Not sure I want native code; I prefer that it be sandboxed, even at the
price of speed. (Just what we need, a virus vector in the kernel...
although I suppose that modules already give us one such.)

What I was thinking of is something like the packet filtering used by
CheckPoint FireWall-1 (not available for Linux AFAIK); this involves a
kernel module which implements arbitrarily complex (limited by memory
assigned for bytecode and table storage) stateful packet filters. It runs
bytecode. (For those who've seen FW-1, the things you can do with their GUI
filter editor are a subset of its full capability; you have to write
low-level INSPECT code to use its full power. INSPECT is *not* a simple
language to work with, though, which is why I was thinking of more normal
languages such as Java or Icon.)

BPF doesn't appear to be capable of supporting all of the capabilities of
this kind of filter, even ignoring the "stateful" part.

-- 
brandon s. allbery   [os/2][linux][solaris][japh]   allbery@kf8nh.apk.net
system administrator   [WAY too many hats]   allbery@ece.cmu.edu
electrical and computer engineering   KF8NH
carnegie mellon university