On 08/19/08 14:12, Nicolas Williams wrote:
> On Tue, Aug 19, 2008 at 10:17:36AM +0200, Enrico Perla wrote:
>> I guess (James will correct if I miss something :P) that the idea here is to
>> create a high-level meta-language. Pretty much what happens with binary
>> analysis: you create a meta-language and an interpreter for that language
>> and then you just have to "port" the different machine codes (UltraSPARC,
>> x86, PPC, etc) to that meta-language and you can investigate them with
>> standard (and tested) primitives.
>
> There's a low-level packet filtering language called BPF (BSD Packet
> Filter). Like DTrace, it doesn't allow for looping -- you can only
> branch forward in a BPF program.
>
> That's probably too low-level a language for use by firewall management
> applications -- decoding a BPF program into rules that can be displayed
> is difficult, akin to decompiling a binary executable.
BPF only gives you packet matching.
It doesn't tell you whether or not to do logging, drop (or pass) the
packet, etc.
A firewall rule is more than just "does it match?"
Darren
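To make concrete what Nicolas describes (a BPF program can only branch forward, so it cannot loop) and what Darren adds (its only output is a match value, not an action), here is a minimal classic-BPF interpreter in C, added as an illustration and not code from the thread. It runs the program tcpdump emits for "tcp dst port 22" over constructed Ethernet/IPv4/TCP frames; the local opcode constants, the ld16 helper and the verdict_for frame builder are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* Minimal classic-BPF interpreter (added example, not from the thread). Opcode
 * values follow the classic BPF encoding but are defined locally so this
 * compiles without <linux/filter.h> or <pcap/bpf.h>. */
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, LDH_IND = 0x48, LDXB_MSH = 0xb1,
       JEQ_K = 0x15, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
static uint32_t ld16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }

/* Returns the filter's verdict (0 = no match). jt/jf are unsigned offsets
 * added to pc, so control only moves forward: the loop is bounded by n. */
uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0, x = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case LDH_ABS:  if (i->k + 2 > len) return 0; a = ld16(pkt + i->k); break;
        case LDB_ABS:  if (i->k + 1 > len) return 0; a = pkt[i->k]; break;
        case LDXB_MSH: if (i->k + 1 > len) return 0; x = 4u * (pkt[i->k] & 0x0f); break;
        case LDH_IND:  if (x + i->k + 2 > len) return 0; a = ld16(pkt + x + i->k); break;
        case JEQ_K:    pc += (a == i->k) ? i->jt : i->jf; break;   /* forward only */
        case RET_K:    return i->k;      /* the only output: a match value */
        default:       return 0;         /* unknown opcode: reject */
        }
    }
    return 0;
}

/* "tcp dst port 22" over Ethernet, as tcpdump -d prints it. */
static const struct insn tcp_dport_22[] = {
    { LDH_ABS,  0, 0, 12 },      /* A = EtherType                 */
    { JEQ_K,    0, 6, 0x0800 },  /* IPv4? else jump to ret 0      */
    { LDB_ABS,  0, 0, 23 },      /* A = IP protocol               */
    { JEQ_K,    0, 4, 6 },       /* TCP?  else jump to ret 0      */
    { LDXB_MSH, 0, 0, 14 },      /* X = 4 * IHL (IP header bytes) */
    { LDH_IND,  0, 0, 16 },      /* A = TCP destination port      */
    { JEQ_K,    0, 1, 22 },      /* == 22? else jump to ret 0     */
    { RET_K,    0, 0, 0xffff },  /* match                         */
    { RET_K,    0, 0, 0 },       /* no match                      */
};

/* Verdict for a constructed Ethernet+IPv4+TCP frame (not captured traffic). */
uint32_t verdict_for(uint8_t proto, uint16_t dport, uint8_t ihl_words)
{
    uint8_t f[80] = {0}; f[12] = 0x08; f[13] = 0x00;   /* EtherType IPv4 */
    f[14] = 0x40 | ihl_words; f[23] = proto;            /* version/IHL, protocol */
    size_t tcp = 14 + 4 * (size_t)ihl_words; f[tcp + 2] = dport >> 8; f[tcp + 3] = dport & 0xff;
    return bpf_run(tcp_dport_22, sizeof tcp_dport_22 / sizeof *tcp_dport_22, f, sizeof f);
}
```

The verdict is a bare number (0xffff or 0); whether that means pass, drop or log is the caller's decision, which is exactly the gap Darren points out between a BPF match and a firewall rule.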
_______________________________________________
networking-discuss mailing list