On Feb 13, 2006, at 5:16 PM, Ted Unangst wrote:

> On 2/13/06, Tony Sterrett <[EMAIL PROTECTED]> wrote:
>> I'm looking at the tradeoff of porting bpf with states from linux to
>> OpenBSD. Daniel Hartmeier in "Design and Performance of the OpenBSD
>> Stateful Packet Filter (pf)" says that pf is more efficient than bpf,
>> so it may be pointless. On the other hand, having this facility would
>> increase the richness of our toolkit.
>
> what you want to do is add the ability to attach a bpf filter to a pf
> rule, though i wouldn't try to wedge this functionality into pf.conf's
> grammar. i still haven't come up with much reason why you need bpf to
> express a rule pattern that can't be done with pf.
I'm not sure I'd do it in that way. I'm thinking if BPF provided
stateful inspection it would be more useful. There are a few BPF
enhancement projects, like FFPF: Fairly Fast Packet Filters (Vrije
Universiteit Amsterdam, The Netherlands), that add stateful packet
inspection. I think this only runs in linux, and it uses linux kernel
hooks and therefore would need porting. So the notion was to port.

My reasoning for stateful BPF is mainly in the spirit of providing a
rich toolset. Provide primitives, not solutions.

It will just provide an additional means of packet inspection. Also,
there is a lot of research that uses BPF in various ways: packet
classifier, packet switching for grid, NIDS, reconfigurable networks,
etc. Some of this may be useful in the future to a creative designer in
ways unknown.

Respectfully,
Tony Sterrett
[EMAIL PROTECTED]
Consultant in Open Source Software, featuring OpenBSD and Linux.
www.sterrett.net
(858) 433-1467 San Diego
(408) 705-2135 San Jose