[EMAIL PROTECTED] wrote:
Last time on IRC, if I understand it correctly, you said the
optimization is to make all packets go through the kernel, and the
kernel dispatches the packet with the BPF.
Not quite. The idea was that if you have a multiplexer sitting directly
on the kernel interface, it could just upload the rules to the kernel,
instead of running the BPF implementation itself. But that is only a
minor additional optimization in a specific situation.
The main idea was that if we have filter translators sitting on a
multiplexer, the filter rules could be combined with the user-supplied
rules and all be handled in the multiplexer's BPF implementation, rather
than actually filtering them twice.
I think it's quite similar to what I said before. Maybe I used some words
that confused you.
I said the multiplexer (or the hypervisor, I'm not very sensitive to the
name :-) can have multiple interfaces and there was a "filter" behind
every interface.
The filter here actually means the BPF implementation (maybe this
confused you). But I didn't think about who gave the filter rules.
At the beginning, I thought the rules associated with an interface could
apply to all clients connected to the interface, so the rules might be
from the user who creates the interface.
But as you said, every client can give its own rules and the rules can be
from the pfinet server and even the filter translator.
Zheng Da