New Firewall (hpf) for DragonFlyBSD

Max Laier max at love2party.net
Fri Jan 9 09:39:06 PST 2004


On Friday 09 January 2004 18:06, Simon 'corecode' Schubert wrote:
> On 09.01.2004, at 15:28, Seb wrote:
> > Here you can find a patch for using High Performance Firewall under
> > DragonFlyBSD. This firewall is a new type and experimental. It's a
> > constant time firewall, so CPU consumption does not depend on the
> > number of rules. This is a turboACL-like implementation so the kernel
> > code is very very little. Actually, hpf recognizes some ipfw syntax but
> > an ipfilter parser can be developed. Dynamic rules are not supported
> > for the moment and some options too. You can see at
> > http://www.phear.org/~spe/syntaxe.txt what type of syntax is
> > recognized.
>
> I'm sorry, maybe I'm just ignorant, but doesn't such a tree need 256^14
> (or 13) entries?
>
> Also, using ints to store pointers won't work on all architectures.

Yapp - apart from being highly unreadable - your code is _really_ i386 centric
and does not care about storage sizes or byte order at all. Furthermore it's
ignorant of real life things like incomplete/short mbufs, encapsulation etc.
pp.

I am really curious how you plan to support IPv6, btw ;)

Nonetheless, it's an interesting approach for a very special purpose, but not
(yet) fit for real-life applications IMO.

-- 
Best regards,				| max at xxxxxxxxxxxxxx
Max Laier				| ICQ #67774661
http://pf4freebsd.love2party.net/	| mlaier at EFnet
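
The points raised in this message (storage sizes, byte order, short packets), shown as an added example that is not part of the original post and is not hpf code. It assumes the 13 bytes mentioned in the thread are the classic 5-tuple (source address, destination address, protocol, source port, destination port); `extract_key`, `rd16`, `sample_pkt` and `sample_dport` are hypothetical names, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 13 /* assumed: src(4) dst(4) proto(1) sport(2) dport(2) */

/* Read a 16-bit network-order field byte by byte: no alignment or
 * host byte-order assumptions, fixed-width result. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Build the lookup key from a raw IPv4 packet of `len` available bytes.
 * Returns 0 on success, -1 if the data is short or malformed, so the
 * caller can drop the packet or pull up more data before retrying. */
int extract_key(const uint8_t *pkt, size_t len, uint8_t key[KEY_LEN])
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                        /* short buffer or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len)
        return -1;                        /* bad or truncated header */
    memcpy(key, pkt + 12, 8);             /* src + dst, kept in wire order */
    key[8] = pkt[9];                      /* protocol */
    memset(key + 9, 0, 4);                /* ports default to zero */
    uint16_t frag_off = rd16(pkt + 6) & 0x1fff;
    if ((key[8] == 6 || key[8] == 17) && frag_off == 0) {
        if (tot < ihl + 4)
            return -1;                    /* TCP/UDP ports not present */
        memcpy(key + 9, pkt + ihl, 4);    /* honours IP options via ihl */
    }
    return 0;
}

/* Constructed sample: TCP 192.0.2.1:1024 -> 198.51.100.7:80, total length 24. */
static const uint8_t sample_pkt[24] = {
    0x45, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1, 198, 51, 100, 7, 0x04, 0x00, 0x00, 0x50 };

/* Destination port found in the key when only `len` bytes arrived, or -1. */
int sample_dport(size_t len)
{
    uint8_t key[KEY_LEN];
    if (extract_key(sample_pkt, len, key) != 0)
        return -1;
    return rd16(key + 11);
}

int main(void) { return sample_dport(sizeof sample_pkt) == 80 ? 0 : 1; }
```

Non-first fragments keep zeroed ports here; how a filter should treat them is a policy choice outside this sketch.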





