Date: Tue, 25 Oct 2005 05:11:45 -0500
From: "Travis H." <solinym@gmail.com>
To: Kai Gallasch <gallasch@free.de>
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 6.0RC1 - pf and big tables, pfspamd
Message-ID: <d4f1333a0510250311x66bbec69re6e7b42f48b50ae@mail.gmail.com>
In-Reply-To: <6BDA08CF-3930-4F37-BB47-EAC722391D41@free.de>
References: <6BDA08CF-3930-4F37-BB47-EAC722391D41@free.de>
> Is there a possibility to abuse pf in the following fashion?
>
> rdr inet proto tcp from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org
> == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025

Disclaimer: I don't speak for anyone.

It would be nice, but then they'd need to link the resolver library into the kernel, and the kernel would block when doing lookups*, which is probably unacceptable. Or are you talking about doing the lookups when the rules are loaded? If that's the case, you can just preprocess the rules file and do your lookups yourself.

[*] Unless you get tricky and do kernel preemption.

More generally, it'd be nice if we could hook routing decisions to userland programs, but then the kernel has to make its decisions in kernel mode... to schedule a userland program and run it, you'd have to save your place and come back...

I recently proposed on the pf mailing list that pf actually be a virtual machine which runs a simple program, then we could do lots of fancy optimization, and maybe JIT compilation of rules. There was talk of checkpoint having a patent on something similar (see the pf@benzedrine.cx archives for URL to the patent). Seems straightforward though, as bpf already does something like this, I wonder if that counts as prior art.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
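The "preprocess the rules file and do your lookups yourself" approach from the reply, as an added example that is not part of the thread: a small Python preprocessor that understands the hypothetical `[if dnsquery NAME == ADDR]` annotation from the question, performs the DNSBL lookup at rule-generation time, and emits only the rdr rules whose condition holds. The annotation syntax, the `dnsbl_name` helper and the `FAKE_DNS` table are assumptions constructed for this example; `resolve_a` is what you would pass in for real lookups.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Matches the inline conditional from the question, e.g.
#   rdr ... from 10.0.0.5/32 [if dnsquery 5.0.0.10.list.dsbl.org == 127.0.0.2] to any ...
COND_RE = re.compile(r"\s*\[if dnsquery (?P<name>\S+) == (?P<expect>\S+)\]")

def dnsbl_name(addr: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects (a.b.c.d -> d.c.b.a.zone)."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {addr}")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name: str) -> Optional[str]:
    """Real resolver: first A record, or None when the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def preprocess(rules: str, lookup: Callable[[str], Optional[str]] = resolve_a) -> List[str]:
    """Expand conditional rules at load time: a rule is kept (with its condition
    stripped) only when the DNS answer equals the expected value; unconditional
    lines pass through unchanged, so the output is plain pf.conf syntax."""
    out = []
    for line in rules.splitlines():
        m = COND_RE.search(line)
        if m is None:
            out.append(line)
            continue
        if lookup(m.group("name")) == m.group("expect"):
            out.append(line[:m.start()] + line[m.end():])
        # otherwise the condition failed and the rule is left out of the generated file
    return out

# Constructed stand-in for the resolver so this runs offline: only 10.0.0.5 is "listed".
FAKE_DNS: Dict[str, Optional[str]] = {"5.0.0.10.list.dsbl.org": "127.0.0.2"}

SAMPLE_RULES = f"""\
rdr inet proto tcp from 10.0.0.5/32 [if dnsquery {dnsbl_name('10.0.0.5', 'list.dsbl.org')} == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025
rdr inet proto tcp from 10.0.0.6/32 [if dnsquery {dnsbl_name('10.0.0.6', 'list.dsbl.org')} == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025
pass in proto tcp to any port smtp
"""

if __name__ == "__main__":
    for rule in preprocess(SAMPLE_RULES, FAKE_DNS.get):
        print(rule)
```

Run the output through `pfctl -nf -` before loading it, since the lookups happen once at generation time and a listing that changes later needs the file regenerated and reloaded.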