Application proxies

- We do not put L7 protocols or NAT helpers in the kernel!
- Parsing application protocols is difficult and error-prone.
- The risk of running privileged code in the kernel is too high.
- A no-no: people keep on doing scary diffs for PF L7 stuff in the kernel.
- Implemented as userland proxies, as found in OpenBSD base: ftp-proxy, tftp-proxy, spamd, relayd.
- All of them have a sane security model with reduced privileges.
- They need fast and usable interfaces with the kernel.
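
To illustrate why application-protocol parsing is error-prone and belongs in an unprivileged userland process, here is an added example (not code from the slides or from OpenBSD's ftp-proxy) of the strict validation needed just for the argument of an FTP PORT command. The function name and the minimum-port policy are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper: parse the argument of an FTP PORT command,
 * "h1,h2,h3,h4,p1,p2" (RFC 959), rejecting anything not exactly in
 * that form. Returns 0 on success, -1 on malformed or refused input.
 * Outputs are written only on success. */
int parse_ftp_port_arg(const char *s, uint32_t *addr, uint16_t *port)
{
    unsigned int field[6];
    unsigned int p;
    size_t i;

    if (s == NULL || addr == NULL || port == NULL)
        return -1;

    for (i = 0; i < 6; i++) {
        unsigned int v = 0;
        int digits = 0;

        /* Each field: 1 to 3 decimal digits, no sign, no whitespace. */
        while (isdigit((unsigned char)*s)) {
            if (++digits > 3)
                return -1;          /* bounds v, so no integer overflow */
            v = v * 10 + (unsigned int)(*s - '0');
            s++;
        }
        if (digits == 0 || v > 255)
            return -1;
        field[i] = v;

        /* Exactly one comma between fields. */
        if (i < 5 && *s++ != ',')
            return -1;
    }
    if (*s != '\0')                 /* no trailing bytes after p2 */
        return -1;

    /* Assumed policy for this example: refuse port 0 and ports < 1024. */
    p = field[4] << 8 | field[5];
    if (p < 1024)
        return -1;

    *addr = (uint32_t)field[0] << 24 | field[1] << 16 | field[2] << 8 | field[3];
    *port = (uint16_t)p;
    return 0;
}
```

Even this one field needs bounds, length, separator and policy checks; a mistake here in a chrooted, unprivileged proxy is far less costly than the same mistake in kernel code.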