On Thu, 2003-09-11 at 23:00, Daniel Hartmeier wrote:

> This can be done easily within the logic of the http proxy, just write
> one that doesn't open the real server connection immediately, but parses
> the request first. This works for TCP protocols where the client
> must first send a complete request, and doesn't lead an interactive
> dialogue with the server (like for smtp or pop3).
This still requires that the proxy daemon sticks around for the lifetime of the connection, consuming fds and cpu time. In the case of HTTP, it may also be fooled by HTTP 1.1 persistent connections.

It would be cool if pf (some time in the future) had some way of passing packets off to a userspace inspection process before they were put out on the wire or delivered locally. The inspection process could interrogate the packets and tell pf if they were OK. After the userspace process was no longer interested in the connection, it could disassociate from it and exit. In a perfect world, the inspection process would have the ability to modify these packets too (since I am in wishlist mode, why stop? :) )

IIRC Linux netfilter has something like this with its "queue packet for userspace" functionality.

-d
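The inspect-before-connect proxy logic from the quoted message, and the persistent-connection caveat raised in the reply, as an added example that is not code from either poster or from pf. It parses each complete HTTP request off a client byte stream before any backend connection would be opened, and shows that on an HTTP/1.1 keep-alive connection every request must be re-inspected, not only the first; the policy hook `allowed()` and the host list are hypothetical.

```python
# Added example (not from the thread): core of an inspect-before-connect HTTP proxy.
from typing import NamedTuple, Optional, Tuple

class Request(NamedTuple):
    method: str
    target: str
    version: str
    headers: dict
    body: bytes

HEADER_END = b"\r\n\r\n"

def parse_request(buf: bytes) -> Tuple[Optional[Request], int]:
    """Return (Request, bytes_consumed), or (None, 0) while the request is incomplete."""
    end = buf.find(HEADER_END)
    if end < 0:
        return None, 0                      # headers not fully received yet
    head = buf[:end].decode("latin-1").split("\r\n")
    method, target, version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    total = end + len(HEADER_END) + length
    if len(buf) < total:
        return None, 0                      # body not fully received yet
    return Request(method, target, version, headers, buf[end + len(HEADER_END):total]), total

def allowed(req: Request, hosts=frozenset({"www.example.com"})) -> bool:
    """Hypothetical policy hook: only GET/HEAD to a known Host header may reach the server."""
    return req.method in ("GET", "HEAD") and req.headers.get("host") in hosts

def inspect_stream(data: bytes, reinspect_each: bool = True) -> list:
    """Walk a client byte stream as the proxy would and return one verdict per request.
    With reinspect_each=False only the first request is checked, which is how a
    keep-alive connection can smuggle later requests past a first-request-only check."""
    verdicts, buf, first = [], data, True
    while buf:
        req, used = parse_request(buf)
        if req is None:
            break                           # a real proxy would read more from the socket
        verdicts.append(allowed(req) if (first or reinspect_each) else True)
        first, buf = False, buf[used:]
    return verdicts

# Constructed sample: a keep-alive client sends a harmless GET, then a POST on the same connection.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
          b"POST /cgi-bin/upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n\r\nhello")
```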