On Friday, Aug 1, 2003, at 13:59 US/Pacific, Adam Coyne wrote:

I'd like to pass or block certain packets based on an inspection of the payload after scrubbing. It might be fun if pf were able to use a bpf-style expression like 'protocol[offset:size] = x' to create rules which look at the data in the packet, but it seems more practical to do it in a separate program. Is it possible for me to create rules to somehow hand off selected packets to a different program? I'm thinking of something along the lines of a FreeBSD divert socket, although I'm certainly open to better suggestions.

You could probably put something together with tun. There aren't any mechanisms that work directly with the filter like divert does.


Note that scrub, at best, can piece together IP fragments. It cannot handle TCP segments, or do anything approaching snort's stream reassembly. I'm curious what this would be useful for (in terms of pass/block decisions), since there are a lot of caveats in actually getting the data.
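Added example, not code from this thread or from pf, illustrating the two points above: a small userland matcher for bpf-style `proto[offset:size] = value` tests over raw IPv4/TCP packets (the kind of program the selected packets would be handed to), and a demonstration of why per-packet matching misses a pattern that straddles two TCP segments, which is exactly what scrub's fragment reassembly does not help with. The expression syntax, the `payload[...]` extension, the helper names and the sample packets are all assumptions of this example.

```python
"""Added example: bpf-style 'proto[offset:size] = value' matching over raw
IPv4/TCP packets, per packet versus over a reassembled TCP stream.
Expression syntax, 'payload' pseudo-protocol, helper names and sample
packets are assumptions of this example, not part of pf or the thread."""
import re
import struct

# proto[offset:size] = value, size 1/2/4, value decimal or 0x-hex (assumed grammar)
_EXPR = re.compile(r"^(ip|tcp|payload)\[(\d+):([124])\]\s*=\s*(0x[0-9a-fA-F]+|\d+)$")


def build_ipv4_tcp(payload, seq, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80):
    """Build a minimal IPv4+TCP packet (no options, zeroed checksums) for testing."""
    total = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    # data offset 5 words, flags PSH|ACK
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return byte offsets of the IP header, TCP header and TCP payload, plus seq."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4            # IP options shift the TCP header
    if pkt[9] != 6:
        raise ValueError("not TCP")
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    data_off = (pkt[ihl + 12] >> 4) * 4  # TCP options shift the payload
    seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
    return {"ip": 0, "tcp": ihl, "payload": ihl + data_off, "seq": seq}


def _parse_expr(expr):
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError("bad expression: %r" % expr)
    return m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4), 0)


def match_expr(pkt, expr):
    """Evaluate one expression against one packet.
    'ip' and 'tcp' follow bpf semantics (offset from the start of that header,
    so tcp[20:4] is the payload only when there are no TCP options);
    'payload' is this example's extension: offset from the start of TCP data."""
    base, off, size, val = _parse_expr(expr)
    start = parse_ipv4_tcp(pkt)[base] + off
    field = pkt[start:start + size]
    if len(field) < size:
        return False                     # the bytes are not in this packet
    return int.from_bytes(field, "big") == val


def match_stream(packets, expr):
    """Reassemble one direction of a TCP stream (contiguous segments, no
    overlap or retransmission handling) and evaluate a payload[...] test on it."""
    base, off, size, val = _parse_expr(expr)
    if base != "payload":
        raise ValueError("stream matching supports payload[...] only")
    segs = []
    for p in packets:
        info = parse_ipv4_tcp(p)
        segs.append((info["seq"], p[info["payload"]:]))
    segs.sort()
    first, stream = segs[0][0], bytearray()
    for seq, data in segs:
        if seq != first + len(stream):
            raise ValueError("gap or overlap at seq %d" % seq)
        stream += data
    field = bytes(stream[off:off + size])
    return len(field) == size and int.from_bytes(field, "big") == val


# Constructed sample traffic: an HTTP request in one segment, and the same
# request split so the 4-byte pattern "GET " straddles a segment boundary.
WHOLE = [build_ipv4_tcp(b"GET / HTTP/1.0\r\n\r\n", seq=1000)]
SPLIT = [build_ipv4_tcp(b"GE", seq=1000), build_ipv4_tcp(b"T / HTTP/1.0\r\n\r\n", seq=1002)]
GET_EXPR = "payload[0:4] = 0x47455420"   # "GET " as a big-endian integer


def demo():
    return {
        "dport_is_80": match_expr(WHOLE[0], "tcp[2:2] = 80"),
        "whole_per_packet": any(match_expr(p, GET_EXPR) for p in WHOLE),
        "split_per_packet": any(match_expr(p, GET_EXPR) for p in SPLIT),
        "split_reassembled": match_stream(SPLIT, GET_EXPR),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The split case is the caveat in the reply: each of the two packets is a complete, unfragmented IP datagram, so scrub has nothing to reassemble, and a per-packet rule never sees "GET " at all; only a program that tracks sequence numbers and joins segments (as above, and in a far more careful way in snort) can make that pass/block decision.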
