Compact Filter 0.3 review
DownloadCompact Filter is a network packet filter for Linux
|
|
Compact Filter is a network packet filter for Linux. It features an easy-to-use compact filter representation and high performance.
The main features are: easy to use interface, compact filter representation (memory efficient), and very high performance.
A difference between CF and other firewalls, such as Netfilter, is its representation of the ruleset. In CF the user writes a filter which is then compiled and optimized in user-space. The optimized filter is then loaded into the kernel (using netlink). Consequently the in kernel packet filtering code only needs funtionality for setting up a filter and filtering packets, while the more complex code of optimizing the filter remains in user-space.
Because of the continuous increase of the bandwidth and the security threats, firewalls have to evolve towards more efficient filtering schemes. The truth is that the existing scheme does not scale so well with the combined growth of bandwidth and rulesets.
Our aim is to try another approach to perform packet filtering where we minimize the complexity of the filtering process. This result in, both, a reduction of the required CPU power to filter packets and a simpler (and smaller) kernel code. Of course, we are pushing all the smart and complex part out to the user-space, but, developing in user-space is much simpler and safer.
What's New in This Release:
changed -d option to delete all filters
added -D option to delete a specific filter
changed default policy to permit rather than deny
added -l option on flex to support --yylineno on older versions of flex
new and improved install guide
Compact Filter 0.3 keywords