On 08/19/08 14:12, Nicolas Williams wrote:
> On Tue, Aug 19, 2008 at 10:17:36AM +0200, Enrico Perla wrote:
>
>> I guess (James will correct if I miss something :P) that the idea here is to
>> create a high-level meta-language. Pretty much what happens with binary
>> analysis: you create a meta-language and an interpreter for that language
>> and then you just have to "port" the different machine codes (UltraSPARC,
>> x86, PPC, etc) to that meta-language and you can investigate them with
>> standard (and tested) primitives.
>>
>
> There's a low-level packet filtering language called BPF (BSD Packet
> Filter). Like DTrace, it doesn't allow for looping -- you can only
> branch forward in a BPF program.
>
> That's probably too low-level a language for use by firewall management
> applications -- decoding a BPF program into rules that can be displayed
> is difficult, akin to decompiling a binary executable.
>
BPF only gives you packet matching. It doesn't tell you whether or not to do
logging, drop (or pass) the packet, etc. A firewall rule is more than just
"does it match?"

Darren
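The two points made in this exchange, that a BPF-style program can only branch forward (so it cannot loop), and that matching alone is not a firewall rule because the action and logging decision live outside the filter, can be shown in a few dozen lines. The following is an added illustration, not code from the thread or from any BPF implementation: it defines a hypothetical three-instruction filter machine, a verifier that rejects backward or out-of-range jumps, and a rule layer that attaches the pass/drop and log decisions the filter itself does not carry. The instruction names, the `Rule` class, and the sample packets are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical three-instruction subset, loosely modelled on classic BPF:
#   ("ld", off)           load packet byte `off` into the accumulator
#   ("jeq", val, jt, jf)  if acc == val skip jt instructions, else skip jf
#   ("ret", val)          finish with verdict val (nonzero = match)
# Jump offsets are relative to the *next* instruction and must be >= 0,
# which is exactly what makes a loop unrepresentable.
Instr = Tuple


def verify(prog: List[Instr]) -> None:
    """Reject programs that are not forward-only or not properly terminated."""
    n = len(prog)
    if n == 0 or prog[-1][0] != "ret":
        raise ValueError("program must end in ret")
    for pc, ins in enumerate(prog):
        op = ins[0]
        if op == "jeq":
            for off in ins[2:4]:
                target = pc + 1 + off
                if off < 0 or target >= n:
                    raise ValueError(f"pc {pc}: jump offset {off} is not a forward, in-range jump")
        elif op not in ("ld", "ret"):
            raise ValueError(f"pc {pc}: unknown opcode {op!r}")


def is_valid(prog: List[Instr]) -> bool:
    """Convenience wrapper: True if verify() accepts the program."""
    try:
        verify(prog)
        return True
    except ValueError:
        return False


def run(prog: List[Instr], pkt: bytes) -> int:
    """Execute a verified program over one packet; returns the match verdict."""
    verify(prog)
    acc, pc = 0, 0
    while pc < len(prog):
        ins = prog[pc]
        if ins[0] == "ld":
            if ins[1] >= len(pkt):
                return 0  # out-of-bounds load: treat as "no match", as classic BPF does
            acc = pkt[ins[1]]
            pc += 1
        elif ins[0] == "jeq":
            _, val, jt, jf = ins
            pc += 1 + (jt if acc == val else jf)  # always moves forward
        else:  # ret
            return ins[1]
    return 0  # unreachable after verify(), kept as a guard


@dataclass(frozen=True)
class Rule:
    name: str
    match: List[Instr]  # the BPF-style matching part
    action: str         # "pass" or "drop": a policy decision the filter cannot express
    log: bool           # likewise outside the filter language


def apply_rules(rules: List[Rule], pkt: bytes, default: str = "drop"):
    """First-match rule evaluation; returns (action, log lines)."""
    log = []
    for r in rules:
        if run(r.match, pkt):
            if r.log:
                log.append(f"{r.name}: {r.action} {pkt.hex()}")
            return r.action, log
    return default, log


# Constructed sample packets: 20-byte IPv4 headers, byte 9 is the protocol field.
TCP_PKT = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6]) + bytes(10)
UDP_PKT = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 17]) + bytes(10)

# Match "IPv4 header (version/IHL byte 0x45) and protocol 6 (TCP)".
TCP_ONLY = [
    ("ld", 0), ("jeq", 0x45, 0, 3),
    ("ld", 9), ("jeq", 6, 0, 1),
    ("ret", 1), ("ret", 0),
]

# A program that tries to jump backwards: rejected by verify().
LOOPING = [("ld", 9), ("jeq", 6, -2, 0), ("ret", 1)]

RULES = [
    Rule("allow-tcp", TCP_ONLY, "pass", log=True),
    Rule("deny-rest", [("ret", 1)], "drop", log=True),
]

if __name__ == "__main__":
    for pkt in (TCP_PKT, UDP_PKT):
        print(apply_rules(RULES, pkt))
    print("looping program accepted?", is_valid(LOOPING))
```

The verifier is the part worth noticing: because every jump offset is non-negative and relative to the next instruction, the program counter strictly increases and termination needs no step limit, which is the property the thread attributes to BPF and DTrace. The `Rule` class is where Darren's point lands: the filter returns only a number, and the choice to pass, drop or log is data held next to the filter, not inside it.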