It would be hard to ask my boss to hire a developer, since with my script the
solution is working.
I'll think of the OpenBSD people before discarding our old hardware, anyway.

My script loads the rules once, and modifies the table within the rule.
When the user disconnects, its IP is removed from the table, and its
connections are killed with pfctl -k.

By the way, your idea of an include statement is very good, and doesn't need any
further coding of authpf.
I'm going to test this right now.

Thank you for the precious time you spent on my problem!

--
Cordialement,
Pierre BARDOU


-----Original Message-----
From: Vadim Zhukov [mailto:[email protected]]
Sent: Tuesday 13 October 2009 18:09
To: BARDOU Pierre
Cc: [email protected]
Subject: Re: New functionality for authpf

On 13 October 2009 18:53:07 BARDOU Pierre wrote:
> Hello,
>
> I'd need a new functionality in authpf.
>
> It would be nice to do group based rules instead of user based rules.
>
> I made this using a script used as shell for the user, which lists the
> groups of the user, and adds them to a table named like the group using
> pfctl and sudo.
>
> I can give it to you if you are interested.
>
> But I think it would be better to include this in authpf, and by the
> way it doesn't seem too difficult.
>
> Unfortunately, I don't know how to make this in C. Someone interested
> in doing this?

Ignoring the fact that it's better for you to prepare money (or some
equivalent) to hire someone to do that work: you need it, so either
you implement it, or pay for it. For example, you could donate some
hardware OpenBSD needs - see www.openbsd.org/want.html .

Now, for the request itself, you should clarify the exact behavior you want:

- Should the rules be loaded only once, or every time a user logs in? (The
real fun part here is the detach policy.)

- Maybe it's simpler to have a /etc/authpf/groups/$GROUP/ directory with
authpf.rules in it, and make /etc/authpf/users/$USER/authpf.rules be a
soft link or contain an "include" statement? The latter gives you very,
very much flexibility.

- Maybe more, but I do not want to spend more time than I had better spend
polishing my own patches.

--
  Best wishes,
    Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
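Pierre's group-table login shell and Vadim's remark that the detach policy is the hard part, as an added example that is neither Pierre's script nor part of authpf: a POSIX sh login shell, assumed to be installed as /usr/local/bin/authpf-groups, that puts the SSH client's address into a pf table named after each of the user's groups and removes it again (killing its states with pfctl -k) when the session ends. It assumes pf.conf already declares a persistent table per group and that the user may run pfctl through sudo, as in Pierre's setup.

```sh
#!/bin/sh
# Added example, not Pierre's script and not authpf: a login shell that adds
# the SSH client's address to one pf table per Unix group of the user and
# removes it (killing its states) when the session ends.
# Assumed pf.conf:  table <staff> persist
#                   pass in quick from <staff> to any

PFCTL=${PFCTL:-"sudo /sbin/pfctl"}

# First word of SSH_CLIENT ("addr port port") is the client address.
client_ip() {
    set -- $1
    echo "$1"
}

# Emit one pfctl argument line per group: "-t GROUP -T add|delete IP".
# Keeping this separate from execution makes the intended changes easy
# to log or test before anything touches pf.
table_ops() {
    op=$1; ip=$2; shift 2
    for g in "$@"; do
        echo "-t $g -T $op $ip"
    done
}

# Run each argument line through pfctl (or whatever $PFCTL names).
apply_ops() {
    while read -r line; do
        $PFCTL $line
    done
}

session() {
    ip=$(client_ip "$SSH_CLIENT")
    groups=$(id -Gn "$USER")
    table_ops add "$ip" $groups | apply_ops
    # Detach policy: drop the address from every group table, then kill
    # its existing states so access really ends, not just new connections.
    trap 'table_ops delete "$ip" $groups | apply_ops; $PFCTL -k "$ip"' EXIT
    trap 'exit 0' HUP INT TERM
    echo "Access granted for groups: $groups"
    while :; do sleep 3600; done
}

# Start a session only when running as the login shell (sshd passes a
# leading "-"); sourcing the file just defines the functions above.
case ${0##*/} in authpf-groups|-authpf-groups) session ;; esac
```

One case the script does not handle: two sessions from the same address sharing a group table, where the first logout deletes the entry the second still relies on.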
