> If you have any other uses for changing firewall rules dynamically,
> then I'd love to hear them! dfd_keeper can already peacefully coexist
> with anchors and tables....

I don't know if you remember a discussion from several months back, but the ability to change pf rules on the fly, reliably, is critical to transparent interception at the TCP/IP level by a bridge.

In particular you need to be able to avoid race conditions caused by two requests in close proximity, i.e. thread one fetches the pf file, thread two fetches the pf file, thread one modifies the rules it finds, thread two modifies the rules it finds, thread one writes back the new pf file, thread two writes back the new pf file ... and the thread one changes are lost!

So, how good is your locking?

Graham
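
The lost-update sequence described in the message above, closed by holding an exclusive lock across the whole fetch/modify/write-back cycle. This is an added example, not part of the original message and not dfd_keeper's code; the `.lock` sidecar file, the function names and the sample rules are assumptions, and the lock is advisory, so it only helps if every writer takes it.

```python
import fcntl
import os
import tempfile
import threading

def add_rule(rules_path, rule):
    """Append one rule as a single locked fetch/modify/write-back cycle."""
    lock_path = rules_path + ".lock"  # assumed sidecar lock file name
    with open(lock_path, "w") as lock:
        # Exclusive advisory lock: a second writer blocks here until the
        # first writer has written its changes back.
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            with open(rules_path) as f:
                rules = f.read().splitlines()
            rules.append(rule)
            # Write a temp file in the same directory, then rename over the
            # original so readers never see a half-written rule set.
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(rules_path) or ".")
            with os.fdopen(fd, "w") as f:
                f.write("\n".join(rules) + "\n")
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, rules_path)
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)

def run_concurrent_writers(n_threads=8, per_thread=25):
    """Constructed scenario: every thread adds distinct rules to one file."""
    rules_path = os.path.join(tempfile.mkdtemp(), "pf.conf")
    with open(rules_path, "w") as f:
        f.write("block in all\n")

    def worker(t):
        for i in range(per_thread):
            add_rule(rules_path, f"pass in proto tcp from 192.0.2.{t} to any port {8000 + i}")

    threads = [threading.Thread(target=worker, args=(t,)) for t in range(n_threads)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    with open(rules_path) as f:
        return f.read().splitlines()

if __name__ == "__main__":
    rules = run_concurrent_writers()
    print(len(rules), "rules present; expected", 1 + 8 * 25)
```

The example covers only the rules file on disk; loading the result into the running pf rule set is a separate step that needs to sit inside the same lock.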
