On Tue, Sep 30, 2003 at 04:23:45AM +0000, [EMAIL PROTECTED] wrote:
> At the university I am working on a project where I have to implement deep
> packet inspection (payload inspection) with some firewall (I picked OpenBSD's
> pf); currently I am thinking about the design and implementation of that. One of
> the most obvious options is to rdr packets to a user-land proxy (just like
> ftp-proxy); however, I'd like to implement that in kernel-land.

Doing such complicated and error-prone shit in kernel land is the
wrong way.
Just go read the bugtraq archives for errors in netfilter's connection
tracking modules for various protocols, as well as IPF and its
in-kernel ftp-proxy. All had issues, and for all of them the consequences were
really, really bad.
Should ftp-proxy ever be affected, well, it runs in userland as an
unprivileged account...


-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
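The userland design the thread contrasts with in-kernel inspection, as an added illustration that is not part of either message: a pf.conf fragment in the 2003-era rdr syntax that hands LAN FTP control connections to a local ftp-proxy, so a bug in the protocol parser is confined to an unprivileged process rather than the kernel. The interface name, LAN prefix and listening port 8021 are assumptions for the example.

```conf
# Assumed names for this example (not from the original thread)
int_if = "fxp0"
lan    = "192.168.1.0/24"

# Redirect outbound FTP control connections from the LAN to a local
# userland proxy listening on 127.0.0.1:8021 (assumed port; the proxy
# process, not pf, is what runs as an unprivileged account).
rdr on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# Allow the redirected connection to reach the proxy.
pass in on $int_if proto tcp from $lan to 127.0.0.1 port 8021 keep state

# The proxy opens the outbound data/control sessions itself; nothing
# here parses FTP payload in the kernel.
pass out on $int_if proto tcp from any to any port 21 keep state
```

Because the payload parsing happens only in the proxy process, a parser fault costs that process and its unprivileged account, not the kernel and its connection state.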
