Date:      Wed, 2 May 2001 19:52:38 +1000 (EST)
From:      Darren Reed <darrenr@reed.wattle.id.au>
To:        julian@elischer.org (Julian Elischer)
Cc:        darrenr@reed.wattle.id.au, gunther@aurora.regenstrief.org, snap-users@kame.net, freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au, altq@csl.sony.co.jp
Subject:   Re: (KAME-snap 4587) The future of ALTQ, IPsec & IPFILTER playing   together ...
Message-ID:  <200105020952.TAA23436@avalon.reed.wattle.id.au>
In-Reply-To: <3AEFA529.BB773EA1@elischer.org> from Julian Elischer at "May 1, 1 11:11:53 pm"

In some email I received from Julian Elischer, sie wrote:
[Charset iso-8859-2 unsupported, filtering to ASCII...]
> Darren Reed wrote:
> > 
> > In some email I received from Gunther Schadow, sie wrote:
> > > Gunther Schadow wrote:
> > > [snip]
> > >
> > > .... to make things even more complicated, we also have the
> > > berkeley packet filter (BPF) mechanism. Heck! How could
> > > so many things evolve that all do essentially the same
> > > thing? The interesting thing about the BPF mechanism is
> > > that it is very generic. Filter rules are instructions
> > > of a virtual von-Neumann-machine (reminds me of 6502
> > > assembler :-). Tcpdump uses BPF, at least on FreeBSD.
> > > But I think BPF is available on all 4.4 BSD derivatives.
> > >
> > > where does this fit in the crowd?
> > 
> > BPF uses a byte-code language, like Java, to tell the
> > matching routine what bits to compare and return a "true or
> > false".  i.e. you need to build things around it if you want
> > to use it for packet matching, etc.
> 
> netgraph has a bpf node that can be programmed with BPF codes to do almost 
> any filtering required.
> 
> (Netgraph can be used to do in-kernel tunnelling of almost any type
> if you are willing to figure out how to use it.)

So ?  Maybe I should have made the point more clearly.

Just because you have BPF does not mean you have a "packet filter".
You need a whole lot of other infrastructure as well.
Same goes for netgraph.  Both netgraph and BPF are enabling technologies
but are not in and of themselves providers of solutions.

Darren
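
The point debated in this message, as an added example that is not part of the e-mail thread or of any BPF implementation: a small interpreter for a subset of the classic BPF instruction set, run over a constructed Ethernet frame. The names `bpf_run`, `filter_frame`, `prog` and `frame` are hypothetical; the opcode values are the classic BPF encodings. All the machine yields is one number, so state tracking, NAT, logging and rule management would have to be built around it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode encodings; only the subset this filter needs. */
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, LDH_IND = 0x48, LDXB_MSH = 0xb1,
       JEQ_K = 0x15, JSET_K = 0x45, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Hand-assembled: IPv4, TCP, first fragment only, destination port 80. */
static const struct insn prog[] = {
    { LDH_ABS,  0, 0, 12 },     /* A = EtherType                     */
    { JEQ_K,    0, 8, 0x0800 }, /* not IPv4 -> reject                */
    { LDB_ABS,  0, 0, 23 },     /* A = IP protocol                   */
    { JEQ_K,    0, 6, 6 },      /* not TCP -> reject                 */
    { LDH_ABS,  0, 0, 20 },     /* A = flags + fragment offset       */
    { JSET_K,   4, 0, 0x1fff }, /* later fragment -> reject          */
    { LDXB_MSH, 0, 0, 14 },     /* X = 4 * IP header length          */
    { LDH_IND,  0, 0, 16 },     /* A = halfword at X + 16 (dst port) */
    { JEQ_K,    0, 1, 80 },     /* not port 80 -> reject             */
    { RET_K,    0, 0, 0xffff }, /* match: number of bytes to keep    */
    { RET_K,    0, 0, 0 },      /* reject                            */
};

/* Returns the RET value (0 = no match); bad loads and unknown opcodes reject. */
static uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; ) {
        const struct insn *i = &p[pc++];
        size_t off = (size_t)i->k + (i->code == LDH_IND ? X : 0);
        switch (i->code) {
        case LDH_ABS: case LDH_IND: if (off + 2 > len) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case LDB_ABS:  if (off >= len) return 0; A = pkt[off]; break;
        case LDXB_MSH: if (off >= len) return 0; X = (pkt[off] & 0x0fu) * 4; break;
        case JEQ_K:    pc += (A == i->k) ? i->jt : i->jf; break;
        case JSET_K:   pc += (A & i->k) ? i->jt : i->jf; break;
        case RET_K:    return i->k;
        default:       return 0;
        }
    }
    return 0; /* ran off the end without a RET: reject */
}

/* Constructed frame: Ethernet + IPv4 (IHL 5, proto 6) + TCP 49152 -> 80. */
static const uint8_t frame[54] = { [12] = 0x08, 0x00, 0x45, [23] = 6,
                                   [34] = 0xc0, 0x00, 0x00, 0x50 };
static uint32_t filter_frame(const uint8_t *f, size_t len)
{ return bpf_run(prog, sizeof prog / sizeof prog[0], f, len); }
int main(void) { printf("verdict: %u\n", (unsigned)filter_frame(frame, sizeof frame)); return 0; }
```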
