Re: Developing a user space library for filtering

[Phil Dibowitz <phil@ipom.com>]

[-- Attachment #1: Type: text/plain, Size: 2496 bytes --]

On Tue, May 22, 2007 at 01:50:20PM -0700, Darren.Reed@Sun.COM wrote:
> Patrick Schaaf wrote:
> 
> >...
> >Anyway, regarding the original request, I don't think it is sensible to
> >expect from netfilter developers to invent such a library, especially
> >when the scope is desired to be abstracting from netfilter.
> >
> 
> At this point in time, I was looking for people who might be interested
> in helping design such an API.  In the end, what I'm hoping for is to
> have a common API delivered as part of OpenSolaris as well as both
> FreeBSD and NetBSD.  Given that it's still being drafted, I'm opening
> the door and asking if there is anyone from Linux who's interested in
> participating.  I should point out that I'm not interested in requesting
> anyone here write code that isn't [L]GPL'd.

Actually the netfilter folks wrote an entire infrastructure for just this
purpose.

netfilter is a generic infrastructure for firewall software with a defined
kernel-user API and they're now writing many libraries on top of that.

My software, iptstate, uses libnetfilter-conntrack, which is built upon the
netfilter framework.

All this is not to be confused with iptables, which is simply an implmentation
of netfilter coincidentally written by the same people who write the netfilter
framework.

Or so I understand it.

> None of those 3 options are what I would call palatable.
> 
> Imagine if everytime a new glibc was delivered you needed to
> recompile all of your programs, from ls all the way through to the
> X server, or...

Darren, you're correct, this is definitely needed. If IPF and IPtables and
everyone else all used a common core kernel-userspace API, with a standard
library on top of it, that would be awesome.

Netfilter brings a lot of of this to the table, but the people involved in
writing the specs mostly worked on ipchains, and iptables, so they may have
made linux-specific assumptions without realizing it - but it was very much
purposed to be OS-agnostic.

-- 
Phil Dibowitz                             phil@ipom.com
Open Source software and tech docs        Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"Never write it in C if you can do it in 'awk';
 Never do it in 'awk' if 'sed' can handle it;
 Never use 'sed' when 'tr' can do the job;
 Never invoke 'tr' when 'cat' is sufficient;
 Avoid using 'cat' whenever possible" -- Taylor's Laws of Programming


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]