From owner-freebsd-pf@FreeBSD.ORG Wed Jul 26 04:09:41 2006
Return-Path: samba@embeddedinfotech.com
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE20716A4DD; Wed, 26 Jul 2006 04:09:41 +0000 (UTC) (envelope-from samba@embeddedinfotech.com)
Received: from relay02.pair.com (relay02.pair.com [209.68.5.16]) by mx1.FreeBSD.org (Postfix) with SMTP id 3EC0F43D4C; Wed, 26 Jul 2006 04:09:41 +0000 (GMT) (envelope-from samba@embeddedinfotech.com)
Received: (qmail 19846 invoked by uid 0); 26 Jul 2006 04:09:39 -0000
Received: from unknown (HELO ?192.168.1.73?) (unknown) by unknown with SMTP; 26 Jul 2006 04:09:39 -0000
X-pair-Authenticated: 202.153.42.171
Message-ID: <44C6EB01.2050303@embeddedinfotech.com>
Date: Wed, 26 Jul 2006 09:39:37 +0530
From: samba <samba@embeddedinfotech.com>
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Porting proxies/ALGs into the kernel
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Wed, 26 Jul 2006 04:09:41 -0000

Hi all,

I am planning to use Packet Filter as a firewall/NAT for my VPN box, which runs VxWorks. It has 32 MB of RAM. I need to support some of the popular services for machines behind the NAT, like FTP, H.323, Real Audio, NetBIOS, DNS, RTSP and SIP. The standard OpenBSD way of doing things, afaik, is to redirect the traffic to user space and let the proxy daemons deal with it.

My questions are:

a) Would it not be a big overhead to move packets to and fro between user space and kernel space? Also, considering my case where the box is memory constrained, I would want to keep the number of user-space processes/tasks to a minimum.

b) Would it be a good idea to port the ALGs into the kernel, the way IPFILTER or Netfilter do it?

c) Would it be feasible to re-model PF such that rule matches (e.g. IP address match, interface match) and targets (filter, redirect, DNAT, SNAT) can be registered, so that additional matches and targets can be added without much change in the core firewall code?

Please let me know your opinion regarding this.

thanks & regards
samba
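For readers unfamiliar with the user-space ALG approach the post refers to, the following pf.conf fragment is an added illustration (not part of the original mail, and not the poster's configuration) of how pf hands FTP control connections to ftp-proxy(8) and lets the proxy insert per-session rules for the data connections through anchors. Interface names, the internal network and the external address are assumed values.

```pf
# Constructed example pf.conf fragment: user-space FTP ALG via ftp-proxy(8),
# OpenBSD 3.9 / FreeBSD 6-era rule syntax. All addresses and interfaces are
# assumptions for illustration only.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"      # assumed internal network behind the NAT
proxy   = "203.0.113.10"        # assumed external address the proxy connects from

# Anchors that ftp-proxy fills at run time with one rule set per FTP session,
# covering the active- or passive-mode data connection it negotiated. The
# rules disappear when the control connection closes, so no static pinholes
# are needed for the FTP data channel.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Ordinary outbound NAT for the internal network.
nat on $ext_if from $int_net to any -> ($ext_if)

# Redirect every outbound FTP control connection to ftp-proxy listening on
# 127.0.0.1:8021. Because the proxy binds to loopback, only traffic pf
# redirects ever reaches it; nothing else on the network can talk to it.
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Default deny inbound, allow outbound with state.
block in
pass out keep state

# Filter rules ftp-proxy adds per session are evaluated here.
anchor "ftp-proxy/*"

# Let the proxy itself open control connections to remote FTP servers.
pass out proto tcp from $proxy to any port 21
```

This is the trade-off the question is about: each FTP control connection crosses the kernel/user boundary twice per packet, but the kernel only ever sees ordinary stateful rules, and the protocol parsing (and its bugs) lives in an unprivileged daemon rather than in the packet filter itself. The data-channel rules exist only while the session does, so the exposure is bounded even if the proxy mis-parses a reply.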