Working on some application proxies that do nat lookups through the pf API, I found out that there are some situations where the pf API doesn't help enough. Particularly, if the nat or pf rules get reloaded by the administrator, the userland proxies have no way to find out easily. In cases where those applications actively manage nat/pf rules, it can make things more difficult. Also, authpf techniques may be improved if it could load rules directly in pf and get informed of pf resets.

I believe that a very simple way would be to signal application proxies that have opened /dev/pf to let them know about the reset. Another possibility could be to create some sort of grouping and prioritization, so that reloading the pf.conf file doesn't clean out other types of rulesets. A third option (an extension of the previous) could be to trigger the shutdown of a /dev/pf device access to clean out the dynamic rules created by the application.

The need for direct nat/pf handling by the application becomes necessary in my case, since the proxies' protocols are quite complex and require several different kinds of connections to be proxied separately, as a result of information grabbed in other proxied protocols and so on. Furthermore, I believe that userland proxy coders may want to be able to handle the insertion/removal of the rules directly from the application, instead of requiring the user to add them manually.

Last but not least, if pf is able to clean out rules created by applications once they quit (see above), it would certainly make the system safer: as of now, if a local, unprivileged user manages to crash ftp-proxy (unlikely to happen, it's just an example), he could open a socket in its place and use it to read clear-text user/pass tuples and such.

I've discussed this privately with Daniel and we agreed to talk again about the issue. Now, as this mailing list is getting crowded, I thought of posting here, in case anyone wanted to join the discussion.
Giacomo Cariello, [EMAIL PROTECTED]
KeyID: 3072/1024/0x409C9044
Fingerprint: 7984 10FD 0460 4202 BF90 3881 CDE4 D78E 409C 9044
"Put that mic in my hand and let me kick out the jams!" - MC5
