DragonFly BSD
DragonFly submit List (threaded) for 2004-01

Re: New Firewall (hpf) for DragonFlyBSD


From: "Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>
Date: Sun, 11 Jan 2004 14:50:42 +0100

On 11.01.2004, at 14:21, Sebastien Petit wrote:
I thought 256 would be enough as the firewall has a binary tree with
256 nodes each level.
We can do a base address + unsigned int for an index in each node. But
unsigned char and unsigned short are not enough. E.g.: in the worst case (no
optimization in the tree), you can have 14 nodes per rule (one per level).
So you can address nodes for about 20 rules max in the hpf engine, which is not
enough.

Maybe I'm completely misunderstanding the principle behind it, but won't every Node[n] contain a pointer to some element in Node[n+1]? Oh well, if it's possible to point to an arbitrary Node[n+1], it won't work this way :)


I must add architecture information (IA32, IA64, sparc etc...) to the compiled
rule file header. Then, we avoid the case where someone compiles a rule file on
IA64 and pushes it to an IA32 architecture (and avoid the reversed byte order
problem).
Can you tell me, Simon, if there are some defines in the DragonFly kernel for
identifying the architecture (like __IA32__, __IA64__ , __SPARC__,
__SPARC64__ etc...) ?

I'm sure there is, but I don't know where at the moment.
You could design the rule file format to be universal (like storing offsets by default and resolving them in the ia32 case) and endian independent (ntohl?) or at least endian aware (long int magic = 0xf00a1122).


cheers
  simon

--
/"\   http://corecode.ath.cx/#donate
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News

Attachment: PGP.sig
Description: This is a digitally signed message part
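
The endian-aware option from the reply above (a magic constant plus stored indices instead of pointers), sketched as an added example that is not part of the original mail or of hpf. The header layout, `NODE_SIZE` and all function names are hypothetical; the loader treats the rule file as untrusted input and bounds-checks it before any node is used.

```c
/* Added example: endian-aware header check for a compiled rule file.
 * Layout, names and NODE_SIZE are hypothetical; this is not hpf's format. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RULE_MAGIC      0xf00a1122u /* magic value suggested in the mail */
#define RULE_MAGIC_SWAP 0x22110af0u /* RULE_MAGIC as read by the other byte order */
#define NODE_SIZE       8u          /* assumed size of one node record */

enum rule_status { RULE_OK, RULE_OK_SWAPPED, RULE_TRUNCATED, RULE_BAD_MAGIC, RULE_BAD_COUNT };
struct rule_hdr { uint32_t magic; uint32_t node_count; };

static uint32_t bswap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Validate the header of an untrusted rule file image before any node is used. */
enum rule_status rule_hdr_check(const uint8_t *buf, size_t len, struct rule_hdr *out) {
    struct rule_hdr h;
    enum rule_status st = RULE_OK;
    if (len < sizeof h)
        return RULE_TRUNCATED;
    memcpy(&h, buf, sizeof h);              /* no unaligned loads */
    if (h.magic == RULE_MAGIC_SWAP) {       /* written on an opposite-endian host */
        h.magic = bswap32(h.magic);
        h.node_count = bswap32(h.node_count);
        st = RULE_OK_SWAPPED;               /* caller must swap node fields too */
    } else if (h.magic != RULE_MAGIC) {
        return RULE_BAD_MAGIC;
    }
    if (h.node_count > (len - sizeof h) / NODE_SIZE) /* division: no overflow */
        return RULE_BAD_COUNT;
    *out = h;
    return st;
}

/* Stored links are indices, not pointers; reject any that leave the table. */
int rule_index_ok(const struct rule_hdr *h, uint32_t idx) {
    return idx < h->node_count;
}

/* Constructed sample: header plus 4 zeroed node records, optionally byte-swapped. */
enum rule_status rule_sample(uint32_t magic, uint32_t claimed, int swap) {
    uint8_t img[sizeof(struct rule_hdr) + 4 * NODE_SIZE] = {0};
    struct rule_hdr parsed, h = { swap ? bswap32(magic) : magic, swap ? bswap32(claimed) : claimed };
    memcpy(img, &h, sizeof h);
    return rule_hdr_check(img, sizeof img, &parsed);
}
```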


