Re: git: 324fd7ec4043 - main - libpfctl: introduce a handle-enabled variant of pfctl_add_rule()

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 04 Jan 2024 22:42:37 UTC
On 4 Jan 2024, at 23:19, Jessica Clarke wrote:
> On 4 Jan 2024, at 22:11, Kristof Provost <kp@FreeBSD.org> wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=324fd7ec40439e6b3916429a69956d7acf74eb19
>>
>> commit 324fd7ec40439e6b3916429a69956d7acf74eb19
>> Author:     Kristof Provost <kp@FreeBSD.org>
>> AuthorDate: 2024-01-04 12:45:56 +0000
>> Commit:     Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2024-01-04 22:10:44 +0000
>>
>>    libpfctl: introduce a handle-enabled variant of pfctl_add_rule()
>>
>>    Introduce pfctl_add_rule_h(), which takes a pfctl_handle rather than a
>>    file descriptor (which it didn't use). This means that library users can
>>    open the handle while they're running as root, but later drop privileges
>>    and still add rules to pf.
>
> Given libpfctl is an INTERNALLIB, why do we need to care about this
> compatibility (and live with this cruft) instead of just changing
> pfctl_add_rule to the new thing?
>
There’s also a ports version of libpfctl, which copies the libpfctl code and builds it for port consumption.
I didn’t want to turn libpfctl into a stable abi/api in the src tree, but ports do need something to use. We don’t want them to have to care about nvlists or netlink.

Given that it’s external we can have different code there, but I don’t want to make maintaining the external versions harder than it needs to be.

Best regards,
Kristof
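The open-while-root, drop-later ordering that the commit message gives as the reason for pfctl_add_rule_h(), as an added example that is not part of this thread or of libpfctl: a plain file (constructed here as /dev/null) stands in for the pf device, and fw_open, drop_privileges and open_then_drop_demo are hypothetical names, not libpfctl functions. The point it shows is that a handle obtained while privileged stays usable after privileges are dropped, and that the drop is checked to be irrevocable before the program continues.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
/* Added example of the "open while privileged, then drop privileges" pattern
 * described in the commit message. Not libpfctl code: the pf device is stood
 * in for by a plain file so the example runs anywhere. */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for struct pfctl_handle: owns the device descriptor. */
struct fw_handle {
    int dev;
};

/* Open the device. In the real pattern this runs while still root. */
struct fw_handle *fw_open(const char *path)
{
    struct fw_handle *h = calloc(1, sizeof(*h));
    if (h == NULL)
        return NULL;
    h->dev = open(path, O_RDWR);
    if (h->dev < 0) {
        free(h);
        return NULL;
    }
    return h;
}

/* The already-open descriptor is still valid after the privilege drop. */
int fw_handle_usable(const struct fw_handle *h)
{
    struct stat st;
    return h != NULL && fstat(h->dev, &st) == 0;
}

void fw_close(struct fw_handle *h)
{
    if (h != NULL) {
        close(h->dev);
        free(h);
    }
}

/* Irrevocably drop to uid/gid and verify the drop took effect.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only root may call setgroups(). */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: after setuid() we could no longer change the gid. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify every id matches what was requested. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Fail closed if root could be regained (saved uid still 0). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Open first, drop second, then use the handle. Drops to the caller's own
 * real ids so it also runs unprivileged. Returns 0 on success, -1 otherwise. */
int open_then_drop_demo(const char *path)
{
    struct fw_handle *h = fw_open(path);
    if (h == NULL)
        return -1;
    if (drop_privileges(getuid(), getgid()) != 0) {
        fw_close(h);
        return -1;
    }
    int ok = fw_handle_usable(h); /* the handle survives the drop */
    fw_close(h);
    return ok ? 0 : -1;
}

int main(void)
{
    /* "/dev/null" is a constructed stand-in for the pf device path. */
    if (open_then_drop_demo("/dev/null") != 0) {
        perror("open_then_drop_demo");
        return 1;
    }
    printf("handle still usable after dropping to uid %u\n", (unsigned)getuid());
    return 0;
}
```

Opening the device before the drop is the whole trick: once the ids are changed, a fresh open of the pf device would be refused, but the descriptor already held keeps its access rights, which is exactly why a handle-taking pfctl_add_rule_h() lets a daemon shed root before it starts adding rules.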