On Tue, Apr 30, 2013 at 07:14:50PM -0400, Ted Unangst wrote:
> On Wed, May 01, 2013 at 00:16, Franco Fichtner wrote:
> > Yes, I am proposing a lightweight approach: hard-wired regex-like
> > code, no allocations, no reassembly or state machines.  I've seen
> > far worse things being put into kernels and I assure you that I do
> > refrain from putting in anything that could cause segmentation
> > faults, sleeps, or other non-suitable behaviour.
> 
> > And talking about complexity: 1000 LOC for 25 protocols.  I'm afraid
> > it can't be simplified any more than this.
> 
> Well, it's really hard to comment on code we can't see.
> 
> My thoughts on the matter have always been that it would be cool to
> integrate bpf into pf (though other developers surely have other
> opinions). Then you get filtering for as many protocols as you care to
> write bpf matchers for.

My first thought was: why not have something like squid does (ICAP)?
You could forward some inspection to another app, it would return
you some agreed data (a tag), and then you could work with that in
pf rules... ???
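Ted's suggestion of writing bpf matchers per protocol, and Franco's "no allocations, no state machines" constraint, can be made concrete. The following is an added example written for this page; it is not code from this thread, from pf, or from OpenBSD. It is a minimal interpreter for a subset of classic BPF (the instruction layout of struct bpf_insn and the standard opcode values) plus a matcher program that tags an IPv4/TCP frame whose payload begins with "GET ". The frame bytes, the helper names (bpf_run, build_frame, is_http_get) and the HTTP signature are all constructed for the example. Every load is bounds-checked, so a truncated capture is a reject rather than an over-read, which is the property a kernel-side matcher needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF instruction: same layout as struct bpf_insn in <net/bpf.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* The subset of classic BPF opcodes this matcher needs (standard encoding). */
enum {
    LD_W_ABS = 0x20, LD_H_ABS = 0x28, LD_B_ABS = 0x30,  /* A = pkt[k]          */
    LD_W_IND = 0x40, LD_B_IND = 0x50,                   /* A = pkt[X + k]      */
    LDX_MSH  = 0xb1,                                    /* X = 4 * (pkt[k]&0xf)*/
    ADD_X = 0x0c, AND_K = 0x54, RSH_K = 0x74, TAX = 0x07,
    JEQ_K = 0x15, JSET_K = 0x45, RET_K = 0x06
};

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] << 8 | p[1]; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) << 16 | rd16(p + 2); }

/* Run one classic BPF program over one packet.  Returns the program's accept
 * value, or 0 for reject.  Every load is bounds-checked against len, so a
 * short packet is a reject, never an over-read.  No allocation, no state
 * between packets, and the loop is bounded by the program length. */
uint32_t bpf_run(const struct insn *prog, size_t ninsn,
                 const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < ninsn; pc++) {
        const struct insn *i = &prog[pc];
        uint64_t off = i->k;                   /* absolute offset by default */
        switch (i->code) {
        case LD_W_ABS: if (off + 4 > len) return 0; A = rd32(pkt + off); break;
        case LD_H_ABS: if (off + 2 > len) return 0; A = rd16(pkt + off); break;
        case LD_B_ABS: if (off + 1 > len) return 0; A = pkt[off]; break;
        case LD_W_IND: off += X; if (off + 4 > len) return 0; A = rd32(pkt + off); break;
        case LD_B_IND: off += X; if (off + 1 > len) return 0; A = pkt[off]; break;
        case LDX_MSH:  if (off + 1 > len) return 0; X = (pkt[off] & 0x0f) * 4; break;
        case ADD_X:  A += X; break;
        case AND_K:  A &= i->k; break;
        case RSH_K:  A = i->k < 32 ? A >> i->k : 0; break;
        case TAX:    X = A; break;
        case JEQ_K:  pc += (A == i->k) ? i->jt : i->jf; break;  /* loop adds 1 */
        case JSET_K: pc += (A & i->k) ? i->jt : i->jf; break;
        case RET_K:  return i->k;
        default:     return 0;                 /* unknown opcode: reject */
        }
    }
    return 0;                                  /* fell off the end: reject */
}

/* Matcher: Ethernet/IPv4/TCP, first fragment only, payload starts "GET ". */
static const struct insn http_get[] = {
    { LD_H_ABS, 0, 0,  12 },          /*  0: A = ethertype                 */
    { JEQ_K,    0, 13, 0x0800 },      /*  1: IPv4? else -> 15 (reject)     */
    { LD_B_ABS, 0, 0,  23 },          /*  2: A = IP protocol               */
    { JEQ_K,    0, 11, 6 },           /*  3: TCP?  else -> 15              */
    { LD_H_ABS, 0, 0,  20 },          /*  4: A = IP flags/fragment offset  */
    { JSET_K,   9, 0,  0x1fff },      /*  5: non-first fragment -> 15      */
    { LDX_MSH,  0, 0,  14 },          /*  6: X = IP header length          */
    { LD_B_IND, 0, 0,  26 },          /*  7: A = TCP data-offset byte      */
    { AND_K,    0, 0,  0xf0 },        /*  8: keep the 4-bit data offset    */
    { RSH_K,    0, 0,  2 },           /*  9: (doff << 4) >> 2 = doff * 4   */
    { ADD_X,    0, 0,  0 },           /* 10: A = iphl + tcphl              */
    { TAX,      0, 0,  0 },           /* 11: X = payload offset from IP    */
    { LD_W_IND, 0, 0,  14 },          /* 12: A = first 4 payload bytes     */
    { JEQ_K,    0, 1,  0x47455420 },  /* 13: "GET " ? -> 14, else -> 15    */
    { RET_K,    0, 0,  65535 },       /* 14: accept                        */
    { RET_K,    0, 0,  0 },           /* 15: reject                        */
};

/* Build an Ethernet/IPv4/TCP frame (constructed test data; checksums left
 * zero because BPF never looks at them).  Returns the frame length. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t ipproto, const char *payload)
{
    size_t plen = strlen(payload), total = 14 + 20 + 20 + plen;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[12] = 0x08; buf[13] = 0x00;                      /* ethertype IPv4   */
    buf[14] = 0x45;                                      /* v4, ihl 5        */
    buf[16] = (uint8_t)((40 + plen) >> 8); buf[17] = (uint8_t)(40 + plen);
    buf[20] = 0x40;                                      /* DF, frag off 0   */
    buf[22] = 64; buf[23] = ipproto;                     /* TTL, protocol    */
    buf[26] = 10; buf[29] = 1; buf[30] = 10; buf[33] = 2; /* 10.0.0.1->10.0.0.2 */
    buf[34] = 0xc0; buf[37] = 80;                        /* 49152 -> 80      */
    buf[46] = 0x50; buf[47] = 0x18;                      /* doff 5, PSH|ACK  */
    memcpy(buf + 54, payload, plen);
    return total;
}

/* Classify a constructed frame.  clip > 0 evaluates only the first clip
 * bytes, simulating a truncated capture.  Returns 1 if the frame is tagged. */
int is_http_get(uint8_t ipproto, const char *payload, size_t clip)
{
    uint8_t frame[256];
    size_t len = build_frame(frame, sizeof frame, ipproto, payload);
    if (len == 0) return 0;
    if (clip && clip < len) len = clip;
    return bpf_run(http_get, sizeof http_get / sizeof http_get[0], frame, len) != 0;
}

int main(void)
{
    printf("GET   -> %d\n", is_http_get(6,  "GET / HTTP/1.0\r\n", 0));
    printf("POST  -> %d\n", is_http_get(6,  "POST / HTTP/1.0\r\n", 0));
    printf("UDP   -> %d\n", is_http_get(17, "GET / HTTP/1.0\r\n", 0));
    printf("trunc -> %d\n", is_http_get(6,  "GET / HTTP/1.0\r\n", 56));
    return 0;
}
```

The matcher inspects only the first packet's bytes, so anything split across segments (a request whose "GET " straddles a segment boundary, or a non-first fragment) is deliberately not matched rather than guessed at; that is the cost of "no reassembly or state machines". A program like this yields a yes/no per packet, which is exactly the kind of result pf's existing tag/tagged rule keywords are built to consume.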
