On Tue, Aug 19, 2008 at 03:10:21PM -0700, Darren Reed wrote:
> On 08/19/08 14:12, Nicolas Williams wrote:
> >On Tue, Aug 19, 2008 at 10:17:36AM +0200, Enrico Perla wrote:
> >>
> >
> >There's a low-level packet filtering language called BPF (BSD Packet
> >Filter). Like DTrace, it doesn't allow for looping -- you can only
> >branch forward in a BPF program.
> >
> >That's probably too low-level a language for use by firewall management
> >applications -- decoding a BPF program into rules that can be displayed
> >is difficult, akin to decompiling a binary executable.
> >
>
> BPF only gives you packet matching.

It's been a long time since I've looked at BPF.

> It doesn't tell you whether or not to do logging, drop (or pass) the
> packet, etc.

Perhaps, but that could always be added IF such a low-level language were
desirable.

> A firewall rule is more than just "does it match?"

I only used BPF to make the point that a very low-level filter language
is probably not a good thing to target a firewall management tool to.

Nico
--
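The forward-only branching Nico describes, as an added example that is not part of this thread: a toy classic-BPF subset in Python whose validator rejects backward or out-of-range jumps (so any program runs in at most len(program) steps, which is what rules out loops) and an interpreter that applies an "ip and tcp" filter to constructed Ethernet frames. The opcode names, `Insn`, `validate`, `run` and `frame` are assumptions of this example, not the kernel's or libpcap's code.

```python
from collections import namedtuple

LD_B, LD_H, JEQ, RET = "ldb", "ldh", "jeq", "ret"  # constructed opcode names
# Insn: opcode, immediate/offset k, jump-if-true/false offsets from the next insn.
Insn = namedtuple("Insn", "op k jt jf", defaults=(0, 0, 0))

def validate(prog):
    """Reject programs that could loop or fall off the end."""
    n = len(prog)
    if n == 0 or prog[-1].op != RET:
        return False
    for pc, insn in enumerate(prog):
        if insn.op == JEQ:
            # Offsets are unsigned in cBPF: every jump goes forward, so any
            # path visits each instruction at most once and must terminate.
            if min(insn.jt, insn.jf) < 0 or pc + 1 + max(insn.jt, insn.jf) >= n:
                return False
        elif insn.op not in (LD_B, LD_H, RET):
            return False
    return True

def run(prog, pkt):
    """Return the accept length (0 = drop); runs at most len(prog) steps."""
    assert validate(prog), "invalid BPF program"
    acc, pc = 0, 0
    for _ in range(len(prog)):
        insn = prog[pc]
        if insn.op in (LD_B, LD_H):
            size = 1 if insn.op == LD_B else 2
            if insn.k + size > len(pkt):
                return 0  # out-of-bounds load drops the packet, as in BPF
            acc = int.from_bytes(pkt[insn.k:insn.k + size], "big")
            pc += 1
        elif insn.op == JEQ:
            pc += 1 + (insn.jt if acc == insn.k else insn.jf)
        else:  # RET
            return insn.k
    raise AssertionError("unreachable once validate() has passed")

# "ip and tcp" over Ethernet: ethertype at offset 12, IPv4 protocol at 23.
IP_TCP = [
    Insn(LD_H, 12), Insn(JEQ, 0x0800, 0, 3),  # not IPv4 -> RET 0
    Insn(LD_B, 23), Insn(JEQ, 6, 0, 1),       # not TCP  -> RET 0
    Insn(RET, 65535), Insn(RET, 0),           # accept / drop
]

def frame(ethertype, proto):
    """Constructed 34-byte Ethernet + IPv4 header with the given protocol."""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto]) + b"\x00" * 10
    return b"\x00" * 12 + ethertype.to_bytes(2, "big") + ip
```

Recovering the "ip and tcp" intent from the six `IP_TCP` instructions already means reading offsets and jump targets by hand, which is the decompilation problem the quoted message refers to.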