From owner-freebsd-ipfw@FreeBSD.ORG  Fri Feb 27 18:14:03 2009
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4D1231065688
	for <freebsd-ipfw@freebsd.org>; Fri, 27 Feb 2009 18:14:03 +0000 (UTC)
	(envelope-from steve@ibctech.ca)
Received: from ibctech.ca (unknown [IPv6:2607:f118::b6])
	by mx1.freebsd.org (Postfix) with SMTP id D7A618FC13
	for <freebsd-ipfw@freebsd.org>; Fri, 27 Feb 2009 18:14:02 +0000 (UTC)
	(envelope-from steve@ibctech.ca)
Received: (qmail 73488 invoked by uid 89); 27 Feb 2009 18:16:42 -0000
Received: from unknown (HELO ?IPv6:2607:f118::5?)
	(steve@ibctech.ca@2607:f118::5)
	by v6.ibctech.ca with ESMTPA; 27 Feb 2009 18:16:42 -0000
Message-ID: <49A82D61.4060509@ibctech.ca>
Date: Fri, 27 Feb 2009 13:13:53 -0500
From: Steve Bertrand <steve@ibctech.ca>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Saving runtime created rules
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Feb 2009 18:14:03 -0000

I am frequently adding/changing/deleting IPFW rules on my FBSD powered
Quagga edge routers, and often neglect to update the start up script.

Fearing the disaster that would result if one of my routers reboots
without a saved IPFW config, I went about creating a method to save
runtime lists to be used at startup. I thought I'd share my experience.

First, I deleted all of the actual rules from my startup sh script
(/etc/ipfw.rules). I left all script variables and tables in this file.

I then added ". /etc/ipfw.include" to the bottom of the script. Then:

# ipfw list | \
# perl -nle 's/table\((\d+)\)/\"table($1)"/g; print "\$cmd $_";' \
# > /etc/ipfw.include
# chown root:wheel /etc/ipfw.include && chmod 400 /etc/ipfw.include

Now any time that I run that command pipeline, all rules are saved in
the include file. This could be cronned, but I'm hesitant to go that far
at this point, because there is no syntax checking at all.

Cheers!

Steve