On 10/25/05, Markus Friedl <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 24, 2005 at 02:38:43AM -0500, Travis H. wrote:
> > Has anyone thought of modeling packet filtering/translation/queueing
> > as a virtual machine?
>
> BSD/OS ipfw (http://www.pix.net/software/ipfw/)
That site has some good code and links to conference papers, by the way.

Looking at the filter injection points into the stacks, it looks a lot like Linux's netfilter. One potentially powerful change would be to have the flow of packets through the stacks controlled by a configurable ruleset, instead of inserting filter code at semi-arbitrary points in the flow. I'm not exactly sure how this would be useful, but it strikes me as the kind of thing that could be used in a great many ways I can't foresee. For example, transparent proxying would be much easier. Perhaps you could make delivery to sockets part of the ruleset, and give the user the ability to deliver a packet to a socket that isn't necessarily bound to that destination IP, with the original headers available via some socket-level interface. This would be similar to, but different than, creating an "any destination" socket that is mentioned in the BSD/OS paper.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
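A user-space sketch of the ruleset-driven packet path the post describes, added here as an illustration; it is not code from ipfw, netfilter or the poster. Every step a packet takes is an ordered rule, translation is just another rule, and the `deliver` action hands a packet to a named socket regardless of the address that socket is bound to while keeping the original headers for the receiver. The packet fields, socket names, addresses and rules are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    orig: dict = field(default_factory=dict)  # headers as first seen, kept for the receiver

@dataclass
class Socket:
    name: str
    bound_ip: str                             # address the socket is actually bound to
    delivered: list = field(default_factory=list)

# A rule is (match, action, argument); the ordered ruleset *is* the packet path.
Rule = Tuple[Callable[[Packet], bool], str, Optional[str]]

def run_ruleset(rules: List[Rule], pkt: Packet, sockets: Dict[str, Socket]) -> str:
    """Drive one packet through the rules in order and report its fate."""
    pkt.orig = {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}
    for match, action, arg in rules:
        if not match(pkt):
            continue
        if action in ("drop", "accept"):
            return action
        if action == "rewrite-dst":           # translation is just another rule
            pkt.dst = arg
        elif action == "deliver":             # delivery is part of the ruleset: the
            sock = sockets[arg]               # socket need not be bound to pkt.dst
            sock.delivered.append(pkt)
            return f"deliver:{arg}"
    return "drop"                             # default deny when no rule decides

def make_sockets() -> Dict[str, Socket]:
    # Constructed: a local proxy listener and an ordinary web-server socket.
    return {"proxy": Socket("proxy", "127.0.0.1"), "web": Socket("web", "10.0.0.5")}

# Constructed ruleset: drop one source, hand external port-80 traffic to the proxy
# (transparent proxying), translate :8080 onto the web host, and accept the rest.
EXAMPLE_RULES: List[Rule] = [
    (lambda p: p.src == "192.0.2.99", "drop", None),
    (lambda p: p.dport == 80 and not p.dst.startswith("10."), "deliver", "proxy"),
    (lambda p: p.dport == 8080, "rewrite-dst", "10.0.0.5"),
    (lambda p: p.dst == "10.0.0.5", "deliver", "web"),
    (lambda p: True, "accept", None),
]
```

After delivery, `pkt.orig` still holds the pre-translation destination, which is the "original headers available at the socket" part of the idea.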