Date: Sun, 19 Dec 2004 06:33:14 +0100
From: Max Laier <max@love2party.net>
To: sam wun <sam.wun@authtec.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: DIOCCHANGERULE may be used in PF?
Message-ID: <200412190633.24331.max@love2party.net>
In-Reply-To: <41C5097B.5020606@authtec.com>
References: <41C3B6CE.4080704@authtec.com> <200412181714.51674.max@love2party.net> <41C5097B.5020606@authtec.com>

On Sunday 19 December 2004 05:54, sam wun wrote:
> I'm not sure whether ssp_pf.c file should use DIOCADDADDR instead of
> DIOCCHANGERULE.

ssp_pf.c ?!?

> As I looked into authpf.c file in function add_pool(), authpf only use
> DIOCADDADDR for adding new rule to PF.

DIOCADDADDR does *not* add a rule. DIOCADDRULE does that (and a subsequent
DIOCCOMMITRULES).

> I also want to find out where does DIOCCHANGERULE used in PF, but
> nothing is found except in the man page:
> # cd src/contrib/pf
> # grep -r DIOCCHANGERULE *
> man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
> man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
> man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
>
> DIOCCHANGERULE may not be used. If I want to add new rule in PF, I may
> be need to use DIOCADDADDR rather than DIOCCHANGERULE.
>
> Any comment?

erm? I am having a hard time understanding what you mean. DIOCCHANGERULE works
and may be used, but it is not easy to use. It is much easier to have an
anchor and add new rules into that anchor as a complete ruleset. This is how
it's done in authpf and spamd. Otherwise you have to keep track of too many
things.

None of the default pf tools uses DIOCCHANGERULE as it is not convenient to
change rules. As rulesets can be committed atomically it's much easier to
replace a ruleset completely or to use anchors. Anchors are the way to go most
of the time. Look at authpf(8) for details.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
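
The anchor approach recommended in the message above, as an added example that is not part of the original e-mail or of authpf/spamd: a shell sketch that regenerates the complete ruleset for one anchor and loads it with pfctl's -a, -f and -n options. The anchor name, interface, port and addresses are constructed sample values, and the main pf.conf is assumed to reference the anchor.

```shell
#!/bin/sh
# Added example: replace the whole ruleset of one pf anchor in a single load
# instead of editing individual rules in place.

ANCHOR="dynamic_clients"  # hypothetical anchor; pf.conf must reference it
EXT_IF="em0"              # hypothetical interface name

# Accept only dotted-quad IPv4 so untrusted input cannot smuggle rule text.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest="$1." count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        count=$((count + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Emit the complete ruleset for the anchor: one rule per allowed client.
# Every address is validated before anything is printed, so a bad entry
# never produces a partial ruleset.
build_rules() {
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "rejected address: $addr" >&2; return 1; }
    done
    for addr in "$@"; do
        echo "pass in quick on $EXT_IF proto tcp from $addr to any port 22 keep state"
    done
}

# Load the generated rules into the anchor. The anchor's ruleset is replaced
# as a unit, so nothing has to track individual rule numbers.
# With DRY_RUN=1, pfctl -n only parses the rules and loads nothing.
load_anchor() {
    rules=$(build_rules "$@") || return 1
    printf '%s\n' "$rules" | pfctl ${DRY_RUN:+-n} -a "$ANCHOR" -f -
}

# Usage on a host running pf (needs root):
#   DRY_RUN=1 load_anchor 192.0.2.10 198.51.100.7   # syntax check only
#   load_anchor 192.0.2.10 198.51.100.7             # replace anchor rules
```

Calling load_anchor again with a different address list replaces the previous rules in that anchor; the main ruleset is not touched.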
