So I think a number of people were confused about what DFD actually *did*.
I think this is best explained by an example.
Here is a sample transcript: bash$ is the Unix command line and
dfd_keeper> is the dfd command line. Basically I connect up, show the
rules in the example script, block the IP
> If you have any other uses for changing firewall rules dynamically,
> then I'd love to hear them! dfd_keeper can already peacefully coexist
> with anchors and tables
I don't know if you remember a discussion from several months
back, but the ability to change pf rules on the fly, reliably,
Didn't notice this was to the list too.
As I said to the OP, I use asynchronous I/O; there is one
in-user-memory image of what the rules should look like, and multiple
clients are all simultaneously handled by one thread. Commands to the
daemon are atomic, and commits to pfctl will commit the ent