DIOCCHANGERULE may be used in PF?
sam wun
sam.wun at authtec.com
Sat Dec 18 21:46:37 PST 2004
Max Laier wrote:
>On Sunday 19 December 2004 05:54, sam wun wrote:
>
>
>>I'm not sure whether the ssp_pf.c file should use DIOCADDADDR instead of
>>DIOCCHANGERULE.
>>
>>
Sorry for the typos, I mean DIOCADDRULE.
>
>ssp_pf.c ?!?
>
>
>
Sorry to publish this file. This is a specific file in a plugin program
I used. It currently has a few problems; I'm trying to fix it.
>>As I looked into the authpf.c file in function add_pool(), authpf only uses
>>DIOCADDADDR for adding a new rule to PF.
>>
>>
>
>DIOCADDADDR does *not* add a rule. DIOCADDRULE does that (and a subsequent
>DIOCCOMMITRULES).
>
>
>
Yeah, I need to change it to DIOCADDRULE; that was a mistake from a copy
and paste.
And I forgot the use of DIOCCOMMITRULES. Does DIOCCOMMITRULES get
invoked each time DIOCADDRULE is called?
>>I also want to find out where DIOCCHANGERULE is used in PF, but
>>nothing is found except in the man page:
>># cd src/contrib/pf
>># grep -r DIOCCHANGERULE *
>>man/pf.4:for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
>>man/pf.4:DIOCADDRULE or DIOCCHANGERULE call.
>>man/pf.4:.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
>>
>>DIOCCHANGERULE may not be used. If I want to add a new rule in PF, I may
>>need to use DIOCADDADDR rather than DIOCCHANGERULE.
>>
>>Any comment?
>>
>>
>
>erm? I am having a hard time understanding what you mean.
>
>
You may have understood my question better now. Sorry for the
typos again.
>DIOCCHANGERULE works and may be used, but it is not easy to use. It is much
>easier to have an anchor and add new rules into that anchor as a complete
>ruleset. This is how it's done in authpf and spamd. Otherwise you have to
>keep track of too many things. None of the default pf tools uses DIOCCHANGERULE
>as it is not convenient to change rules. As rulesets can be committed
>atomically it's much easier to replace a ruleset completely or to use
>anchors.
>
>
>
This may be the problem with the original ssp_pf.c file: it used
DIOCCHANGERULE throughout the entire operation of adding rules.
As you said, I will need to use DIOCADDRULE and DIOCCOMMITRULES for
adding new rules to PF.
>Anchors are the way to go most of the time. Look at authpf(8) for details.
>
>
>
Yeah, I found this to be a very good reference to look at.
Thanks
Sam
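The anchor approach recommended in the thread, as an added example that is not part of the original mails or of ssp_pf.c: each client gets its own sub-anchor, and the whole sub-anchor ruleset is replaced atomically with pfctl instead of editing rules in place with DIOCCHANGERULE. It assumes a hypothetical anchor name "ssp" that is already referenced from the main pf.conf as `anchor "ssp/*"`; the client address and port are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): per-client sub-anchors whose
# complete ruleset is replaced in one pfctl transaction, which is the
# "replace a ruleset completely or use anchors" pattern from the reply.
# Assumes pf.conf already contains:  anchor "ssp/*"
# Usage: ssp_allow <client-ip> <tcp-port> ; ssp_revoke <client-ip>

ANCHOR_BASE="ssp"   # hypothetical anchor name; must match pf.conf

# Render the complete per-client ruleset as text (what `pfctl -f -` reads).
# Every load replaces the previous contents of the sub-anchor as a whole,
# so there is never a need to change an individual rule in place.
ssp_ruleset() {
    client="$1"; port="$2"
    printf 'pass in quick proto tcp from %s to any port %s keep state\n' "$client" "$port"
    printf 'block in quick from %s to any\n' "$client"
}

# Name of the per-client sub-anchor, e.g. ssp/192.0.2.10
ssp_anchor_name() {
    printf '%s/%s\n' "$ANCHOR_BASE" "$1"
}

# Load (or atomically replace) the client's ruleset. pfctl performs the
# begin/add/commit ioctl sequence on /dev/pf on our behalf.
ssp_allow() {
    ssp_ruleset "$1" "$2" | pfctl -q -a "$(ssp_anchor_name "$1")" -f -
}

# Revoke access by flushing the rules in the client's sub-anchor.
ssp_revoke() {
    pfctl -q -a "$(ssp_anchor_name "$1")" -F rules
}
```

Only ssp_allow and ssp_revoke touch pf; ssp_ruleset can be run anywhere to inspect the text that would be loaded.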