Minimal? Not even close. It requires the kernel to fully emulate TCP
based on the information in the IP datagrams it is seeing. This is
almost assuredly impossible to do correctly, and is the basis for just
about every "open an arbitrary connection" attack on stateful
firewalls that I can think of.
So, no. There are no plans. Dangerous proxies like this one belong in
userland, period.

I think maybe you misunderstand. I'm not proposing a kernel ftp proxy
-- I agree that there are conditions, such as commands or responses
spanning packets, that are almost impossible to handle correctly.
I'm asking whether anyone has considered modifying the userland proxy
to fake the connection it makes to the server so that it appears to
come from the originating host.
Whilst it would (probably) require some kernel hackery to allow such a
faked connection to be established, most of the kernel support for
such a connection is already there. Once established, that connection
is no different from the connection that already exists in the current
implementation between the client and ftp-proxy. In both cases,
OpenBSD is acting as the endpoint of a TCP connection that is not
addressed to it. And due to the symmetric nature of TCP, both
connections are indistinguishable, once established.
-roy
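An added example, not from the thread or from OpenBSD's ftp-proxy, of the "faked connection" roy describes: the proxy opens its server-side leg with the client's address as source, so that the server sees the original host talking. On current kernels the support roy expects to need exists as a privileged socket option; this code assumes SO_BINDANY (OpenBSD) or IP_TRANSPARENT (Linux) and falls back to an error where neither is defined. The addresses used in the comments are constructed (192.0.2.0/24 is documentation space, not anyone's host).

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Fill an IPv4 sockaddr from dotted-quad text; port is in host order. */
static int make_addr(struct sockaddr_in *sa, const char *ip, uint16_t port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Step 1 of the faked server-side leg: ask the kernel to let this socket
 * bind an address that is not configured on any local interface.
 * SO_BINDANY is the OpenBSD option, IP_TRANSPARENT the Linux one; both
 * need privilege (root / CAP_NET_ADMIN). Returns 0, or -1 with errno set. */
int allow_foreign_bind(int fd)
{
    int on = 1;
#if defined(SO_BINDANY)               /* OpenBSD */
    return setsockopt(fd, SOL_SOCKET, SO_BINDANY, &on, sizeof on);
#elif defined(IP_TRANSPARENT)         /* Linux */
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on);
#else
    (void)fd; (void)on;
    errno = ENOPROTOOPT;              /* no such kernel support here */
    return -1;
#endif
}

/* What happens WITHOUT that support: a plain bind() to a foreign address.
 * Returns the errno the kernel gives back (0 if it allowed the bind).
 * On a stock kernel this is EADDRNOTAVAIL, which is exactly the refusal
 * the "kernel hackery" roy mentions has to lift. */
int bind_foreign_plain(const char *ip)
{
    struct sockaddr_in sa;
    int fd, err = 0;
    if (make_addr(&sa, ip, 0) < 0) return EINVAL;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return errno;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) err = errno;
    close(fd);
    return err;
}

/* Errno from enabling the option on a fresh socket (0 = allowed, which
 * normally means the process is privileged). */
int try_allow_foreign_bind(void)
{
    int fd, err = 0;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return errno;
    if (allow_foreign_bind(fd) < 0) err = errno;
    close(fd);
    return err;
}

/* The full server-side leg of the relay: a TCP connection to
 * server_ip:server_port whose source address is client_ip, so from the
 * server's point of view the client itself is connecting, just as the
 * proxy host is already the unaddressed endpoint of the client's leg.
 * Returns the connected fd, or -1 with errno set. */
int connect_as_client(const char *client_ip, const char *server_ip,
                      uint16_t server_port)
{
    struct sockaddr_in src, dst;
    int fd;

    if (make_addr(&src, client_ip, 0) < 0 ||
        make_addr(&dst, server_ip, server_port) < 0) {
        errno = EINVAL;
        return -1;
    }
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    if (allow_foreign_bind(fd) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}
```

The socket option only changes what the proxy emits; the server's replies are addressed to the client, so the firewall in front of the proxy must still pull them back to the proxy's socket (pf's divert rules on OpenBSD, TPROXY plus policy routing on Linux). Without that, the faked leg never completes the handshake, and a quick check that it is missing is a SYN leaving with the client's address and the SYN/ACK going straight past the proxy host.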