On Tue, Oct 21, 2003 at 04:54:42PM +0200, Laurent Cheylus wrote:

> But if the pf rules are changed, I need to update my buffer dynamically. Is it a
> solution to know when a PF ruleset is modified?

There's no dedicated attribute (like a serial number automatically
increased with each ruleset reload), but you could either

 a) fetch the currently loaded ruleset and compare against the
    previously logged one, only log if they differ

 b) fetch the first rule of the currently loaded ruleset and
    check the evaluation counter of that rule. On reload, this
    counter is reset, so when you see the counter decrease, you
    can assume the (possibly unchanged) ruleset was reloaded.

Depending on the frequencies of the checks and reloads, there's a
chance that you miss a reload.

If the ruleset is small and fetching it completely is cheap, a) should
work fine, and it will also tell you whether the ruleset was actually
changed or just reloaded. If the ruleset is too large for the required
check frequency (fetching a set with 100k rules ten times per second
would lock up the machine doing ioctls), b) might be better.

Daniel
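The two checks described in the message above, as an added example that is not part of the original post: it parses the text printed by `pfctl -vsr` instead of issuing the ioctls directly, and combines option a) (compare rule text) with option b) (watch the first rule's evaluation counter). The function names and the sample rules are assumptions made for this illustration.

```python
import hashlib
import re

EVAL_RE = re.compile(r"\[\s*Evaluations:\s*(\d+)")

def snapshot(vsr_text):
    """Reduce `pfctl -vsr` style text to (digest of rule lines, first rule's evaluations)."""
    rules, first_evals = [], None
    for line in vsr_text.splitlines():
        m = EVAL_RE.search(line)
        if m and first_evals is None:
            first_evals = int(m.group(1))         # counter line of the first rule
        elif line.strip() and not line.lstrip().startswith("["):
            rules.append(" ".join(line.split()))  # rule text, whitespace-normalised
    digest = hashlib.sha256("\n".join(rules).encode()).hexdigest()
    return digest, first_evals

def compare(prev, cur):
    """Classify two snapshots as 'changed', 'reloaded' or 'no reload seen'."""
    if prev[0] != cur[0]:
        return "changed"         # option a): the rule text differs
    if prev[1] is not None and cur[1] is not None and cur[1] < prev[1]:
        return "reloaded"        # option b): counter went backwards
    return "no reload seen"      # also the result when a reload was missed

def constructed_output(second_rule, evals):
    """Constructed sample in the layout of `pfctl -vsr` (not captured from a real host)."""
    stats = f"  [ Evaluations: {evals:<8}  Packets: 0         Bytes: 0           States: 0     ]\n"
    return "block drop in all\n" + stats + second_rule + "\n" + stats

RULE_A = "pass in on fxp0 proto tcp from any to any port = 22 keep state"
RULE_B = "pass in on fxp0 proto tcp from any to any port = 80 keep state"

if __name__ == "__main__":
    before = snapshot(constructed_output(RULE_A, 5200))
    for label, text in [
        ("traffic only", constructed_output(RULE_A, 5400)),
        ("same rules reloaded", constructed_output(RULE_A, 12)),
        ("edited rules reloaded", constructed_output(RULE_B, 12)),
        # Reload happened, but the counter already passed 5200 before the next poll:
        ("reload missed by b)", constructed_output(RULE_A, 6000)),
    ]:
        print(f"{label:24} -> {compare(before, snapshot(text))}")
```

The last sample shows the missed-reload case the message warns about: with unchanged rule text and a counter that has already climbed past the previous reading, neither check can tell a reload happened.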
