DIOCCHANGERULE may be used in PF?
Max Laier
max at love2party.net
Sat Dec 18 21:36:47 PST 2004
On Sunday 19 December 2004 05:54, sam wun wrote:
> I'm not sure whether the ssp_pf.c file should use DIOCADDADDR instead of
> DIOCCHANGERULE.
ssp_pf.c ?!?
> As I looked into the authpf.c file, in function add_pool(), authpf only uses
> DIOCADDADDR for adding a new rule to PF.
DIOCADDADDR does *not* add a rule. DIOCADDRULE does that (and a subsequent
DIOCCOMMITRULES).
> I also want to find out where DIOCCHANGERULE is used in PF, but
> nothing is found except in the man page:
> # cd src/contrib/pf
> # grep -r DIOCCHANGERULE *
> man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
> man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
> man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
>
> DIOCCHANGERULE may not be used. If I want to add a new rule in PF, I may
> need to use DIOCADDADDR rather than DIOCCHANGERULE.
>
> Any comment?
erm? I am having a hard time understanding what you mean.
DIOCCHANGERULE works and may be used, but it is not easy to use. It is much
easier to have an anchor and add new rules into that anchor as a complete
ruleset. This is how it's done in authpf and spamd. Otherwise you have to
keep track of too many things. None of the default pf tools use DIOCCHANGERULE
as it is not convenient to change rules. As rulesets can be committed
atomically it's much easier to replace a ruleset completely or to use
anchors.
Anchors are the way to go most of the time. Look at authpf(8) for details.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News