> > > I will come up with better examples later. promise.
> >
> > I'm really interested, because I didn't understand what the objective is ;-)
>
> The objective is to allow applications to insert and remove rules dynamically.
> The present mechanisms for adding/removing rules are too general to be
> easily used by applications.

So??? If you want something easy, use libdnet. IIRC it doesn't deal with NAT
rules but I'm sure Dug would love diffs.

> The application has to specify not only the
> complete rule parameters, but has to know _where_ exactly to place the
> rule in the ruleset (beginning, end, after a rule? etc.)

I'd hope so. I wouldn't want authpf to start placing rules at the end of my
ruleset of mostly quicks.

> Furthermore,
> the administrator has no control on what rule an application inserts, or
> a way to know which rules are inserted by an application.

Configure your app to add a label to the rules if you want to distinguish
them. If an admin has no control over what an application inserts, why would
he run the app?

> To make matters
> more complex, if the application crashes, it may leave permanent rules
> in the ruleset.

Aha! That is a real issue. The way we had talked about solving that up in
Calgary was to extend proc so rules could be tied to a process. When the
process goes away, it calls back into PF which removes the rules. Were we
talking about that in Calgary or in DC a year ago?? Hell, I can't remember.
Bob was running around in a tizzy with excitement though (now that was a
sight!)

> Now, after all that talk, I should note that, with proper usage of
> static rules (especially the user keyword) most proxy servers would
> never need to insert rules (or can be designed to remove that requirement)
> However there are isolated cases where it would be useful see
> the recent post by Matthew Sweet for instance. That is why I could not
> easily come up with a real world example.

It is a cool concept, I'll give you that. But I still don't see the problem
you're trying to solve.

.mike
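As an added illustration of the two points made in the exchange above (a static rule keyed on the process owner with the `user` keyword so the proxy never has to insert rules, and a label so an application's rules can be told apart), not code from the thread or from any of the posters: a hypothetical pf.conf fragment. The interface name `fxp0`, the `_proxy` account, and the label and anchor name `proxy` are assumptions; the anchor is an addition beyond what the thread discusses, given here as the usual way to fix where application-loaded rules land and to flush them as a unit.

```pf
# Hypothetical pf.conf fragment (added example, not from the thread).
# Assumed names: fxp0, the _proxy account, the "proxy" label and anchor.
ext_if = "fxp0"

# Static rule for the proxy daemon: match on the owning uid of the socket
# instead of having the daemon insert a rule per connection. Nothing is
# left behind if the daemon crashes, because nothing was inserted at runtime.
pass out quick on $ext_if proto tcp from any to any port 80 user _proxy keep state label "proxy-out"

# Where an application really must insert rules at runtime, give it its own
# anchor. The administrator fixes the anchor's position in the ruleset here;
# the application only ever loads rules into the anchor, and those rules can
# be listed and flushed without touching the rest of the ruleset.
anchor "proxy" on $ext_if
```

With this in place the application (or a wrapper around it) loads its rules with `pfctl -a proxy -f -`, reading them from stdin and labeling each one, for example `label "proxy:client"`; `pfctl -sl` then lists every labeled rule with its counters, so the administrator can see exactly what the application has added, and `pfctl -a proxy -F rules`, run by hand or from a cleanup step after a crash, empties the anchor without reloading the main ruleset.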
