On Thu, Jan 09, 2003 at 09:27:01PM +0100, Srebrenko Sehic wrote:

> Didn't know that. So, authpf can insert rules on the fly using anchors, but is
> this possible with arbitrary applications? Say I want my snort box to insert
> filter rules into pf, by sending a message (something like
> 'block 192.168.0.1') to a daemon running on my pf fw and have the daemon
> translate that into rules which can be added to the filter/anchor.

You could just pipe the rules into pfctl -a foo:bar -f -, which then
parses them and loads them into the kernel, yes.

The command line interface of pfctl doesn't change much (at least not
existing switches), so that would cause less adjustments when the ioctl
interface to pf changes.

As for a library, that would only make sense if it were an additional
abstraction layer somewhere between pf(4) ioctls and pfctl command line.
Whether you find a level that changes less often than pf(4) but is more
generic than pfctl decides how useful it would be. If it changes with
each pf(4) change, it will just be another piece in the puzzle to update
every time, increasing the amount of work caused by changes.

I don't suggest that userland tools like libdnet, pftop, symon, etc.
should immediately adjust to all -current changes in pf. It's probably
enough if they just provide one working source for each OpenBSD
-release/-stable.

If you want an update to -current, mail me, I'll happily adjust your
source to -current. It causes me less work to adjust a handful of userland
tools than maintaining a library. :)

Daniel
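The approach described above (a small daemon that turns messages such as 'block 192.168.0.1' into rules and pipes them into `pfctl -a ANCHOR -f -`), written out as an added example that is not part of the original thread or of pf/pfctl. It validates each message before building a rule, so that a message cannot smuggle extra pf syntax into the anchor. The anchor name "snort", the message format, the rule form "block in quick from ADDR to any" and the `PFCTL` override are assumptions made for this example; the anchor name must follow whatever form the installed pf version expects (the thread's era used `foo:bar`).

```shell
#!/bin/sh
# Added example, not code from the thread: translate 'block ADDR' messages read
# on stdin into pf rules and load them into an anchor with "pfctl -a ANCHOR -f -".
# Assumptions: anchor name "snort" (hypothetical) and pfctl in PATH; set PFCTL=cat
# for a dry run that only prints the generated rules.

ANCHOR="${ANCHOR:-snort}"
PFCTL="${PFCTL:-pfctl}"
set -f   # no pathname expansion, so "set -- $msg" never expands a stray '*'

# is_ipv4 ADDR: succeeds only for a dotted quad whose four octets are 0-255.
# Hostnames, CIDR prefixes and rule fragments are rejected; the subshell keeps
# the IFS change local to this function.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) exit 1 ;;
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# msg_to_rule 'block ADDR': prints one pf rule for a well-formed message and
# returns 0; prints nothing and returns 1 for anything else.
msg_to_rule() {
    set -- $1                      # split the message on whitespace
    [ $# -eq 2 ] || return 1       # exactly: verb address
    case $1 in
        block)
            is_ipv4 "$2" || return 1
            printf 'block in quick from %s to any\n' "$2"
            ;;
        *)
            return 1               # only "block" is understood here
            ;;
    esac
}

# load_rules: read messages on stdin, keep the valid ones, and replace the
# anchor's rule set in a single pfctl call; rejected messages go to stderr.
load_rules() {
    while IFS= read -r msg; do
        msg_to_rule "$msg" || printf 'rejected: %s\n' "$msg" >&2
    done | "$PFCTL" -a "$ANCHOR" -f -
}

# Usage:  printf 'block 192.168.0.1\n' | ./translate.sh --run
# Dry run: printf 'block 192.168.0.1\n' | PFCTL=cat ./translate.sh --run
if [ "${1:-}" = "--run" ]; then
    load_rules
fi
```

In a real deployment the script would sit behind whatever transport the daemon uses (a FIFO, a unix socket, inetd); the point of `msg_to_rule` is that every rule handed to pfctl is built from a validated address rather than from the message text itself.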
