On Tue, 14 Feb 2006, Tony Sterrett wrote:

> > > I'm not sure I'd do it in that way. I'm thinking if BPF provided stateful
> > > inspection it would be more useful.
> > 
> > Asking for stateful inspection in bpf(4) is like wanting a carburettor
> > for a pushbike. You might be able to shoehorn it in there, but it won't
> > be pretty, will ruin its simplicity and probably won't be much use.
> 
> Yeah this would be something in addition to BPF and not to alter BPF. I like
> the simple functionality but I think it would be hard to manage complex rule(s).
> The language is a little clunky. Just think of doing something when you have to
> check protocol #, source and dst address and TCP flags. I guess the fact that BPF
> branches only forward does both simplify and limit its scope.

Having only forward jumps is an essential (security) feature of bpf.
This makes it possible to validate the bpf code to ensure that it
terminates. After all, bpf lets a user inject code into the kernel.
You want to be 100% sure it doesn't do nasty things. See
sys/net/bpf_filter:bpf_validate().

        -Otto
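The forward-only check Otto describes, as an added example that is not from this thread or from OpenBSD's sys/net/bpf_filter.c: a stand-alone C validator over the classic BPF instruction layout (code, jt, jf, k), using the opcode constants as defined in the classic bpf.h, plus a second function that turns the forward-only property into a concrete bound on executed instructions (the control-flow graph is a DAG, so one backward pass finds the longest path). The rule set, the function names `bpf_validate_fwd` and `bpf_steps_bound`, and the three sample filters are constructed here; the kernel's own bpf_validate() has its own list of checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction: redefined here (same layout as struct bpf_insn)
 * so the example builds without <net/bpf.h>. jt/jf are unsigned bytes and
 * k is unsigned, so a jump can never point backwards by construction;
 * what the validator must check is that it does not run off the end. */
struct insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
#define BPF_MODE(c) ((c) & 0xe0)
#define BPF_MEM 0x60
#define BPF_OP(c) ((c) & 0xf0)
#define BPF_JA 0x00
#define BPF_DIV 0x30
#define BPF_SRC(c) ((c) & 0x08)
#define BPF_K 0x00
#define BPF_MEMWORDS 16
#define BPF_MAXINSNS 512

/* Returns 1 if the program is safe to run, 0 if it must be rejected. */
int bpf_validate_fwd(const struct insn *p, size_t len)
{
    if (len == 0 || len > BPF_MAXINSNS) return 0;
    for (size_t i = 0; i < len; i++) {
        const struct insn *q = &p[i];
        switch (BPF_CLASS(q->code)) {
        case BPF_LD: case BPF_LDX:      /* scratch-memory loads stay in bounds */
            if (BPF_MODE(q->code) == BPF_MEM && q->k >= BPF_MEMWORDS) return 0;
            break;
        case BPF_ST: case BPF_STX:      /* scratch-memory stores stay in bounds */
            if (q->k >= BPF_MEMWORDS) return 0;
            break;
        case BPF_ALU:                   /* constant divide by zero is rejected */
            if (BPF_OP(q->code) == BPF_DIV && BPF_SRC(q->code) == BPF_K && q->k == 0)
                return 0;
            break;
        case BPF_JMP:                   /* every target i+1+offset must be < len */
            if (BPF_OP(q->code) == BPF_JA) {
                if (q->k >= len - i - 1) return 0;
            } else if (i + 1 + q->jt >= len || i + 1 + q->jf >= len) {
                return 0;
            }
            break;
        case BPF_RET: case BPF_MISC:
            break;
        default:
            return 0;
        }
    }
    return BPF_CLASS(p[len - 1].code) == BPF_RET;   /* cannot fall off the end */
}

/* Longest path from insn 0 to a RET, i.e. the most instructions one run can
 * execute. Only valid for a program that passed bpf_validate_fwd(): because
 * all edges go forward, bound[] for every successor is already known. */
size_t bpf_steps_bound(const struct insn *p, size_t len)
{
    size_t bound[BPF_MAXINSNS];
    for (size_t j = len; j-- > 0; ) {
        const struct insn *q = &p[j];
        size_t next = 0;
        if (BPF_CLASS(q->code) == BPF_JMP) {
            if (BPF_OP(q->code) == BPF_JA) {
                next = bound[j + 1 + q->k];
            } else {
                size_t t = bound[j + 1 + q->jt], f = bound[j + 1 + q->jf];
                next = t > f ? t : f;
            }
        } else if (BPF_CLASS(q->code) != BPF_RET) {
            next = bound[j + 1];
        }
        bound[j] = 1 + next;
    }
    return bound[0];
}

/* Constructed samples: an "ip and tcp" filter, and two that must be rejected. */
static const struct insn prog_ok[] = {
    { 0x28, 0, 0, 12 },     /* ldh [12]  ethertype */
    { 0x15, 0, 3, 0x0800 }, /* jeq #0x800 -> 2, else -> 5 */
    { 0x30, 0, 0, 23 },     /* ldb [23]  IP protocol */
    { 0x15, 0, 1, 6 },      /* jeq #6 -> 4, else -> 5 */
    { 0x06, 0, 0, 96 },     /* ret #96 */
    { 0x06, 0, 0, 0 },      /* ret #0 */
};
static const struct insn prog_jump_past_end[] = {
    { 0x28, 0, 0, 12 }, { 0x15, 0, 9, 0x0800 }, /* jf lands at index 11 */
    { 0x06, 0, 0, 96 }, { 0x06, 0, 0, 0 },
};
static const struct insn prog_no_ret[] = {
    { 0x28, 0, 0, 12 }, { 0x15, 0, 1, 0x0800 },
    { 0x06, 0, 0, 96 }, { 0x28, 0, 0, 12 },    /* last insn is a load, not RET */
};

int main(void)
{
    size_t n = sizeof prog_ok / sizeof prog_ok[0];
    printf("ok: valid=%d max_steps=%zu of %zu insns\n",
           bpf_validate_fwd(prog_ok, n), bpf_steps_bound(prog_ok, n), n);
    printf("jump past end: valid=%d\n", bpf_validate_fwd(prog_jump_past_end, 4));
    printf("no trailing ret: valid=%d\n", bpf_validate_fwd(prog_no_ret, 4));
    return 0;
}
```

The step bound is the whole point of the forward-only rule: with no backward edges a program of N instructions can execute at most N of them, so the kernel can accept untrusted filter code without any runtime instruction budget.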
