Subject: Re: pf documentation?
To: None <tech-net@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 02/20/2006 05:42:47
>> I'm trying to do some stuff with pf that, among other things,
>> involves adding and removing rules under program control.
> Have you tried using anchors with pfctl?

That's what I had to resort to, even though it is rather seriously
non-ideal in some respects.

- I would much rather do it directly, instead of having to fork and
   exec pfctl (with all the failure modes that introduces).

- It requires that I maintain a single repository for the rules, since
   (as far as I can tell) there is no way to have pfctl add a rule to
   an anchor without disturbing existing rules, nor to remove a single
   rule without disturbing other rules.  So I have to have some central
   piece which knows the entire current set.

I consider both of these serious flaws - but unavoidable ones, given
the nonexistence of the documentation.  (I did put a bit of time into
trying to work out what was needed, but there were too many pieces
whose semantics were undocumented, and figuring out what they were all
intended to be would have meant getting my head around almost all of
pf, something well beyond what I was willing to do to avoid the above.)

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
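What the "single repository" workaround from the message looks like in practice, as an added example (not code from the original post or from pf/pfctl itself): the script keeps the anchor's complete rule set in a local file, edits that file for each single-rule add or remove, and then reloads the whole anchor with `pfctl -a ANCHOR -f FILE`, which is exactly the "disturb everything to change one rule" behaviour complained about above. The anchor name `myprog`, the path `/var/run/myprog.rules`, the `PFCTL` override and all function names are assumptions made for the example; the pf.conf line `anchor "myprog"` is required for the anchor to be consulted at all.

```shell
#!/bin/sh
# Added example, not from the original message: manage one pf anchor from a
# script by keeping its full rule set in a file and reloading the anchor with
# pfctl after every change.  ANCHOR, RULEDB and PFCTL are assumed names.

ANCHOR="${ANCHOR:-myprog}"                  # /etc/pf.conf needs: anchor "myprog"
RULEDB="${RULEDB:-/var/run/myprog.rules}"   # the central copy of the anchor's rules
PFCTL="${PFCTL:-pfctl}"                     # overridable so the file logic runs without pf

# Exact-match test for a rule line in the repository; returns 0 if present.
has_rule() {
    [ -f "$RULEDB" ] && grep -Fxq -- "$1" "$RULEDB"
}

# Add one rule to the repository.  Returns 0 on success, 1 if already present.
add_rule() {
    has_rule "$1" && return 1
    printf '%s\n' "$1" >> "$RULEDB"
}

# Remove one rule from the repository.  Returns 0 on success, 1 if not found.
del_rule() {
    has_rule "$1" || return 1
    tmp="$RULEDB.tmp.$$"
    # grep exits 1 when no line is left, which is not an error here
    grep -Fxv -- "$1" "$RULEDB" > "$tmp" || true
    mv -- "$tmp" "$RULEDB"
}

# Number of rules currently held in the repository (0 if the file is absent).
rule_count() {
    [ -f "$RULEDB" ] || { echo 0; return; }
    wc -l < "$RULEDB" | tr -d ' '
}

# Replace the anchor's rule set in the kernel with the repository contents.
# "pfctl -a ANCHOR -f FILE" loads FILE as the complete rule set of ANCHOR, so
# every reload replaces the rules already in the anchor.  The -n (parse only)
# pass reports a bad rule before the kernel is touched.
reload_anchor() {
    "$PFCTL" -n -a "$ANCHOR" -f "$RULEDB" || return 1
    "$PFCTL" -a "$ANCHOR" -f "$RULEDB"
}

# Command-line use:
#   myprog.sh add  'pass in proto tcp to port 22'
#   myprog.sh del  'pass in proto tcp to port 22'
#   myprog.sh list
case "${1:-}" in
    add)  add_rule "$2" && reload_anchor ;;
    del)  del_rule "$2" && reload_anchor ;;
    list) "$PFCTL" -a "$ANCHOR" -s rules ;;
esac
```

Because the reload is a whole-anchor replacement, the repository file is the only place where the current rule set is known; run the script under a lock (or from a single long-lived process) if more than one caller can add or remove rules, otherwise two concurrent edits can race on the file and one of them will silently be lost.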