Didn't notice this was to the list too. As I said to the OP, I use asynchronous I/O; there is one in-user-memory image of what the rules should look like, and multiple clients are all simultaneously handled by one thread. Commands to the daemon are atomic, and commits to pfctl will commit the entire, consistent, in-user-memory image.
This is all very much easier thanks to python's "twisted" library (asynch I/O core). -- Security Guru for Hire http://www.lightconsulting.com/~travis/ -><- GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
