Module Name: src
Committed By: christos
Date: Thu Apr 13 17:59:34 UTC 2017
Modified Files:
src/external/bsd/blacklist: README
Log Message:
Explain a bit more how to examine the blacklist state.
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/external/bsd/blacklist/README
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/blacklist/README
diff -u src/external/bsd/blacklist/README:1.7 src/external/bsd/blacklist/README:1.8
--- src/external/bsd/blacklist/README:1.7 Sun Jan 25 19:34:50 2015
+++ src/external/bsd/blacklist/README Thu Apr 13 13:59:34 2017
@@ -1,4 +1,4 @@
-# $NetBSD: README,v 1.7 2015/01/26 00:34:50 christos Exp $
+# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $
This package contains library that can be used by network daemons to
communicate with a packet filter via a daemon to enforce opening and
@@ -98,6 +98,16 @@ group "internal" on $int_if {
...
}
+You can use 'blacklistctl dump -a' to list all the current entries
+in the database; the ones that have nfail <c>/<t> where <c>urrent
+>= <t>otal, should have an id assosiated with them; this means that
+there is a packet filter rule added for that entry. For npf, you
+can examine the packet filter dynamic rule entries using 'npfctl
+rule <rulename> list'. The number of current entries can exceed
+the total. This happens because entering packet filter rules is
+asynchronous; there could be other connection before the rule
+becomes activated.
+
Enjoy,
christos
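Review bot: the added paragraph has spelling and grammar slips that should be fixed before it lands: "assosiated" should read "associated", and "there could be other connection before the rule becomes activated" should read "there could be other connections before the rule becomes active". The description of the nfail column is also hard to parse as written ("nfail <c>/<t> where <c>urrent >= <t>otal"); spelling it out, for example "nfail is shown as <current>/<total>; an entry whose current count has reached the total should have an id, which means a packet filter rule has been added for it", would read more clearly. Since the text explains that the current count can exceed the total because rule insertion is asynchronous, it would help the reader to also say what to conclude when an entry at or above the threshold still shows no id, i.e. that the rule has not (yet) been installed and the npfctl listing is the place to confirm that.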