Hi Nicolas,

2008/8/20 Nicolas Williams <Nicolas.Williams at sun.com>
> I only used BPF to make the point that a very low-level filter language
> is probably not a good thing to target a firewall management tool to.

The example I made was just to give the idea of the "meta-language", not to specify the level of completeness/complexity it should have... sorry if it was misleading.

A meta-language can be more high-level than the BPF one (or way more than the binary example): if all you want from it is to describe simple concepts such as 'allow traffic to this service' or 'block traffic over there' and so on (which is usually the case for a non-admin user), you just need a small grammar.

Anyway, as Tony explained in previous emails, the aim here is a Solaris tool, not a generic management tool, so probably all the discussion doesn't really apply. [1]

Cheers,
- Enrico

[1] Btw, the tool will have to understand "generic rules" and translate them into IPFilter commands, so some sort of "language" is already there, maybe just not isolated enough to make porting to, for example, iptables easier, if that should ever become a necessity. For example, the code might be structured with a set of parsing functions for the "generic rules" that use a set of pointers to functions to generate the effective IPFilter rules. In this way a new set of pointers to functions might be passed in to achieve "portability" (which, once again, is not the goal... but at some point one might face the introduction of a new packet filter, just as happened in Linux with the ipchains->iptables transition).
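The footnote above sketches a structure: a front end that parses "generic rules" and a table of function pointers that renders each parsed rule for a particular packet filter, so that a second table can later target another filter. The following is an added example of that structure, written for this page and not code from the thread or from the Solaris tool under discussion. The mini-grammar (`allow|block <tcp|udp|any> [from A] [to B] [port N]`), the names `rule_t`, `backend_t`, `parse_rule`, `translate` and the two backends, and the assumption that every rule describes inbound traffic (IPFilter `in`, iptables `INPUT`) are all this example's own.

```c
/* Added example, not code from the thread: a generic-rule front end plus
 * two function-pointer backends (IPFilter ipf.conf syntax, iptables).
 * Grammar, names and the "inbound only" assumption are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { ACT_ALLOW, ACT_BLOCK } action_t;

/* One generic rule: <allow|block> <tcp|udp|any> [from A] [to B] [port N] */
typedef struct {
    action_t action;
    char proto[8];
    char src[48];
    char dst[48];
    int port;            /* 0 = any port; only allowed with tcp/udp */
} rule_t;

/* A backend is a name plus the function that renders one rule. */
typedef struct {
    const char *name;
    int (*emit)(const rule_t *r, char *out, size_t outlen);
} backend_t;

/* Parse the meta-language into rule_t; 0 on success, -1 on any error. */
static int parse_rule(const char *text, rule_t *r)
{
    char buf[128], *tok;

    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    memset(r, 0, sizeof *r);
    strcpy(r->src, "any");
    strcpy(r->dst, "any");

    tok = strtok(buf, " ");
    if (!tok) return -1;
    if (strcmp(tok, "allow") == 0) r->action = ACT_ALLOW;
    else if (strcmp(tok, "block") == 0) r->action = ACT_BLOCK;
    else return -1;

    tok = strtok(NULL, " ");
    if (!tok) return -1;
    if (strcmp(tok, "tcp") && strcmp(tok, "udp") && strcmp(tok, "any")) return -1;
    strcpy(r->proto, tok);

    /* Optional clauses: each keyword must be followed by exactly one value. */
    while ((tok = strtok(NULL, " ")) != NULL) {
        char *val = strtok(NULL, " ");
        if (!val || strlen(val) >= sizeof r->src) return -1;
        if (strcmp(tok, "from") == 0) strcpy(r->src, val);
        else if (strcmp(tok, "to") == 0) strcpy(r->dst, val);
        else if (strcmp(tok, "port") == 0) {
            char *end;
            long p = strtol(val, &end, 10);
            /* a port makes no sense without a transport protocol */
            if (*end || p < 1 || p > 65535 || strcmp(r->proto, "any") == 0) return -1;
            r->port = (int)p;
        } else return -1;
    }
    return 0;
}

/* Backend 1: an IPFilter rule as it would appear in ipf.conf. */
static int emit_ipfilter(const rule_t *r, char *out, size_t n)
{
    char proto[16] = "", port[24] = "";
    if (strcmp(r->proto, "any") != 0) snprintf(proto, sizeof proto, " proto %s", r->proto);
    if (r->port) snprintf(port, sizeof port, " port = %d", r->port);
    return snprintf(out, n, "%s in quick%s from %s to %s%s",
                    r->action == ACT_ALLOW ? "pass" : "block", proto, r->src, r->dst, port);
}

/* Backend 2: the equivalent iptables command on the INPUT chain. */
static int emit_iptables(const rule_t *r, char *out, size_t n)
{
    char proto[16] = "", src[64] = "", dst[64] = "", port[24] = "";
    if (strcmp(r->proto, "any") != 0) snprintf(proto, sizeof proto, " -p %s", r->proto);
    if (strcmp(r->src, "any") != 0) snprintf(src, sizeof src, " -s %s", r->src);
    if (strcmp(r->dst, "any") != 0) snprintf(dst, sizeof dst, " -d %s", r->dst);
    if (r->port) snprintf(port, sizeof port, " --dport %d", r->port);
    return snprintf(out, n, "iptables -A INPUT%s%s%s%s -j %s", proto, src, dst, port,
                    r->action == ACT_ALLOW ? "ACCEPT" : "DROP");
}

static const backend_t ipfilter_backend = { "ipfilter", emit_ipfilter };
static const backend_t iptables_backend = { "iptables", emit_iptables };

/* Front end: parse once, then render with whatever backend was passed in.
 * Returns a static buffer (overwritten on the next call) or NULL if invalid. */
const char *translate(const backend_t *b, const char *text)
{
    static char out[256];
    rule_t r;
    if (parse_rule(text, &r) != 0) return NULL;
    if (b->emit(&r, out, sizeof out) < 0) return NULL;
    return out;
}

int main(void)
{
    const char *rules[] = {                 /* constructed sample input */
        "allow tcp to 10.0.0.5 port 22",
        "block udp from 192.168.1.0/24",
        "allow any to 10.0.0.5 port 80",    /* rejected: port needs tcp/udp */
    };
    const backend_t *backends[] = { &ipfilter_backend, &iptables_backend };
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 2; j++) {
            const char *s = translate(backends[j], rules[i]);
            printf("%-9s %s\n", backends[j]->name, s ? s : "(rejected)");
        }
    return 0;
}
```

The point of the split is that `parse_rule` never learns which filter it feeds: adding a third target means writing one more `emit` function and one more `backend_t`, with the rule grammar and its validation (unknown keywords, bad port numbers, a port without a transport protocol) untouched. The same validation is also where a management tool should stop malformed input before it ever reaches `ipf` or `iptables`.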