On Mon, Jul 28, 2008 at 09:18:39AM +0100, Charlie Clark wrote:
> openbsd misc wrote:
>> interesting point. How about dumping it to a file or something so you are
>> able to check what was loaded last time (e.g. a file with 400 under
>> /var/whatever)?
>>
> What I want is, I have a script that when I commit a ruleset with pfctl
> it uses pfctl to query the loaded rules and outputs that to a file. I
> get the rulesets there using fwbuilder, which loads the ruleset directly
> using pfctl. I have another script which checks the currently loaded
> ruleset against the file that my commit script creates and does a diff;
> if the ruleset hasn't been committed using my script (or doesn't match
> the file) after a minute, it will roll the rules back. This is good
> in case an admin loads a ruleset which locks them out. But I have no way
> to get my set to recognize changes to options, so when I try to commit a
> ruleset using my script it thinks that I'm trying to commit the same
> ruleset.
>
> Does this make more sense?

A diff of a loaded ruleset is not that useful (for humans) IMHO; a better
way would be to diff the ruleset (possibly excluding the comments and
spaces etc.). An even better way to do that would be to JustDoIt (no diff
checking whatsoever), and let the admins reload the rule when they commit
any changes to it.

-- 
vi vi vi -- the number of the beast
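The commit-and-rollback scheme discussed in this thread, written out as an added POSIX sh sketch that is not code from either poster; the snapshot path, the choice of `pfctl -s` modifiers used to capture option state, and the sample rulesets are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. SNAPSHOT (assumed path) is where the
# commit script records what pf had loaded; pfctl is only needed by the
# dump/commit/rollback functions, the text helpers run anywhere.
SNAPSHOT=${SNAPSHOT:-/var/db/pf.committed}

# Strip comments, trailing whitespace and blank lines so cosmetic edits do
# not count as a change (the "diff excluding comments and spaces" idea).
normalize_ruleset() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Current state: rules AND option state. Capturing more than `-s rules`
# is what lets an option-only change be noticed at all; which -s modifiers
# cover the options you care about is an assumption to check on your pf.
dump_loaded() {
    { pfctl -s rules; pfctl -s timeouts; pfctl -s memory; } | normalize_ruleset
}

# Returns 0 when the two ruleset texts are equivalent after normalization.
rulesets_match() {
    [ "$(printf '%s\n' "$1" | normalize_ruleset)" = \
      "$(printf '%s\n' "$2" | normalize_ruleset)" ]
}

# Commit: load the file, keep a copy for rollback, record what pf loaded.
commit_ruleset() {
    pfctl -f "$1" && cp "$1" "$SNAPSHOT.conf" && dump_loaded > "$SNAPSHOT"
}

# Watchdog (run from cron a minute later): if the loaded state differs from
# the last commit, reload the committed file so a lock-out is undone.
check_and_rollback() {
    if rulesets_match "$(cat "$SNAPSHOT")" "$(dump_loaded)"; then
        return 0
    fi
    pfctl -f "$SNAPSHOT.conf"
    return 1
}

# Constructed sample rulesets: A and B differ only cosmetically, C adds an
# option line and must be detected as a change.
RULES_A='set skip on lo0   # loopback
block in all

pass out all'
RULES_B='set skip on lo0
block in all
pass out all'
RULES_C="$RULES_B
set block-policy return"
```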
