Hello,
On Wed, Jul 05, 2023 at 11:10:11AM +0200, Alexandr Nedvedicky wrote:
</snip>
>
> thanks for your help to put my update to pf(4) to shape.
> updated diff is below.
>
diff in my earlier email was wrong. this one is the right one.
sorry for extra noise.
regards
sashan
--------8<---------------8<---------------8<------------------8<--------
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index 92eeb45f657..7346c7e3194 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -48,12 +48,25 @@ and retrieve statistics.
The most commonly used functions are covered by
.Xr pfctl 8 .
.Pp
-Manipulations like loading a ruleset that involve more than a single
+Operations loading or reading a ruleset that involve more than a single
.Xr ioctl 2
call require a so-called
-.Em ticket ,
-which prevents the occurrence of
-multiple concurrent manipulations.
+.Sy ticket ,
+which allows
+.Xr pf 4
+to deal with concurrent operations.
+For certain
+.Xr ioctl 2
+commands (currently
+.Dv DIOCGETRULES )
+the number of tickets program can get is limited.
+The program must explicitly release the ticket using the
+.Dv DIOCXEND
+command to avoid hitting the limit.
+All tickets which are not freed by
+.Dv DIOCXEND
+are released when the program closes
+.Pa /dev/pf .
.Pp
Fields of
.Xr ioctl 2
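Review bot: The sentence "the number of tickets program can get is limited" is missing an article ("a program") and, more importantly, does not say what the limit is or what a caller sees when it is reached. A program that hits the limit needs to tell that failure apart from other errors, so the text should name the error returned and say whether the limit applies per open of /dev/pf or system-wide. The same hunk also changes the markup of "ticket" from .Em to .Sy without an apparent reason; unless the rest of the page uses .Sy for introduced terms, keeping .Em would leave that line out of the diff.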
@@ -132,6 +145,9 @@ for subsequent
calls and the number
.Va nr
of rules in the active ruleset.
+The ticket should be released by the
+.Dv DIOCXEND
+command.
.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
Get a
.Va rule
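Review bot: "The ticket should be released" in the DIOCGETRULES entry is weaker than the introduction, which says the program "must explicitly release the ticket". Pick one wording for both places, preferably "must". It would also help to say when the release is expected, for example once the program has finished the subsequent calls that use the ticket, so readers do not release it before they have finished reading the rules.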
@@ -792,6 +808,10 @@ inactive rulesets since the last
.Dv DIOCXBEGIN .
.Dv DIOCXROLLBACK
will silently ignore rulesets for which the ticket is invalid.
+.It Dv DIOCXEND Fa "u_int32_t *ticket"
+Release ticket obtained by the
+.Dv DIOCGETRULES
+command.
.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
Set the host ID, which is used by
.Xr pfsync 4
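Review bot: The new DIOCXEND entry sits directly after the DIOCXROLLBACK text but is described only as releasing a ticket obtained by DIOCGETRULES. That leaves it unclear whether it has any meaning for tickets from DIOCXBEGIN. Say so explicitly, and document what happens when the ticket is invalid or already released, as the preceding DIOCXROLLBACK paragraph does for its case ("will silently ignore rulesets for which the ticket is invalid"). Minor: "Release ticket" should read "Release the ticket".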