Date: Sun, 19 Dec 2004 13:45:52 +0800
From: sam wun <sam.wun@authtec.com>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: DIOCCHANGERULE may be used in PF?
Message-ID: <41C51590.2000303@authtec.com>
In-Reply-To: <200412190633.24331.max@love2party.net>
References: <41C3B6CE.4080704@authtec.com> <200412181714.51674.max@love2party.net> <41C5097B.5020606@authtec.com> <200412190633.24331.max@love2party.net>
Max Laier wrote:
> On Sunday 19 December 2004 05:54, sam wun wrote:
>
>> I'm not sure whether the ssp_pf.c file should use DIOCADDADDR instead of
>> DIOCCHANGERULE.
>>
>> Sorry for the typos, I mean DIOCADDRULE.
>
> ssp_pf.c ?!?
>

Sorry to publish this file. This is a specific file in a plugin program I
use. It currently has a few problems; I'm trying to fix them.

>> As I looked into the authpf.c file, in function add_pool(), authpf only uses
>> DIOCADDADDR for adding new rules to PF.
>
> DIOCADDADDR does *not* add a rule. DIOCADDRULE does that (and a subsequent
> DIOCCOMMITRULES).
>

Yeah, I need to change it to DIOCADDRULE; a mistake I made when I did a copy
and paste. And I forgot the use of DIOCCOMMITRULES. Does DIOCCOMMITRULES
get invoked each time when calling DIOCADDRULE?

>> I also want to find out where DIOCCHANGERULE is used in PF, but
>> nothing is found except in the man page:
>> # cd src/contrib/pf
>> # grep -r DIOCCHANGERULE *
>> man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
>> man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
>> man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
>>
>> DIOCCHANGERULE may not be used. If I want to add a new rule in PF, I may
>> need to use DIOCADDADDR rather than DIOCCHANGERULE.
>>
>> Any comment?
>
> erm? I am having a hard time understanding what you mean.

You may have understood more about my question now. Sorry for the typos again.

> DIOCCHANGERULE works and may be used, but it is not easy to use. It is much
> easier to have an anchor and add new rules into that anchor as a complete
> ruleset. This is how it's done in authpf and spamd. Otherwise you have to
> keep track of too many things. None of the default pf tools uses DIOCCHANGERULE
> as it is not convenient to change rules. As rulesets can be committed
> atomically it's much easier to replace a ruleset completely or to use
> anchors.

This may be the problem with the original ssp_pf.c file: it used DIOCCHANGERULE
throughout the entire operation of adding rules. As you said, I will need to
use DIOCADDRULE and DIOCCOMMITRULES for adding new rules to PF.

> Anchors are the way to go most of the time. Look at authpf(8) for details.

Yeah, I found this is a very good reference to look at.

Thanks
Sam
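The pattern Max recommends in this thread (keep each client's rules in its own anchor and replace that anchor's ruleset as a whole, the way authpf(8) does, rather than editing rules in place with DIOCCHANGERULE), as an added example that is not part of the thread, of ssp_pf.c, or of authpf's own code. It drives pf through pfctl(8) instead of the raw ioctls discussed above: `pfctl -a <anchor> -f -` performs the DIOCADDRULE-per-rule-then-commit sequence for the anchor in one transaction. The anchor prefix `ssp`, the `valid_user`/`valid_ipv4` helpers, the rule bodies and the use of current nested-anchor syntax (`anchor "ssp/*"` in the main ruleset) are assumptions made for this example, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from this thread, from ssp_pf.c or from authpf(8).
# One anchor per client; the client's rules are loaded into that anchor as a
# complete ruleset that replaces the previous one, so nothing is ever
# "changed" in place.  pfctl(8) does the DIOCADDRULE-per-rule plus commit.
#
# Assumptions (not from the thread): a current pf with nested anchors, a main
# ruleset that already contains   anchor "ssp/*"   so per-client anchors are
# evaluated, pfctl in PATH, and the anchor prefix "ssp" chosen for this example.

ANCHOR_PREFIX="ssp"

# The user name becomes part of the anchor name and a rule label; restrict it
# so a crafted name cannot escape into the rule text or address another anchor.
valid_user() {
    case "$1" in
        ''|*..*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Basic dotted-quad shape check for the address interpolated into the rules
# (shape only; it does not range-check the octets).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the complete ruleset for one client.  Because the whole anchor is
# replaced on every load, there is no rule to edit later, only a ruleset to
# reload or flush.
client_ruleset() {
    user="$1"; ip="$2"
    printf 'pass in quick from %s to any keep state label "%s"\n' "$ip" "$user"
    printf 'pass out quick from any to %s keep state label "%s"\n' "$ip" "$user"
}

# Load (or atomically replace) the client's anchor.  "-f -" makes pfctl read
# the ruleset from stdin; it adds each rule and commits the anchor as a unit.
load_client() {
    user="$1"; ip="$2"
    valid_user "$user" || { echo "bad user name: $user" >&2; return 1; }
    valid_ipv4 "$ip"   || { echo "bad address: $ip" >&2; return 1; }
    client_ruleset "$user" "$ip" | pfctl -a "$ANCHOR_PREFIX/$user" -f -
}

# Remove the client: flush the anchor's rules, then kill the client's existing
# states, since flushing rules does not tear down states already established.
unload_client() {
    user="$1"; ip="$2"
    valid_user "$user" || return 1
    valid_ipv4 "$ip"   || return 1
    pfctl -a "$ANCHOR_PREFIX/$user" -F rules && pfctl -k "$ip"
}

# Usage (as root on the pf host):
#   load_client alice 192.0.2.10
#   unload_client alice 192.0.2.10
```

The validation helpers matter because both the user name and the address are spliced into text that pfctl parses as a ruleset and into the anchor name passed to `-a`; without them a caller-controlled name could smuggle extra rules or target a different anchor.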