> > No, no, it's me who is excluding this way. :) Moving packets through
> > userland and reimplementing states in the app is not the simplest,
> > most reliable and - last but not least - fastest way, IMHO. Please
> > prove me if I'm wrong.
>
> Well, in a sense, proxying is the most reliable in that it ensures that
> there is no exploitable ambiguity of interpretation between the inspector
> and the receiver of traffic. This is well described in Ptacek and Newsham's
> "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion
> Detection"[1].
>
> AFAIK your patch doesn't seem to deal with the trivial case of where the
> data to inspect spans more than one packet, so it isn't reliable even with
> non-adversarial traffic.
>
> The fact that doing this right is exceedingly difficult is why it doesn't
> exist in PF already.
Exactly. There does exist a diff which adds this to pf using a bpf grammar, written by Reyk. However, the same objections came up at that time too. It is way too easy to misuse this. People who use it will reduce security when they think they are increasing security.
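The "data spans more than one packet" failure the quoted reply describes, as an added illustration that is not part of this thread, of pf, or of the diff mentioned above. The `struct segment`, the function names and the segments themselves are all constructed for the example; the point is that a per-packet payload match misses a string that crosses a segment boundary, while a matcher that rebuilds the stream finds it, and that even the rebuilding matcher has to refuse a verdict once the segments overlap or leave a hole, because at that point the receiver's reassembly policy, not the filter, decides which bytes the application sees.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* One TCP segment as the inspector sees it: relative sequence number and
 * payload. Constructed for this example; no real capture behind it. */
struct segment {
    uint32_t seq;
    const char *data;
    size_t len;
};

/* Byte-wise search for pat inside buf; payloads may contain NUL bytes,
 * so strstr() is deliberately not used. */
static int contains(const char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || len < plen)
        return 0;
    for (size_t off = 0; off + plen <= len; off++)
        if (memcmp(buf + off, pat, plen) == 0)
            return 1;
    return 0;
}

/* Per-packet inspection: each segment is searched on its own, which is all
 * a stateless payload match inside a packet filter can do. */
int match_per_packet(const struct segment *segs, size_t n, const char *pat)
{
    for (size_t i = 0; i < n; i++)
        if (contains(segs[i].data, segs[i].len, pat))
            return 1;
    return 0;
}

static int cmp_seq(const void *a, const void *b)
{
    const struct segment *x = a, *y = b;
    return (x->seq > y->seq) - (x->seq < y->seq);
}

/* Stream inspection: order the segments by sequence number, rebuild the
 * byte stream the receiver will assemble, and search that. Returns 1 on a
 * match, 0 on no match, and -1 when the segments leave a gap or overlap:
 * then the bytes the receiver ends up with are ambiguous and no reliable
 * verdict is possible without modelling the receiver's reassembly. */
int match_reassembled(const struct segment *segs, size_t n, const char *pat)
{
    if (n == 0)
        return 0;
    struct segment *sorted = malloc(n * sizeof *sorted);
    if (sorted == NULL)
        return -1;
    memcpy(sorted, segs, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, cmp_seq);

    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += sorted[i].len;
    char *stream = malloc(total ? total : 1);
    if (stream == NULL) {
        free(sorted);
        return -1;
    }

    int rc = 0;
    uint32_t expect = sorted[0].seq;
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (sorted[i].seq != expect) {   /* hole or overlapping retransmit */
            rc = -1;
            break;
        }
        memcpy(stream + pos, sorted[i].data, sorted[i].len);
        pos += sorted[i].len;
        expect += (uint32_t)sorted[i].len;
    }
    if (rc == 0)
        rc = contains(stream, pos, pat);
    free(stream);
    free(sorted);
    return rc;
}

/* Constructed sample: the string "/etc/passwd" split across two segments,
 * delivered in order, out of order, and with one byte missing in between. */
static const char *PATTERN = "/etc/passwd";
static const struct segment split_in_order[]     = { { 0, "cat /etc/pa", 11 }, { 11, "sswd\n", 5 } };
static const struct segment split_out_of_order[] = { { 11, "sswd\n", 5 }, { 0, "cat /etc/pa", 11 } };
static const struct segment with_gap[]           = { { 0, "cat /etc/pa", 11 }, { 12, "swd\n", 4 } };

int demo_per_packet(void)   { return match_per_packet(split_in_order, 2, PATTERN); }
int demo_reassembled(void)  { return match_reassembled(split_in_order, 2, PATTERN); }
int demo_out_of_order(void) { return match_reassembled(split_out_of_order, 2, PATTERN); }
int demo_gap(void)          { return match_reassembled(with_gap, 2, PATTERN); }

int main(void)
{
    printf("per-packet match:        %d\n", demo_per_packet());
    printf("reassembled match:       %d\n", demo_reassembled());
    printf("out-of-order reassembly: %d\n", demo_out_of_order());
    printf("reassembly with a gap:   %d\n", demo_gap());
    return 0;
}
```

The per-packet matcher returns 0 for the split string even though the receiving shell sees `cat /etc/passwd`; the reassembling matcher returns 1 for both arrival orders, and -1 for the gap case rather than guessing. Doing that reassembly properly in a filter means keeping per-connection buffers, handling overlaps the same way every possible receiver does, and deciding when to give up, which is the "exceedingly difficult" part the quoted reply refers to.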
