> It would be nicer if, as you suggest, sufficient support with rules
> could be lifted into a libipf (without having to talk directly with
> the kernel).

The ioctls make it not too hard to talk directly with the kernel; the trouble is that you'll have to parse the rules yourself, which is entering a game of catch-up. The libipf would contain the parser so you'd always be up-to-date.

> I have never done any rules with "log" yet, so I only have a vague idea on
> how they work. I'm guessing I can read /dev/ipmon to read any rules that
> were hit by a "log" entry.

Exactly. It isn't too hard to work out. I have that part down pat in "butler", and I'll be happy to share the code if you wish. In fact, we could just set up a Sourceforge project and make butler work for both functions.

I have butler recognising the secret knocks ok, but I need three more things to finish it:

* A configuration file that defines the secret knocks and the rules to apply when one is detected,
* Implementing the callout to ipf or whatever to apply the changes,
* Timeout code to remove rules (and maybe reactivate them if they're still being used).

Clifford Heath.
