On Sun, Aug 08, 2004 at 10:31:30PM +0100, Christopher Keeley wrote:

>       What is the correct way to add rules?
> 
>               a) Am I to create a unique rulesetname for each rule?
>               b) Or is it proper for a 'ruleset' to encompass more
>                  than one rule?

You can do either; the difference in performance is insignificant.

authpf, for instance, creates one subruleset for each user who logs in,
then adds rules related to that user to this specific subruleset.

This has the advantage that

  a) rule insertion is simpler, as it can always add rules at the bottom
     (of the specific user subruleset)
  b) rule deletion is simpler, as it can delete all rules from the
     specific subruleset (and, therefore, remove the entire subruleset)
     when the user logs out.

If you use a single subruleset and insert/remove all rules there, you
might have to use a more complex algorithm to insert/delete rules, like
finding the right spot to add a rule or finding the appropriate rules to
delete first.

Also, if your program may run as multiple instances in parallel, the
instances might (dead)lock themselves when attempting to modify the same
subruleset concurrently. It might be a good idea to give each instance
its own subruleset just for this purpose.

On the other hand, if you are creating thousands of rules, it might be
ugly to create a subruleset for each single rule.

Daniel
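
The per-instance pattern described in the message above, as an added example (not code from the original message, from authpf, or from the pf project): each instance loads its rules into its own anchor and flushes that whole anchor when it exits. The root name "myapp", the function names and the PFCTL override are hypothetical; it assumes a pfctl that accepts a slash-separated anchor path for -a and a main ruleset containing an `anchor "myapp/*"` line.

```shell
#!/bin/sh
# Added example: one anchor (subruleset) per program instance.
PFCTL=${PFCTL:-pfctl}               # overridable, e.g. for a dry run
ANCHOR_ROOT=${ANCHOR_ROOT:-myapp}   # hypothetical root anchor name

# Build the anchor path for an instance id. Ids are restricted to a safe
# character set so an id can never address another instance's anchor.
instance_anchor() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$ANCHOR_ROOT" "$1"
}

# Insertion: rules arrive on stdin and are loaded into the instance's own
# anchor, so there is no need to find the right position in a shared ruleset.
load_instance_rules() {
    anchor=$(instance_anchor "$1") || return 1
    "$PFCTL" -a "$anchor" -f -
}

# Deletion: flush every rule in the instance's anchor in one operation,
# without having to identify which rules belonged to this instance.
flush_instance_rules() {
    anchor=$(instance_anchor "$1") || return 1
    "$PFCTL" -a "$anchor" -F rules
}

# Lifecycle: load on start, run the command, flush on exit.
# $1 = instance id, $2 = rules file, remaining arguments = command to run.
with_instance_rules() {
    id=$1 rules=$2
    shift 2
    load_instance_rules "$id" <"$rules" || return 1
    status=0
    "$@" || status=$?
    flush_instance_rules "$id"
    return "$status"
}
```

A typical call is `with_instance_rules "$$" /path/to/rules some-command`, which uses the process id as the instance id so that parallel instances never modify the same anchor.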
