Next: Construction of filter graphs Up: FFPF high-level overview Previous: Receiving packets in a


Filter expressions

FFPF is language neutral, which means that different languages may be mixed. As mentioned earlier, we currently support five languages: BPF, FPL-1, FPL-2, C, and OKE-Cyclone. Support for C is limited to root users. The nature of the other languages will be discussed in more detail in Section 3. Presently, we only sketch how multiple languages are supported by the framework.

Figure (2.a) shows an example with two simplified flow definitions, for flows $A$ and $B$, respectively. The grabber for flow $A$ scans web traffic for the occurrence of a worm signature and saves the IP source and destination addresses of all infected packets. In case the signature was not encountered before, the packet is also handed to the application. Flow grabber $B$ counts the number of fragments in web traffic. The first fragment of each fragmented packet is passed to the application.

There are a few things that we should notice. First, one of these applications is fairly complex, performing a full payload scan, while the other shows how state is kept regardless of whether a packet itself is sent to userspace. It is difficult to receive these flows efficiently using existing packet filtering frameworks, because they either don't allow complex processing in the kernel, or do not keep persistent state, or both. Second, both flows may end up grabbing the same packets. Third, the processing in both flows is partly overlapping: they both work on HTTP packets, which means that they first check whether the packets are TCP/IP with destination port 80 (first block in Figure 2). Fourth, as fragmentation is rare and few packets contain the CodeRed worm, in the common case there is no need for the monitoring application to get involved at all.

Figure 2: (a) combining different languages in two flows (A and B), (b) calling external functions from a single flow [image: figs/concat_filters.eps]

Figure (2.a) shows how these two flows can be accommodated. A common BPF filter selecting HTTP/TCP/IP packets is shared by both flows. They are connected to the flow-specific parts of the data paths. As shown in the figure, the data paths are made up of small components written in different languages. The constituent filters are connected in a fashion similar to UNIX pipes. Moreover, a pipe may be 'split' (i.e., sent to multiple other pipes, as shown in the figure) and multiple pipes may even be 'joined'. Again, in UNIX fashion, the framework allows applications to create complex filter structures using simple components. A difference with UNIX pipes, however, is the method of connection: FFPF automatically recognises overlapping requests and merges the respective filters, thereby also taking care of all component interconnects.
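The two flows of Figure (2.a) and the prefix merging just described, as an added Python model that is not part of the FFPF paper or its implementation: each filter keeps persistent state in its own MBuf and returns whether the packet continues down the pipe, and flow definitions sharing a common prefix are merged into one graph so the shared HTTP filter runs once per packet. The packet layout, the signature bytes, the traffic and the choice to treat "not encountered before" as per (source, destination) pair are all constructed assumptions.

```python
from collections import defaultdict
SIGNATURE = b"CONSTRUCTED-WORM-SIG"  # placeholder bytes, not a real worm signature
def http_tcp(pkt, mbuf):   # shared prefix filter: TCP/IP packets to destination port 80
    return pkt["proto"] == "tcp" and pkt["dport"] == 80
def worm_scan(pkt, mbuf):  # flow A: full payload scan; MBuf remembers infected (src, dst) pairs
    if SIGNATURE not in pkt["payload"]:
        return False
    seen = mbuf.setdefault("infected", set())
    key = (pkt["src"], pkt["dst"])
    new = key not in seen  # only a first sighting is handed to the application
    seen.add(key)          # state is updated inside the filter either way
    return new
def frag_count(pkt, mbuf): # flow B: count fragments in MBuf, pass only the first fragment
    fragmented = pkt["mf"] or pkt["frag_off"] > 0
    if fragmented:
        mbuf["fragments"] = mbuf.get("fragments", 0) + 1
    return fragmented and pkt["frag_off"] == 0
def build_graph(flows):    # trie of filters: chains with a common prefix share its nodes
    root = {}
    for name, chain in flows.items():
        node = root
        for f in chain:
            node = node.setdefault(f, {})
        node[name] = None  # leaf: packets reaching here are delivered to flow 'name'
    return root
def run(graph, packets):   # each filter runs once per packet; returns (delivered, mbufs)
    mbufs, delivered = defaultdict(dict), defaultdict(list)
    def walk(node, p):
        for child, sub in node.items():
            if sub is None:
                delivered[child].append(p)
            elif child(p, mbufs[child]):
                walk(sub, p)
    for p in packets:
        walk(graph, p)
    return delivered, mbufs
def mkpkt(src, dst, payload=b"", proto="tcp", dport=80, mf=False, frag_off=0):
    return dict(src=src, dst=dst, payload=payload, proto=proto, dport=dport, mf=mf, frag_off=frag_off)

PACKETS = [  # constructed: one infected pair hit twice, one datagram in two fragments, one SSH packet
    mkpkt("10.0.0.1", "10.0.0.2", b"GET / " + SIGNATURE),
    mkpkt("10.0.0.1", "10.0.0.2", SIGNATURE),
    mkpkt("10.0.0.3", "10.0.0.2", b"GET / HTTP/1.1", mf=True),
    mkpkt("10.0.0.3", "10.0.0.2", b"...", frag_off=185),
    mkpkt("10.0.0.4", "10.0.0.2", b"ssh", dport=22),
]

def demo():
    graph = build_graph({"A": [http_tcp, worm_scan], "B": [http_tcp, frag_count]})
    return run(graph, PACKETS)
```

Running demo() delivers one packet to each flow while both MBufs still record every hit, which is the common case the text describes: state accumulates in the filters and the application is only involved for the rare first sighting or first fragment.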

Each filter has its own IBuf and MBuf and, once connected to a packet source, may be used as a 'flow grabber' in its own right (just like a stage in a UNIX pipe is itself an application). Filters may read the MBuf of other filters in their flow group (although we have not yet implemented synchronisation primitives to prevent races). In case the same MBuf needs to be written by multiple filters, the solution is to use the function-like filter calls supported by FPL-1 and FPL-2, rather than the pipe-like filter concatenation discussed so far. With filter call semantics, a filter is called explicitly as an external function by a statement in an FPL expression, rather than implicitly in a concatenated pipe. An explicit call executes the target filter expression with the calling filter's IBuf and MBuf. An example is shown in Figure (2.b), where a first filter call creates a hash table with counters for each TCP flow, while a second filter call scans the hash table for the top-10 most active flows. Both access the same memory area.


Herbert Bos 2004-10-06