> Has anyone thought of modeling packet filtering/translation/queueing
> as a virtual machine?
Checkpoint did it with their Inspect scripting, and I'm told they have a patent on using a VM in a firewall (no, I've never read the patent; no idea how specific/general it is). Sun used a BPF-like virtual machine for the rule processing in their SunScreen firewall, but NAT was separate, in straight C. It was a little slow, incredibly complex because you had a big fat compiler in userland, totally non-extensible since no one knew the huge compiler anymore, and I hear a royal pain in the ass to debug. The rumor mill has it that Checkpoint had a little talk with Sun: if they ever extended their virtual machine, they would get sued. They would have to have been really serious about protecting their patent to threaten Sun; remember that almost all FW1 installations (Checkpoint's cash cow) were dependent on Solaris boxes.

.mike