Hi David,

On Tue, Apr 24, 2012 at 11:46:52AM -0700, David Birdsong wrote:
> I'm not seeing my response that I swear I sent last night...

I swear I didn't see it :-)

> yes, this would solve our issues and would be very, very useful.

OK, I'll have to think about it. Now I remember what the hard part
was: an ACL is a list of possible expressions, and each expression
supports multiple pattern sources. On the socket we could only reload
one pattern source of one type at a time, of course. So the complexity
comes in naming what we want to reload. For instance:

      acl bad_guys src 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3 
      acl bad_guys hdr_ip(x-forwarded-for) 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3 
      acl bad_guys hdr_ip(x-forwarded-for) -f manual.lst -f automatic.lst

Now when trying to reload the "bad_guys" ACL, in fact we'd like to reload one
of the files. Probably we should find a way to name a specific expression
(one ACL statement) that will have to be reloaded, I don't know. Or maybe at
first we could reject reload requests for ACLs that have more than one
statement.

I also remember that some pattern parsing errors were sent to stderr and will
have to be disabled when fed this way. In summary, nothing terribly complex
but nothing trivial either.

Regards,
Willy
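A small model of the naming problem described above, added here as an example (it is not HAProxy code and not from the thread): it groups the "acl" statements by name, as the three "bad_guys" lines show, and applies the conservative rule of refusing a reload when the name is ambiguous. The config text and the "blocked" ACL are constructed sample input.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample; the three bad_guys lines mirror the ones in the mail.
SAMPLE_CONFIG = """
acl bad_guys src 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3
acl bad_guys hdr_ip(x-forwarded-for) 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3
acl bad_guys hdr_ip(x-forwarded-for) -f manual.lst -f automatic.lst
acl blocked src -f blocked.lst
"""

def parse_acls(config: str) -> Dict[str, List[dict]]:
    """Group 'acl' statements by name; each has inline patterns and/or -f files."""
    acls: Dict[str, List[dict]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "acl":
            continue
        expr = {"fetch": parts[2], "inline": [], "files": []}
        args = parts[3:]
        i = 0
        while i < len(args):
            if args[i] == "-f" and i + 1 < len(args):
                expr["files"].append(args[i + 1])   # file-backed pattern source
                i += 2
            else:
                expr["inline"].append(args[i])      # inline pattern
                i += 1
        acls.setdefault(parts[1], []).append(expr)
    return acls

def reload_target(acls: Dict[str, List[dict]], name: str,
                  source: Optional[str] = None) -> Tuple[bool, str]:
    """Accept a reload only when (acl name, pattern source) is unambiguous.
    Returns (ok, message) instead of writing to stderr."""
    exprs = acls.get(name)
    if exprs is None:
        return False, f"unknown acl '{name}'"
    if len(exprs) != 1:   # the conservative rule from the mail
        return False, f"acl '{name}' has {len(exprs)} statements, refusing"
    expr = exprs[0]
    sources = expr["files"] + (["inline"] if expr["inline"] else [])
    if source is None:
        if len(sources) != 1:
            return False, f"acl '{name}' has {len(sources)} sources, name one"
        source = sources[0]
    if source not in sources:
        return False, f"acl '{name}' has no source '{source}'"
    return True, f"reload acl '{name}' from '{source}'"
```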