Darren Reed wrote:
>
> In some email I received from Jason R Thorpe, sie wrote:
> > On Thu, May 03, 2001 at 08:30:55AM +1000, Darren Reed wrote:
> >
> > > IPFilter 4.0 will, as part of its general increase in kernel bloat,
> > > let you use BPF expressions for matching. There are other things
> >
> > You mean "pcap/tcpdump expressions"?
>
> They are included.
>
> > BPF "expressions" are literally BPF bytecodes.
>
> Well, one of the goals of IPFilter is it can parse (as rules) a textual
> representation of what's currently loaded into the kernel. At the moment
> that means collecting hex output, as the bytecode instructions are less
> suited to being displayed all on the one line.

I don't think that that's critical. When I write C, C++ or Java
programs I don't expect them to be disassembled into the source
language. What is more important is that any classifier / filter
is fast, as fast as it gets. It is my understanding that BPF
is very fast, and that BPF scales very well for even complex
expressions. BPF may need some extension to be useful as a
classifier, mainly, instead of a simple true/false output one
would want a number representing the class. Also, it's been
noted before, the BPF machine needs some state awareness between
packets.

regards
-Gunther
--
Gunther Schadow, M.D., Ph.D. [EMAIL PROTECTED]
Medical Information Scientist Regenstrief Institute for Health Care
Adjunct Assistant Professor Indiana University School of Medicine
tel:1(317)630-7960 http://aurora.regenstrief.org
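
The classifier idea raised in the message above, as an added example that is not code from this thread, IPFilter or any BPF implementation: a four-opcode subset of a classic BPF interpreter whose return constant is read as a class number. The names `classify`, `class_prog` and `classify_sample`, the class numbering and the sample frames are assumptions made for illustration; out-of-bounds loads and unknown opcodes fall through to class 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF opcode values for the four instructions used here. */
enum { LD_H_ABS = 0x28, LD_B_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Assumption: the RET constant is read as a class id, 0 meaning "no match". */
uint32_t classify(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;                          /* accumulator */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case LD_H_ABS:                       /* 16-bit big-endian load */
            if (len < 2 || i->k > len - 2) return 0;
            a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case LD_B_ABS:
            if (i->k >= len) return 0;       /* out-of-bounds load: no match */
            a = pkt[i->k];
            break;
        case JEQ_K:                          /* offsets are unsigned, so forward-only */
            pc += (a == i->k) ? i->jt : i->jf;
            break;
        case RET_K: return i->k;
        default:    return 0;                /* unknown opcode: no match */
        }
    }
    return 0;                                /* ran off the end: no match */
}

/* Constructed program: 1 = IPv4/TCP, 2 = IPv4/UDP, 3 = other IPv4, 0 = not IPv4. */
static const struct insn class_prog[] = {
    { LD_H_ABS, 0, 0, 12 }, { JEQ_K, 0, 6, 0x0800 }, { LD_B_ABS, 0, 0, 23 },
    { JEQ_K, 0, 1, 6 },     { RET_K, 0, 0, 1 },      { JEQ_K, 0, 1, 17 },
    { RET_K, 0, 0, 2 },     { RET_K, 0, 0, 3 },      { RET_K, 0, 0, 0 },
};

/* Constructed frame: zeroed 24-byte Ethernet+IPv4 prefix; only len bytes are visible. */
uint32_t classify_sample(uint16_t ethertype, uint8_t proto, size_t len)
{
    uint8_t f[24] = {0};
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)ethertype; f[23] = proto;
    return classify(class_prog, sizeof class_prog / sizeof class_prog[0], f, len > sizeof f ? sizeof f : len);
}

int main(void) { printf("TCP frame -> class %u\n", (unsigned)classify_sample(0x0800, 6, 24)); return 0; }
```

The example covers only the class-number point; it keeps no state between packets.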