Xref: utzoo comp.protocols.tcp-ip:5268 comp.unix.wizards:12260
Path: utzoo!utgpu!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!pyramid!decwrl!vixie
From: vixie@decwrl.dec.com (Paul Vixie)
Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards
Subject: Re: Packet filtering for 4.3BSD ?
Message-ID: <45@gnome6.pa.dec.com>
Date: 10 Nov 88 02:11:25 GMT
References: <2973@ci.sei.cmu.edu>
Organization: DEC Western Research Lab
Lines: 28

# I have a TCP/IP gateway running 4.3BSD, and I've just been told that it
# has to be able to filter packets based on UDP and TCP port numbers, and
# possibly on source and destination IP addresses.  Has anyone already modified
# 4.3BSD to do this sort of thing?  If so, I'd like to see the code...

In principle, this is not that hard to do.  Issues are:

1. speed -- every packet is going to go through the filter, it has to be
   an FSM or some other very efficient mechanism;

2. manageability -- the language you speak to the filter in (telling it
   what's allowed and what's not) has to be readable.  Something built along
   the lines of sendmail.cf would be easiest to implement but would be
   (another) crime against reality.

3. minimal change -- the hook in the kernel has to be very narrow, since you
   will want to be able to pop the filter into future versions of TCP (CSRG
   promises many changes in the next release of their code, and streams-based
   TCP implementations are going to get more popular).  Portability is also
   a concern, for the same reasons.

Like I said, in principle it's not that hard.  But if anyone actually
implements something and/or publishes a paper on it, I'd sure like to hear
about it.  SMOP and all that.
-- 
Paul Vixie
Work:    vixie@decwrl.dec.com    decwrl!vixie    +1 415 853 6600
Play:    paul@vixie.sf.ca.us     vixie!paul      +1 415 864 7013
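As an added illustration of the three points in the reply above (a fast per-packet path, a readable rule language, and a narrow hook that takes nothing but a buffer and a length), here is a minimal user-space sketch of the filter the original poster asked about. It is not code from Paul Vixie or from 4.3BSD; it is an editor's example. It assumes IPv4 only, ignores IP options beyond honouring the IHL, drops non-first fragments (they carry no port numbers), and uses a one-line rule syntax of my own invention: `allow|deny tcp|udp|any SRC/BITS DST/BITS LO-HI`. Rules are compiled once into address masks and port bounds so that the per-packet loop does only integer compares; the fail-closed default (drop anything unmatched or unparseable) is a deliberate choice, not something the post specifies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Editor's example, not from the post or 4.3BSD. IPv4 only; first fragments only. */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
enum { ACT_DROP = 0, ACT_ALLOW = 1 };

struct rule {                       /* one compiled rule: all matching is integer compares */
    uint8_t  proto;                 /* 6, 17, or 0 for any */
    uint32_t src, src_mask, dst, dst_mask;
    uint16_t dport_lo, dport_hi;    /* inclusive; 0-65535 means any */
    int      action;
};
struct flow { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* "a.b.c.d/bits" -> address and netmask; returns 1 on success. */
static int parse_cidr(const char *s, uint32_t *addr, uint32_t *mask) {
    unsigned a, b, c, d, bits;
    if (sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &bits) != 5) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits > 32) return 0;
    *addr = a << 24 | b << 16 | c << 8 | d;
    *mask = bits ? 0xffffffffu << (32 - bits) : 0;
    return 1;
}

/* Rule syntax (invented here): "allow tcp 10.0.0.0/8 192.168.1.1/32 22-22". */
int parse_rule(const char *line, struct rule *r) {
    char act[8], proto[8], src[24], dst[24];
    unsigned lo, hi;
    if (sscanf(line, "%7s %7s %23s %23s %u-%u", act, proto, src, dst, &lo, &hi) != 6) return 0;
    if (!strcmp(act, "allow")) r->action = ACT_ALLOW;
    else if (!strcmp(act, "deny")) r->action = ACT_DROP;
    else return 0;
    if (!strcmp(proto, "tcp")) r->proto = PROTO_TCP;
    else if (!strcmp(proto, "udp")) r->proto = PROTO_UDP;
    else if (!strcmp(proto, "any")) r->proto = 0;
    else return 0;
    if (!parse_cidr(src, &r->src, &r->src_mask) || !parse_cidr(dst, &r->dst, &r->dst_mask)) return 0;
    if (lo > 65535 || hi > 65535 || lo > hi) return 0;
    r->dport_lo = (uint16_t)lo; r->dport_hi = (uint16_t)hi;
    return 1;
}

/* Pull the 5-tuple out of a raw IPv4 packet; 0 means malformed (caller drops it). */
int parse_flow(const uint8_t *pkt, size_t len, struct flow *f) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return 0;
    if ((be16(pkt + 6) & 0x1fff) != 0) return 0;   /* non-first fragment: no L4 header to check */
    f->proto = pkt[9]; f->src = be32(pkt + 12); f->dst = be32(pkt + 16);
    f->sport = f->dport = 0;
    if (f->proto == PROTO_TCP || f->proto == PROTO_UDP) {
        if (len < ihl + 4) return 0;               /* truncated transport header */
        f->sport = be16(pkt + ihl); f->dport = be16(pkt + ihl + 2);
    }
    return 1;
}

/* The narrow hook: buffer in, verdict out. First matching rule wins; default drop. */
int filter(const struct rule *rules, size_t n, const uint8_t *pkt, size_t len) {
    struct flow f;
    if (!parse_flow(pkt, len, &f)) return ACT_DROP;
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->proto && r->proto != f.proto) continue;
        if ((f.src & r->src_mask) != (r->src & r->src_mask)) continue;
        if ((f.dst & r->dst_mask) != (r->dst & r->dst_mask)) continue;
        if (f.dport < r->dport_lo || f.dport > r->dport_hi) continue;
        return r->action;
    }
    return ACT_DROP;
}

/* Constructed test packet: 20-byte IPv4 header plus the port pair; checksums left zero. */
size_t build_packet(uint8_t *buf, uint8_t proto, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport) {
    memset(buf, 0, 24);
    buf[0] = 0x45; put16(buf + 2, 24); buf[9] = proto;   /* v4, IHL 5, total length 24 */
    put32(buf + 12, src); put32(buf + 16, dst); put16(buf + 20, sport); put16(buf + 22, dport);
    return 24;
}

int main(void) {
    struct rule rs[2]; uint8_t pkt[24];
    parse_rule("allow tcp 10.0.0.0/8 192.168.1.1/32 22-22", &rs[0]);
    parse_rule("deny any 0.0.0.0/0 0.0.0.0/0 0-65535", &rs[1]);
    size_t n = build_packet(pkt, PROTO_TCP, 0x0a000001u, 0xc0a80101u, 40000, 22);
    printf("ssh from 10.0.0.1: %s\n", filter(rs, 2, pkt, n) == ACT_ALLOW ? "allow" : "drop");
    return 0;
}
```

The rule text is parsed once, outside the data path, which is what keeps point 1 and point 2 from fighting each other: the operator reads and writes prefixes and port ranges, the kernel sees only masks. A real hook would also need to be told the interface and direction, and would want a table structure better than a linear scan once the rule count grows.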