From: "Travis H."
To: Kai Gallasch
Cc: freebsd-pf@freebsd.org
Date: Tue, 25 Oct 2005 05:11:45 -0500
Subject: Re: FreeBSD 6.0RC1 - pf and big tables, pfspamd
In-Reply-To: <6BDA08CF-3930-4F37-BB47-EAC722391D41@free.de>
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

> Is there a possibility to abuse pf in the following fashion?
>
> rdr inet proto tcp from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025

Disclaimer: I don't speak for anyone.

It would be nice, but then they'd need to link the resolver library into the kernel, and the kernel would block when doing lookups*, which is probably unacceptable. Or are you talking about doing the lookups when the rules are loaded? If that's the case, you can just preprocess the rules file and do your lookups yourself.

[*] Unless you get tricky and do kernel preemption.

More generally, it'd be nice if we could hook routing decisions to userland programs, but then the kernel has to make its decisions in kernel mode... to schedule a userland program and run it, you'd have to save your place and come back...

I recently proposed on the pf mailing list that pf actually be a virtual machine which runs a simple program, then we could do lots of fancy optimization, and maybe JIT compilation of rules. There was talk of checkpoint having a patent on something similar (see the pf@benzedrine.cx archives for URL to the patent). Seems straightforward though, as bpf already does something like this, I wonder if that counts as prior art.

-- 
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
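The load-time preprocessing suggested in the reply, as an added example that is not part of the original thread or of pf: it evaluates the hypothetical `[if dnsquery NAME == ADDR]` annotation from the quoted rule once, when the ruleset is generated, and emits plain pf syntax. The `[if dnsquery ...]` annotation, the sample ruleset and the lookup table are constructed for this example; the live resolver is assumed to be `socket.gethostbyname`.

```python
import re
import socket

# Hypothetical annotation, modelled on the quoted rule:
#   ... from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org == 127.0.0.2] ...
COND = re.compile(r"\s*\[if dnsquery (\S+) == (\S+)\]")


def dnsbl_name(addr, zone):
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % addr)
    return ".".join(reversed(octets)) + "." + zone


def resolve(name):
    """Live resolver: A record as a string, or None when the name is unlisted."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def preprocess(rules_text, resolver=resolve):
    """Return a ruleset with every [if dnsquery ...] condition evaluated now.

    A rule whose lookup matches is emitted without the annotation; any other
    rule is kept as a comment so the generated file records why it was dropped.
    """
    out = []
    for line in rules_text.splitlines():
        m = COND.search(line)
        if m is None:
            out.append(line)
            continue
        name, expected = m.groups()
        answer = resolver(name)
        rule = line[:m.start()] + line[m.end():]
        if answer == expected:
            out.append(rule)
        else:
            out.append("# skipped (dnsquery %s -> %s): %s" % (name, answer, rule.strip()))
    return "\n".join(out) + "\n"


# Constructed sample ruleset and lookup table for an offline run.
SAMPLE_RULES = (
    "pass in all\n"
    "rdr inet proto tcp from 192.0.2.10/32 [if dnsquery 10.2.0.192.list.dsbl.org == 127.0.0.2] "
    "to any port smtp -> 192.168.0.100 port 8025\n"
    "rdr inet proto tcp from 192.0.2.20/32 [if dnsquery 20.2.0.192.list.dsbl.org == 127.0.0.2] "
    "to any port smtp -> 192.168.0.100 port 8025\n"
)
FAKE_DNSBL = {"10.2.0.192.list.dsbl.org": "127.0.0.2"}  # 192.0.2.20 is unlisted

if __name__ == "__main__":
    print(preprocess(SAMPLE_RULES, FAKE_DNSBL.get))
```

Because the lookups happen only when the file is generated, the output reflects the DNSBL as of that moment; regenerate and reload it on a schedule rather than treating the emitted rules as current.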