Subject: ZPC rule matching -- first match only?
To: None <tech-net@netbsd.org>
From: Jason R Thorpe <thorpej@zembu.com>
List: tech-net
Date: 12/29/2000 10:27:41
I've had some private feedback from people on my brief ZPC description
(including a good suggestion for a better name :-), and there's one thing
I thought I'd bring up here...
Some people are a little uneasy with the idea of mixing both "first match"
and "last match" rules, in other words "quick has to die".
I must admit that I'm not really all that happy with it, either. I'd
rather have a first-match only rule set. With some cleverness and a
slight extension of libpcap, you could even have BPF direct the dispatch
of the action (something that is MUCH harder, if not impossible, to do
if you have last-match rules).
Assuming the pcap optimizer does its job, this would also remove the need
for sub-groups.
For some types of rules, it would definitely mean having to extend BPF,
but I'd like to get comments on the idea.
--
-- Jason R. Thorpe <thorpej@zembu.com>