Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Ivory

INSPECT language

I searched quite a bit, and I couldn't find any proper documentation about the syntax of INSPECT. A few lines in an introduction to fw monitor, a ten-year-old online course site which I doubt is up-to-date, and that's about it. Is there a good resource on this, short of cracking open my lab SMS and dissecting the INSPECT code present there?

0 Kudos
2 Replies
Highlighted
Admin
Admin

Re: INSPECT language

We haven't published documentation about INSPECT since version 2 of the product.
The basic syntax of INSPECT hasn't changed in quite some time.
We generally don't support custom-written INSPECT code, except for the limited purposes of using fw monitor.
Can you explain what you're trying to achieve?
0 Kudos
Highlighted
Ivory

Re: INSPECT language

Well, mostly curiosity and a bit of hacker instinct, I guess. More concretely I was hoping to understand the underlying implementation of the packet filtering process to be able to reason about performance on a deeper level than "rules with lots of hits go on top".

 

My concrete application, if you want to call it that: It's been irking me for a while that in SmartConsole the presentation of the rules is deeply tied up with their implementation. This has led me to wonder if one couldn't build an alternative, more declarative interface, with the generation of the actual policy and optimization based on past rule hits taken care of by some piece of translator software. And this is where INSPECT comes in, cutting out the middleman mgmt_cli: It's definitely possible to do this via the existing tools, generating an Original Flavor ruleset from a declarative specification, but if possible it'd be better to avoid that detour. No dependencies regarding specific interface implementations, better reasoning about performance, hell, maybe even greater potential for optimization due to lower-level access. And yeah, greater potential for accidentally breaking things - I guess that's why you don't release documentation, isn't it?

0 Kudos