Re: dynamically changing pf rules

On Tue, Nov 19, 2002 at 12:03:45PM -0000, Dan Heaver wrote:
> Hi, I'm currently pondering a solution for one of our clients using OpenBSD
> / pf as the building blocks that hold the solution together and would value
> people's opinion on the idea.
> Basically this is the setup I want to implement:
> I want to have an OpenBSD box in front of two Solaris boxes (these boxes are
> already in place and serving a live website) that NATs a public IP address
> to one of the boxes. I then want to write a daemon that monitors services on
> the Solaris and dynamically changes the NAT to point to the second box should
> it deem that one of the services has failed.
> Does this sound feasible?
> Where would I have to look to dynamically change NAT rules in pf?

Yes, you could do it by writing a custom program (daemon) that:
 1) Monitors services.
 2) Changes the NAT rules via /dev/pf ioctls (man pf).
Sounds pretty easy if you have knowledge of the C language.
I've been working with pf ioctls for a while on a project currently
owned by the company I work for, so I can't open the sources, but if you have
problems with it make contact with me at ps0@igmp.com.ar

> Regards
> Dan
Hector A. Paterno
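
The two-step daemon described in the reply (monitor services, then repoint the NAT), as an added example that is not part of the original thread and not the project Hector mentions. It swaps the /dev/pf ioctls for reloading a pf anchor through pfctl on a current OpenBSD, and the addresses, port, anchor name and failure threshold are assumptions made for illustration.

```python
import socket
import subprocess
import time

# Assumed values, not from the thread: documentation/private addresses.
PUBLIC_IP = "192.0.2.10"
BACKENDS = ["10.0.0.11", "10.0.0.12"]   # primary first, standby second
PORTS = [80]                             # services that must answer
ANCHOR = "failover"                      # hypothetical anchor name
FAIL_THRESHOLD = 3                       # consecutive failed probes before switching

def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def render_rules(backend):
    """pf rule text redirecting the public address to one backend."""
    return "".join(
        f"pass in quick proto tcp to {PUBLIC_IP} port {p} rdr-to {backend}\n"
        for p in PORTS)

class Failover:
    def __init__(self, probe=tcp_probe):
        self.probe, self.active, self.failures = probe, 0, 0

    def healthy(self, host):
        return all(self.probe(host, p) for p in PORTS)

    def step(self):
        """Probe once; return new rule text when a switch is due, else None."""
        if self.healthy(BACKENDS[self.active]):
            self.failures = 0
            return None
        self.failures += 1
        standby = 1 - self.active
        # One lost probe is not an outage, and a dead standby is no improvement.
        if self.failures < FAIL_THRESHOLD or not self.healthy(BACKENDS[standby]):
            return None
        self.active, self.failures = standby, 0
        return render_rules(BACKENDS[standby])

def apply_rules(text):
    """Replace the anchor's ruleset in one load; needs root on the pf host."""
    subprocess.run(["pfctl", "-a", ANCHOR, "-f", "-"], input=text.encode(), check=True)

if __name__ == "__main__":
    fo = Failover()
    apply_rules(render_rules(BACKENDS[0]))
    while True:
        rules = fo.step()
        if rules:
            apply_rules(rules)
        time.sleep(5)
```

The main pf.conf has to reference the anchor (`anchor "failover"`) for the loaded rules to be evaluated, and the daemon needs the privileges to run pfctl, so it should run on the firewall itself with nothing else able to write to that anchor.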