New Firewall (hpf) for DragonFlyBSD

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Sun Jan 11 05:51:06 PST 2004


On 11.01.2004, at 14:21, Sebastien Petit wrote:
> I thought 256 would be enough as the firewall has a binary tree with
> 256 nodes each level.
> We can do a base address + unsigned int for an index in each node. But
> unsigned char and unsigned short are not enough. E.g.: in the worst case
> (no optimization in the tree), you can have 14 nodes per rule (one per
> level). So you can address nodes for about 20 rules max in the hpf
> engine, which is not enough.
Maybe I'm completely misunderstanding the principle behind, but won't
every Node[n] contain a pointer to some element in Node[n+1]? Oh well,
if it's possible to point to an arbitrary Node[n+1], it won't work this
way :)

> I must add architecture information (IA32, IA64, sparc etc...) on the
> compiled rule file header. Then, we avoid the case where someone
> compiles the rule file on IA64 and pushes it on an IA32 architecture
> (and avoid the reversed byte order problem).
> Can you tell me Simon if there are some defines on the dragonfly kernel
> for letting it know the architecture (like __IA32__, __IA64__,
> __SPARC__, __SPARC64__ etc...) ?
I'm sure there is, but I don't know where at the moment.
You could design the rule file format to be universal (like per default
storing offsets and resolving them in the ia32 case) and endian
independent (ntohl?) or at least endian aware (long int magic =
0xf00a1122)

cheers
  simon
--
/"\   http://corecode.ath.cx/#donate
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News
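The header check discussed in the exchange above, written out as an added example (not hpf code, not from either poster): a hypothetical compiled-rule file header carrying the magic value 0xf00a1122 from the thread plus an architecture tag, with a loader that refuses anything it cannot validate. The magic doubles as the endianness probe Simon suggests: if it only matches after byte-swapping, the file was produced on a host of the opposite byte order and every field is swapped before use, while a foreign architecture tag is rejected outright because node layout (index width, padding) differs even when the byte order can be repaired. The struct, the HPF_ARCH_* values and the function names are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header for a compiled hpf rule file; constructed for this
 * example, not the project's real on-disk format. */
#define HPF_MAGIC        0xf00a1122u   /* magic value mentioned in the thread */
#define HPF_ARCH_IA32    1u            /* HPF_ARCH_* values are assumptions */
#define HPF_ARCH_IA64    2u
#define HPF_ARCH_SPARC   3u
#define HPF_ARCH_SPARC64 4u

struct hpf_hdr {
    uint32_t magic;   /* HPF_MAGIC, in the writer's byte order */
    uint32_t arch;    /* HPF_ARCH_* of the host that compiled the rules */
    uint32_t nrules;  /* number of rules in the file */
    uint32_t nnodes;  /* number of tree nodes following the header */
};

enum hpf_status {
    HPF_OK = 0,
    HPF_TOO_SHORT = -1,
    HPF_BAD_MAGIC = -2,
    HPF_ARCH_MISMATCH = -3
};

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/* Writer: stores the header in host byte order (the simple scheme the
 * magic is meant to make safe). Returns bytes written, 0 if buf is too small. */
size_t hpf_write_hdr(uint8_t *buf, size_t len, uint32_t arch,
                     uint32_t nrules, uint32_t nnodes)
{
    struct hpf_hdr h = { HPF_MAGIC, arch, nrules, nnodes };
    if (len < sizeof h)
        return 0;
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}

/* Reader: validates length, magic and architecture before anything else in
 * the file is trusted. *swapped reports whether the file's byte order had to
 * be reversed to make the magic match. */
enum hpf_status hpf_read_hdr(const uint8_t *buf, size_t len, uint32_t host_arch,
                             struct hpf_hdr *out, int *swapped)
{
    struct hpf_hdr h;
    if (len < sizeof h)
        return HPF_TOO_SHORT;
    memcpy(&h, buf, sizeof h);          /* memcpy: no alignment assumptions */

    if (h.magic == HPF_MAGIC) {
        *swapped = 0;
    } else if (bswap32(h.magic) == HPF_MAGIC) {
        *swapped = 1;                   /* written on the opposite endianness */
        h.magic = bswap32(h.magic);
        h.arch = bswap32(h.arch);
        h.nrules = bswap32(h.nrules);
        h.nnodes = bswap32(h.nnodes);
    } else {
        return HPF_BAD_MAGIC;           /* not a rule file, or corrupted */
    }

    /* Byte order is now consistent, but node layout still depends on the
     * architecture, so a foreign tag is rejected rather than interpreted. */
    if (h.arch != host_arch)
        return HPF_ARCH_MISMATCH;

    *out = h;
    return HPF_OK;
}

/* Exercises the five loader outcomes on constructed buffers; returns the
 * number of checks that passed (5 when everything behaves as described). */
int hpf_selftest(void)
{
    uint8_t buf[sizeof(struct hpf_hdr)], sw[sizeof buf], bad[sizeof buf];
    struct hpf_hdr h;
    int swapped, passed = 0;
    size_t i, j;

    hpf_write_hdr(buf, sizeof buf, HPF_ARCH_IA32, 3, 42);
    if (hpf_read_hdr(buf, sizeof buf, HPF_ARCH_IA32, &h, &swapped) == HPF_OK
        && !swapped && h.nrules == 3 && h.nnodes == 42)
        passed++;
    if (hpf_read_hdr(buf, sizeof buf, HPF_ARCH_IA64, &h, &swapped) == HPF_ARCH_MISMATCH)
        passed++;
    for (i = 0; i < 4; i++)             /* simulate a foreign-endian writer */
        for (j = 0; j < 4; j++)
            sw[4 * i + j] = buf[4 * i + 3 - j];
    if (hpf_read_hdr(sw, sizeof sw, HPF_ARCH_IA32, &h, &swapped) == HPF_OK
        && swapped && h.nrules == 3 && h.nnodes == 42)
        passed++;
    memcpy(bad, buf, sizeof bad);
    bad[0] ^= 0xff;                      /* corrupt the magic */
    if (hpf_read_hdr(bad, sizeof bad, HPF_ARCH_IA32, &h, &swapped) == HPF_BAD_MAGIC)
        passed++;
    if (hpf_read_hdr(buf, 8, HPF_ARCH_IA32, &h, &swapped) == HPF_TOO_SHORT)
        passed++;
    return passed;
}

int main(void)
{
    printf("hpf header checks passed: %d/5\n", hpf_selftest());
    return 0;
}
```

A loader that stored fields with htonl() and read them with ntohl() (Simon's "endian independent" option) would never hit the swapped branch; the magic probe is the fallback that still catches a host-order file, and the architecture tag guards against the IA64-to-IA32 case Sebastien describes, where byte order alone says nothing about whether the node layout matches.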