
Arbitrary packet matching in PF.



All,
Anyone know if there are plans to expand the pf.conf syntax to be more
powerful? For example, in tcpdump you can do:
  ip[9]>3

to match packets with a TTL > 3

It would have been useful, for instance, to match M$ SQL worm traffic
with something like:
  block in quick proto udp all port 1434 and ip[2:4]=400

I can see this being more powerful than any other filter I know
of (excluding the obscure internal Checkpoint INSPECT code), and it's
obvious enough that someone must have already decided "no" about ?
true? false? RTFM?

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom_(_at_)_devitto_(_dot_)_com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf
Of Henning Brauer
Sent: Friday, February 14, 2003 10:07 AM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: slightly OT: Documentation /howtos [was:sendmail connection
refused]


On Thu, Feb 13, 2003 at 01:32:42PM -0800, Michael wrote:
> >If people mailed in more 2 line changes to manual pages, the howto's 
> >would not be needed.
> 
> Now maybe this is one of those "can't see the forest for all the
> trees" things, but I for one have no idea where to send such an eMail.
> If others are similarly in the dark, perhaps that is why you don't get
> more changes submitted?

sendbug(1) is fine in general.

if you already know a developer in charge of that particular page you
can also mail him directly.

-- 
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)


