From: Max Laier
To: sam wun
Cc: freebsd-pf@freebsd.org
Date: Sun, 19 Dec 2004 06:33:14 +0100
Subject: Re: DIOCCHANGERULE may be used in PF?

On Sunday 19 December 2004 05:54, sam wun wrote:
> I'm not sure whether ssp_pf.c file should use DIOCADDADDR instead of
> DIOCCHANGERULE.

ssp_pf.c ?!?

> As I looked into authpf.c file in function add_pool(), authpf only uses
> DIOCADDADDR for adding new rule to PF.

DIOCADDADDR does *not* add a rule. DIOCADDRULE does that (and a subsequent
DIOCCOMMITRULES).

> I also want to find out where DIOCCHANGERULE is used in PF, but
> nothing is found except in the man page:
> # cd src/contrib/pf
> # grep -r DIOCCHANGERULE *
> man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
> man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
> man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
>
> DIOCCHANGERULE may not be used. If I want to add new rule in PF, I may
> need to use DIOCADDADDR rather than DIOCCHANGERULE.
>
> Any comment?

erm? I am having a hard time understanding what you mean.

DIOCCHANGERULE works and may be used, but it is not easy to use. It is much
easier to have an anchor and add new rules into that anchor as a complete
ruleset. This is how it's done in authpf and spamd. Otherwise you have to
keep track of too many things. None of the default pf tools uses
DIOCCHANGERULE as it is not convenient to change rules. As rulesets can be
committed atomically it's much easier to replace a ruleset completely or to
use anchors.

Anchors are the way to go most of the time. Look at authpf(8) for details.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
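
Added example, not part of the original message and not code from authpf or spamd: the "replace the anchor's ruleset completely" approach described in the reply, done with pfctl(8) instead of the raw ioctls. The anchor name `dynhosts`, the interface `em0`, the sample addresses and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: replace the whole ruleset of one pf anchor in a single load
# instead of editing individual rules with DIOCCHANGERULE.
# Assumptions (not from the thread): anchor "dynhosts", interface "em0", and
# a main pf.conf that already contains the line:  anchor "dynhosts"
ANCHOR="dynhosts"
EXT_IF="em0"

# Accept only dotted-quad IPv4 addresses, so caller-supplied input can never
# smuggle extra pf.conf syntax into the generated ruleset.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit the complete ruleset for the anchor: one pass rule per allowed host.
# Fails without printing any rules if a single address is invalid.
build_ruleset() {
    rules=""
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejecting invalid address: $ip" >&2; return 1; }
        rules="${rules}pass in quick on ${EXT_IF} from ${ip} to any keep state
"
    done
    printf '%s' "$rules"
}

# Parse-check first (-n), then load. The load replaces everything inside the
# anchor in one commit; rules outside the anchor are left untouched.
load_anchor() {
    ruleset=$(build_ruleset "$@") || return 1
    printf '%s\n' "$ruleset" | pfctl -a "$ANCHOR" -n -f - || return 1
    printf '%s\n' "$ruleset" | pfctl -a "$ANCHOR" -f -
}

# Usage (as root):  load_anchor 192.0.2.10 192.0.2.11
# Inspect result:   pfctl -a dynhosts -s rules
```

Because every call reloads the anchor from the full host list, the caller only tracks the list itself, not rule numbers or tickets.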