New Firewall (hpf) for DragonFlyBSD
Simon 'corecode' Schubert
corecode at fs.ei.tum.de
Sun Jan 11 05:51:06 PST 2004
On 11.01.2004, at 14:21, Sebastien Petit wrote:
I thought 256 would be enough as the firewall has a binary tree with
256 nodes each level.
We can do a base address + unsigned int for an index in each node. But
unsigned char and unsigned short are not enough. E.g.: in the worst case
optimization in the tree), you can have 14 nodes per rule (one per
So you can address nodes for about 20 rules max in the hpf engine that
Maybe I'm completely misunderstanding the principle behind, but won't
every Node[n] contain a pointer to some element in Node[n+1]? Oh well,
if it's possible to point to an arbitrary Node[n+1], it won't work this
I must add architecture information (IA32, IA64, sparc etc...) on
rule file header. Then, we avoid the case where someone compiles rule
IA64 and push it on IA32 architecture (and avoid the reversed byte
Can you tell me Simon if there are some defines on dragonfly kernel for
letting know the architecture (like __IA32__, __IA64__ , __SPARC__,
__SPARC64__ etc...) ?
I'm sure there is, but I don't know where at the moment.
You could design the rule file format to be universal (like per default
storing offsets and resolving them in the ia32 case) and endian
independent (ntohl?) or at least endian aware (long int magic =
\ ASCII Ribbon Campaign
/ \ Against HTML Mail and News
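
The universal, endian-independent layout suggested in the message above, sketched as an added example (not code from hpf or from either poster): every field is stored in network byte order, nodes refer to each other by index rather than by pointer, and the loader rejects any file whose magic, node count or indexes do not check out. The magic value, field layout, limits and all names here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define RULE_MAGIC 0x48504631u      /* "HPF1", hypothetical value */
#define NODE_NONE  0xffffffffu      /* hypothetical "no child" marker */
#define MAX_NODES  4096u            /* hypothetical sanity limit */

struct node { uint32_t child[2]; }; /* indexes into the node array, not pointers */

/* Read a 32-bit big-endian field at any alignment. */
static uint32_t get_be32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}

/* Store a 32-bit field in network byte order (what a rule compiler would do). */
static void put_be32(unsigned char *p, uint32_t v)
{
    v = htonl(v);
    memcpy(p, &v, sizeof v);
}

/*
 * Parse "magic, node count, nodes[]" from buf into out[].
 * Returns the node count, or -1 if the file is not acceptable;
 * on failure the contents of out[] must be discarded.
 */
static int rule_file_load(const unsigned char *buf, size_t len,
                          struct node *out, size_t out_cap)
{
    if (len < 8 || get_be32(buf) != RULE_MAGIC)
        return -1;                      /* short, foreign or byte-swapped file */
    uint32_t n = get_be32(buf + 4);
    if (n > MAX_NODES || n > out_cap || (len - 8) / 8 < n)
        return -1;                      /* count disagrees with the data present */
    for (uint32_t i = 0; i < n; i++) {
        for (int c = 0; c < 2; c++) {
            uint32_t idx = get_be32(buf + 8 + 8 * (size_t)i + 4 * c);
            if (idx != NODE_NONE && idx >= n)
                return -1;              /* index would point outside the array */
            out[i].child[c] = idx;
        }
    }
    return (int)n;
}
```

Because the file holds indexes and fixed-order integers, the same bytes load identically on IA32, IA64 or sparc, and a corrupted or hostile file cannot make the engine follow a reference outside its own node array.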