Hi David,

On Tue, Apr 24, 2012 at 11:46:52AM -0700, David Birdsong wrote:
> i'm not seeing my response that I swear I sent last night...

I swear I didn't see it :-)

> yes, this would solve our issues and would be very, very useful.

OK, I'll have to think about it. Now I remember what the hard part was: an ACL is a list of possible expressions, and each expression supports multiple pattern sources. On the socket we could only reload one pattern source of one type at a time, of course. So the complexity comes in naming what we want to reload. For instance:

    acl bad_guys src 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3
    acl bad_guys hdr_ip(x-forwarded-for) 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3
    acl bad_guys hdr_ip(x-forwarded-for) -f manual.lst -f automatic.lst

Now when trying to reload the "bad_guys" ACL, in fact we'd like to reload one of the files. Probably we should find a way to name a specific expression (one ACL statement) that will have to be reloaded, I don't know. Or maybe, as a first step, we could reject reload requests for ACLs that have more than one statement.

I also remember that some pattern parsing errors were sent to stderr and will have to be disabled when fed this way.

In summary, nothing terribly complex but nothing trivial either.

Regards,
Willy
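The structure described in the mail (one ACL name, several statements, several pattern sources per statement) and the two ways of resolving the reload ambiguity (name the file, or reject ACLs with more than one statement) as an added model in Python. This is not HAProxy code; the function names (build_acl, reload_acl, acl_matches, AmbiguousReload), the in-memory stand-ins for manual.lst and automatic.lst, and the sample addresses are assumptions made for the example. Parse errors are returned to the socket caller instead of going to stderr, and the running pattern list is only swapped when the whole file parsed cleanly.

```python
"""Model of HAProxy-style ACLs: one name -> several statements -> several
pattern sources (inline patterns or -f files). Shows why "reload bad_guys"
is ambiguous and how naming the file resolves it. Example code, not HAProxy."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PatternSource:
    origin: str                                   # "inline" or the -f file name
    patterns: list = field(default_factory=list)  # parsed ip_network objects


@dataclass
class AclExpr:
    fetch: str        # "src", "hdr_ip(x-forwarded-for)", ...
    sources: list     # list of PatternSource


def parse_ip_patterns(text):
    """Parse one pattern file body. Errors are collected and returned to the
    caller (the socket client) rather than written to stderr."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return nets, errors


def build_acl(acl_lines, files):
    """Build {name: [AclExpr, ...]} from 'acl <name> <fetch> <pattern|-f file>...'
    lines. `files` maps a file name to its contents (constructed in-memory here)."""
    acls = {}
    for line in acl_lines:
        _, name, fetch, *args = line.split()
        inline, sources, i = PatternSource("inline"), [], 0
        while i < len(args):
            if args[i] == "-f":
                nets, errors = parse_ip_patterns(files[args[i + 1]])
                if errors:
                    raise ValueError(f"{args[i + 1]}: {errors}")
                sources.append(PatternSource(args[i + 1], nets))
                i += 2
            else:
                inline.patterns.append(ipaddress.ip_network(args[i], strict=False))
                i += 1
        if inline.patterns:
            sources.insert(0, inline)
        acls.setdefault(name, []).append(AclExpr(fetch, sources))
    return acls


class AmbiguousReload(Exception):
    """The request does not designate exactly one pattern source."""


def reload_acl(acls, name, files, filename=None):
    """Reload one pattern file of one ACL. Without a file name, only an ACL made
    of a single statement with a single file source is accepted (the conservative
    first step from the mail). Returns parse errors; on error nothing changes."""
    exprs = acls[name]
    candidates = [s for e in exprs for s in e.sources
                  if s.origin != "inline" and (filename is None or s.origin == filename)]
    if filename is None and (len(exprs) > 1 or len(candidates) != 1):
        raise AmbiguousReload(f"acl {name!r} has several statements/sources; name the file")
    if len(candidates) != 1:
        raise AmbiguousReload(f"{filename!r} referenced {len(candidates)} times in {name!r}")
    nets, errors = parse_ip_patterns(files[candidates[0].origin])
    if not errors:
        candidates[0].patterns = nets   # whole list swapped in at once, never half a file
    return errors


def acl_matches(acls, name, fetches):
    """An ACL matches when any of its statements matches (statements are ORed).
    `fetches` maps a fetch name to the sampled IP address string."""
    for expr in acls[name]:
        value = fetches.get(expr.fetch)
        if value is None:
            continue
        addr = ipaddress.ip_address(value)
        if any(addr in net for src in expr.sources for net in src.patterns):
            return True
    return False


# Constructed sample: the three statements from the mail plus two small files.
CONFIG = [
    "acl bad_guys src 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3",
    "acl bad_guys hdr_ip(x-forwarded-for) 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3",
    "acl bad_guys hdr_ip(x-forwarded-for) -f manual.lst -f automatic.lst",
]
FILES = {"manual.lst": "198.51.100.0/24\n", "automatic.lst": "203.0.113.7\n"}


def demo():
    acls = build_acl(CONFIG, FILES)
    xff = {"hdr_ip(x-forwarded-for)": "203.0.113.7"}
    before = acl_matches(acls, "bad_guys", xff)            # listed in automatic.lst
    try:
        reload_acl(acls, "bad_guys", FILES)                 # three statements: ambiguous
        ambiguous = False
    except AmbiguousReload:
        ambiguous = True
    bad = dict(FILES, **{"automatic.lst": "203.0.113.9\nnot-an-ip\n"})
    errors = reload_acl(acls, "bad_guys", bad, "automatic.lst")
    still = acl_matches(acls, "bad_guys", xff)             # bad file rejected, old list kept
    good = dict(FILES, **{"automatic.lst": "203.0.113.9\n"})
    reload_acl(acls, "bad_guys", good, "automatic.lst")
    after = acl_matches(acls, "bad_guys", xff)             # 203.0.113.7 no longer listed
    new = acl_matches(acls, "bad_guys", {"hdr_ip(x-forwarded-for)": "203.0.113.9"})
    return before, ambiguous, len(errors), still, after, new


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping when doing this for real: a reload request must designate one pattern source unambiguously (here by ACL name plus file name, with a refusal when the file is referenced more than once), and a file with a single bad line must not be half-applied, otherwise a typo in a blocklist silently drops the rest of the list. For reference, the ACL commands HAProxy later added on the stats socket (show/add/del/clear acl) address a pattern reference by its file name or by the `#<id>` printed by `show acl`, which is the same naming this model makes explicit.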