> Is there a possibility to abuse pf in the following fashion?
>
> rdr inet proto tcp from a.b.c.d/32 [if dnsquery d.c.b.a.list.dsbl.org
> == 127.0.0.2] to any port smtp -> 192.168.0.100 port 8025
Disclaimer: I don't speak for anyone.

It would be nice, but then they'd need to link the resolver library into the kernel, and the kernel would block when doing lookups*, which is probably unacceptable. Or are you talking about doing the lookups when the rules are loaded? If that's the case, you can just preprocess the rules file and do your lookups yourself.

[*] Unless you get tricky and do kernel preemption.

More generally, it'd be nice if we could hook routing decisions to userland programs, but then the kernel has to make its decisions in kernel mode... to schedule a userland program and run it, you'd have to save your place and come back...

I recently proposed on the pf mailing list that pf actually be a virtual machine which runs a simple program; then we could do lots of fancy optimization, and maybe JIT compilation of rules. There was talk of Checkpoint having a patent on something similar (see the [email protected] archives for the URL to the patent). Seems straightforward though, as bpf already does something like this; I wonder if that counts as prior art.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
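The "preprocess the rules file and do your lookups yourself" approach from the reply above, as an added example that is not part of the original thread or of pf itself. It builds the reversed-octet DNSBL query name (a.b.c.d -> d.c.b.a.list.dsbl.org), asks a resolver for it, and emits one rdr rule per listed address in the exact form the question used. The resolver is injectable: `system_lookup` uses the real stub resolver, while `CONSTRUCTED_ANSWERS` is a made-up answer table so the example runs offline. The zone `list.dsbl.org`, the target `192.168.0.100 port 8025` and the listing code `127.0.0.2` are taken from the quoted question; `pfctl -a dnsbl -f -` in the usage note is the assumed way to load the generated rules into an anchor and is not something the thread states.

```python
"""Generate pf rdr rules from DNSBL lookups at rule-load time.

Added example (not from the freebsd-pf thread). The lookups happen in
userland before the rules reach pfctl, which is the workaround the reply
suggests instead of resolving inside the kernel.
"""
import ipaddress
import socket
import sys
from typing import Callable, Iterable, List, Optional

DNSBL_ZONE = "list.dsbl.org"     # zone from the quoted question
LISTED_CODE = "127.0.0.2"        # answer that means "listed" in the question
RDR_TARGET = "192.168.0.100"     # redirect target from the question
RDR_PORT = 8025

# Constructed answer table so the example runs without network access.
# A real DNSBL returns different 127.0.0.x codes for different listing
# reasons, so 9.9.9.9 (answer 127.0.0.3) must NOT match 127.0.0.2.
CONSTRUCTED_ANSWERS = {
    "4.3.2.1.list.dsbl.org": "127.0.0.2",   # listed
    "8.7.6.5.list.dsbl.org": None,          # NXDOMAIN: not listed
    "9.9.9.9.list.dsbl.org": "127.0.0.3",   # listed with a different code
}


def dnsbl_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: a.b.c.d -> d.c.b.a.<zone>.

    ipaddress validates the input, so junk or IPv6 raises ValueError
    instead of silently producing a nonsense query.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_lookup(name: str) -> Optional[str]:
    """Resolve with the system stub resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rdr_rule(ip: str, target: str = RDR_TARGET, port: int = RDR_PORT) -> str:
    """One rdr rule in the (pre-OpenBSD 4.7) syntax used in the question."""
    return (f"rdr inet proto tcp from {ip}/32 to any port smtp "
            f"-> {target} port {port}")


def generate_rules(ips: Iterable[str],
                   lookup: Callable[[str], Optional[str]],
                   zone: str = DNSBL_ZONE,
                   listed_code: str = LISTED_CODE) -> List[str]:
    """Return rdr rules for every address whose DNSBL answer equals listed_code."""
    rules = []
    for ip in ips:
        answer = lookup(dnsbl_name(ip, zone))
        if answer == listed_code:
            rules.append(rdr_rule(ip))
    return rules


if __name__ == "__main__":
    # Real use: addresses on argv, real resolver, rules on stdout.
    # Offline demo: no arguments, constructed answers.
    if len(sys.argv) > 1:
        rules = generate_rules(sys.argv[1:], system_lookup)
    else:
        rules = generate_rules(["1.2.3.4", "5.6.7.8", "9.9.9.9"],
                               CONSTRUCTED_ANSWERS.get)
    print("\n".join(rules))
```

The generated rules are a snapshot of the DNSBL at load time, which is the real difference from the per-packet lookup the question asked for: the script has to be re-run (cron, or on a `pfctl` reload) for new listings to take effect. Loading them into their own anchor (assumed invocation: `python3 gen.py 1.2.3.4 5.6.7.8 | pfctl -a dnsbl -f -`, with a matching `rdr-anchor "dnsbl"` in the main ruleset) keeps the regenerated rules separate from the hand-written ones.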
