On Sun, Jul 16, 2006 at 02:40:04AM +0300, Soner Tari wrote:
> However, if you agree with me, I get the feeling that all of these are
> inelegant workarounds compared to the ideal solution: time support in pf
> (similar to perhaps iptables). I've read the replies from developers to
> a similar question a few months back, and they were not interested in
> adding such support in pf. I am sure there are other priorities for
> them, and it's totally OK with me.
>
> But time rules are important for me, so ultimately I'd like to achieve
> the correct solution, if I can (which is the OpenBSD way after all).
> Therefore, I am even willing to play with the pf source code to add time
> support just for packet filtering rules. I am sure, if it were so easy,
> we would probably have it by now. So, before I attempt it myself, do you
> guys think it is too difficult?
> the case, hopefully?

Consider that pf does its job, and does it well. Other tools can be used
to manipulate the policy that pf enforces, changing over not only time
but any other criteria. Such criteria can't be foreseen and certainly
all of them can't (and shouldn't) be included in pf.

Small, focused tools are one example of the Unix way (not just OpenBSD).
You can build the behavior you're asking for with the tools you have
currently, and do it in a robust manner. Thinking through how that would
work, I don't find it inelegant. It would be clear and easy to manage.

--
Darrin Chandler | Phoenix BSD Users Group
dwchandler@stilyagin.com | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |