You want to be careful here....having done some research on this, the
intent is for received packets to only reach the program that has the
bpf device open...if you were to start using this to implement a
security policy, of sorts, you could be wandering into territory
that could attract Checkpoint's attention: one of their early patents
(US#5,606,668) covers using a virtual machine & instructions (which
is what the BPF is) to enforce security.  Then again, if someone knows
of an implementation that matches the description (virtual machine,
instructions, enforces security, etc) and it predates 1993, please
speak up.  Just to make it clear, I don't know if using BPF in this
manner does infringe the patent, but there are strong resemblances
so be careful.  I have heard from one person that Checkpoint do try
to enforce their patents but that wasn't regarding this one.

Darren

> The new filter option in bpf (in current  
> http://archives.neohapsis.com/archives/openbsd/cvs/2004-06/0798.html)  
> allows frames to be passed to userland and dropped in the kernel if they  
> match a bpf filter. Could allow for some funky bsd licensed inline ids if  
> anyone is willing to write the code (snort ruleset -> bpf filter or full  
> on userland app with frame reinjection)... the few foreseen problems would  
> be fragmentation and performance / complexity of the bpf filter
> 
> it would sort of be like ngrep with the filter bpf command bolted on with  
> a ruleset back end
> 
> probably not what you're after but I thought the new filter bpf command was  
> a nice addition ;)
> 
> Cheers
> Ste Jones
> NetworkPenetration.com
> 
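To make concrete what both messages describe, the BPF "virtual machine and instructions" Darren refers to and the fragmentation problem Ste flags for a ruleset-to-bpf inline IDS, here is an added example. It is not code from either poster and not OpenBSD's bpf(4) implementation: a minimal interpreter for classic BPF instructions in C, running a hand-assembled "IPv4, TCP, destination port 80" filter (the kind of program libpcap compiles from a filter expression; the exact instruction list here is mine) over two constructed Ethernet frames. The opcode encodings follow `<net/bpf.h>`; the frames, the filter program and all function names are constructed for this example.

```c
/* Added example: a tiny classic-BPF interpreter plus a port-80 filter.
 * Only the opcodes the filter needs are implemented; unknown opcodes and
 * out-of-bounds loads fail closed (return 0 = drop), as the kernel does. */
#include <stdint.h>
#include <stdio.h>

struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values as defined in <net/bpf.h> (BPF_LD|BPF_H|BPF_ABS etc.) */
#define LD_H_ABS   0x28  /* A = 16-bit big-endian load at pkt[k] */
#define LD_B_ABS   0x30  /* A = pkt[k] */
#define LD_H_IND   0x48  /* A = 16-bit load at pkt[X + k] */
#define LDX_MSH_B  0xb1  /* X = 4 * (pkt[k] & 0x0f): IPv4 header length */
#define JEQ_K      0x15  /* pc += (A == k) ? jt : jf */
#define JSET_K     0x45  /* pc += (A & k) ? jt : jf */
#define RET_K      0x06  /* accept k bytes (0 = drop) */

uint32_t run_filter(const struct bpf_insn *prog, size_t n,
                    const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, off;
    for (size_t pc = 0; pc < n; pc++) {   /* loop's pc++ is the implicit "+1" of BPF jumps */
        const struct bpf_insn *i = &prog[pc];
        switch (i->code) {
        case LD_H_ABS:  if (i->k + 2 > len) return 0;
                        A = pkt[i->k] << 8 | pkt[i->k + 1]; break;
        case LD_B_ABS:  if (i->k + 1 > len) return 0;
                        A = pkt[i->k]; break;
        case LD_H_IND:  off = X + i->k; if (off + 2 > len) return 0;
                        A = pkt[off] << 8 | pkt[off + 1]; break;
        case LDX_MSH_B: if (i->k + 1 > len) return 0;
                        X = 4 * (pkt[i->k] & 0x0f); break;
        case JEQ_K:     pc += (A == i->k) ? i->jt : i->jf; break;
        case JSET_K:    pc += (A & i->k) ? i->jt : i->jf; break;
        case RET_K:     return i->k;
        default:        return 0;            /* unsupported opcode: drop */
        }
    }
    return 0;
}

/* Filter: ethertype IPv4, protocol TCP, not a later fragment, TCP dport 80.
 * Constructed for this example, in the style of `tcpdump -dd` output. */
static const struct bpf_insn tcp_dport_80[] = {
    { LD_H_ABS,  0, 0, 12     },   /* A = ethertype                      */
    { JEQ_K,     0, 8, 0x0800 },   /* not IPv4 -> drop                   */
    { LD_B_ABS,  0, 0, 23     },   /* A = IP protocol                    */
    { JEQ_K,     0, 6, 6      },   /* not TCP -> drop                    */
    { LD_H_ABS,  0, 0, 20     },   /* A = flags + fragment offset        */
    { JSET_K,    4, 0, 0x1fff },   /* offset != 0: no TCP header -> drop */
    { LDX_MSH_B, 0, 0, 14     },   /* X = IPv4 header length             */
    { LD_H_IND,  0, 0, 16     },   /* A = TCP dst port (14 + ihl + 2)    */
    { JEQ_K,     0, 1, 80     },
    { RET_K,     0, 0, 0x40000 },  /* accept                              */
    { RET_K,     0, 0, 0       },  /* drop                                */
};
#define NPROG (sizeof tcp_dport_80 / sizeof tcp_dport_80[0])

/* Constructed frames: 14-byte Ethernet + 20-byte IPv4 + 20 bytes of data. */
static const uint8_t first_frag[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x12,0x34, 0x20,0x00, /* MF set, offset 0 */
    0x40,0x06, 0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
static const uint8_t later_frag[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x12,0x34, 0x00,0x05, /* offset 5*8 = 40 bytes */
    0x40,0x06, 0x00,0x00, 10,0,0,1, 10,0,0,2,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n','\r','\n',0,0 };

int first_fragment_matches(void) { return run_filter(tcp_dport_80, NPROG, first_frag, sizeof first_frag) != 0; }
int later_fragment_matches(void) { return run_filter(tcp_dport_80, NPROG, later_frag, sizeof later_frag) != 0; }
/* A frame truncated before the TCP header is dropped by the bounds check. */
int truncated_frame_matches(void) { return run_filter(tcp_dport_80, NPROG, first_frag, 30) != 0; }

int main(void)
{
    printf("first fragment: %s\n", first_fragment_matches() ? "accept" : "drop");
    printf("later fragment: %s\n", later_fragment_matches() ? "accept" : "drop");
    printf("truncated:      %s\n", truncated_frame_matches() ? "accept" : "drop");
    return 0;
}
```

The first fragment carries the TCP header, so the filter accepts it; the second fragment of the same datagram has a non-zero offset and no TCP header, so the `JSET 0x1fff` test sends it straight to the drop return. That is the fragmentation problem in the quoted message: a filter derived from a port- or payload-based ruleset can only ever judge the first fragment, so an inline IDS built this way must either reassemble in userland or refuse fragments outright.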
