Source-Changes-HG archive


[src/trunk]: src/external/bsd/blacklist Explain a bit more how to examine the...



details:   https://anonhg.NetBSD.org/src/rev/e5ae43723aa1
branches:  trunk
changeset: 823140:e5ae43723aa1
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Apr 13 17:59:34 2017 +0000

description:
Explain a bit more how to examine the blacklist state.

diffstat:

 external/bsd/blacklist/README |  12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diffs (26 lines):

diff -r 15428632c262 -r e5ae43723aa1 external/bsd/blacklist/README
--- a/external/bsd/blacklist/README     Thu Apr 13 17:45:56 2017 +0000
+++ b/external/bsd/blacklist/README     Thu Apr 13 17:59:34 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
+# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
 
 This package contains library that can be used by network daemons to
 communicate with a packet filter via a daemon to enforce opening and
@@ -98,6 +98,16 @@
        ...
 }
 
+You can use 'blacklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail <c>/<t> where <c>urrent
+>= <t>otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule <rulename> list'.  The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
 Enjoy,
 
 christos
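
Review bot: The added paragraph has a typo on its third line, where "assosiated" should be "associated", and in its last sentence "there could be other connection before the rule becomes activated" should read "other connections". The notation "nfail <c>/<t> where <c>urrent >= <t>otal" is hard to parse on first read; consider writing it as "nfail current/total" and stating plainly that an id is present once current reaches total. The text also leaves <rulename> in 'npfctl rule <rulename> list' undefined, so it would help to say where the reader finds the rule name to pass.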


