From nobody@FreeBSD.org  Sat Feb 25 04:19:11 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5E1C116A420
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 25 Feb 2006 04:19:11 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 05EEF43D45
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 25 Feb 2006 04:19:10 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k1P4JAI3011526
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 25 Feb 2006 04:19:10 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k1P4JAWd011525;
	Sat, 25 Feb 2006 04:19:10 GMT
	(envelope-from nobody)
Message-Id: <200602250419.k1P4JAWd011525@www.freebsd.org>
Date: Sat, 25 Feb 2006 04:19:10 GMT
From: Vulpes Velox <v.velox@vvelox.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Adds in the ability to save ipfw rules to rc.d/ipfw and rc.d/ip6fw.
X-Send-Pr-Version: www-2.3

>Number:         93815
>Category:       conf
>Synopsis:       [patch] Adds in the ability to save ipfw rules to rc.d/ipfw and rc.d/ip6fw.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-rc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 25 04:20:03 GMT 2006
>Closed-Date:    
>Last-Modified:  Mon Oct 29 16:30:00 UTC 2012
>Originator:     Vulpes Velox
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD 5.4-STABLE #0: Sun Dec  4 02:26:56 CST 2005
kitsune@vixen42.vulpes:/usr/obj/usr/src/sys/vixen42-1          
>Description:
This allows ipfw rules to be saved. /var/db/ipfw is used for that. If a name for the save is not specified, last will be used.

They can be saved like this...
/etc/rc.d/ipfw save <name>

They can be recalled like this...
/etc/rc.d/ipfw restart <name>

Currently, firewall_type has to be set to last in rc.conf to start it with a save.
>How-To-Repeat:
              
>Fix:
--- rc.d_ipfw.patch begins here ---
18a19,29
> extra_commands="save"
> save_cmd="ipfw_save"
> 
> 
> #gets the name of the save to use
> if [ ! -z $2 ]; then
> 	savename="$2"
> 	usingsave="yes"
> else
> 	savename="last"
> fi
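Review bot: `$2` is unquoted in `[ ! -z $2 ]`, and `savename` is never validated before it becomes a path component under /var/db/ipfw and, in the later hunks, the name of a file that is sourced with `.` as root. Beyond quoting, restrict the name to a safe character set and reject `/` and leading dots before use, for example `case "$2" in .*|*[!A-Za-z0-9._-]*) err 1 "invalid save name";; esac` (`err` is the rc.subr helper that prints to stderr and exits non-zero).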
31a43,49
> ipfw_save()
> {
>         # Saves the firewall rules to /var/db/ipfw/$savename
> 	[ ! -d /var/db/ipfw ] && mkdir /var/db/ipfw && chmod go-rwx /var/db/ipfw
> 	ipfw list | awk '{print "${fwcmd} add " $0 }' > /var/db/ipfw/$savename
> }
> 
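Review bot: `mkdir /var/db/ipfw && chmod go-rwx /var/db/ipfw` leaves a window in which the directory exists with default permissions, and the save file itself is created under the caller's umask although it is executed as root on restart; create the directory with its mode in one step (`mkdir -m 0700 /var/db/ipfw` or `install -d -m 0700 /var/db/ipfw`) and write the file under a restrictive umask. Since the awk program is single-quoted, the file holds literal `${fwcmd} add ...` lines, i.e. shell code expanded at load time rather than data, which the `last` case in rc.firewall relies on and which deserves a comment. The redirection also truncates the previous save before `ipfw list` runs; write to a temporary file and rename it on success.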
33a52,59
> 	# Make sure the save file exists if one is specified
> 	if [ ! -z $usingsave ]; then
> 		if [ ! -f "/var/db/ipfw/$savename" ]; then
> 		    echo "Specified save does not exist"
> 		    exit 1
> 		fi
> 	fi
> 
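Review bot: the existence check only covers the start path, and it prints its message to stdout before `exit 1`; use rc.subr's `err 1 "Specified save does not exist"` so the message reaches stderr. The default name `last` is never checked (`usingsave` is only set when a name was given), so a `restart` before any `save` has been made gets past this check and fails later when rc.firewall sources the missing file.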
38c64
< 		. "${firewall_script}"
---
> 		. "${firewall_script}" $savename
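Review bot: passing `$savename` as an operand to the `.` builtin relies on non-standard behaviour (POSIX defines `.` with the file as its only operand, so whether rc.firewall sees the value as `$1` depends on the shell). Since rc.firewall is sourced into the same shell, it can simply read `${savename}` as set here, which also removes the `$1` handling added to rc.firewall.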
--- rc.d_ipfw.patch ends here ---

--- rc.firewall.patch begins here ---
--- /usr/src/etc/rc.firewall	Sun Nov  2 07:31:44 2003
+++ /etc/rc.firewall	Sun Feb 19 09:08:52 2006
@@ -143,6 +143,17 @@
 	setup_loopback
 	${fwcmd} add 65000 pass all from any to any
 	;;
+	
+[Ll][Aa][Ss][Tt])
+	# Gets the name of the save to use.
+	if [ ! -z $1 ]; then
+		savename="$1"
+	else
+		savename="last"
+	fi
+	
+	. /var/db/ipfw/$savename
+	;;
 
 [Cc][Ll][Ii][Ee][Nn][Tt])
 	############
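Review bot: `. /var/db/ipfw/$savename` sources the file as root with an unquoted, unvalidated name and without checking that it exists; if the file is missing (for instance firewall_type=last before any `save` has been made) the `.` fails and the non-interactive shell aborts the script at this point. Test `-r` on the quoted path first and report an explicit error, and take the directory from the same variable the rc.d script uses rather than hardcoding /var/db/ipfw in both places.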
--- rc.firewall.patch ends here ---

--- rc.d_ip6fw.patch begins here ---
17a18,27
> extra_commands="save"
> save_cmd="ipfw_save"
> 
> # Gets the name of the save to use.
> if [ ! -z $2 ]; then
> 	savename="$2"
> 	usingsave="yes"
> else
> 	savename="last"
> fi
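Review bot: same quoting and name-validation points as the matching hunk in rc.d/ipfw: `$2` is unquoted in `[ ! -z $2 ]`, and `savename` is used as a path component without any character-set check or rejection of `/`.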
31a42,48
> ipfw_save()
> {
> 	# Saves the firewall rules to /var/db/ipfw/$savename
> 	[ ! -d /var/db/ipfw ] && mkdir /var/db/ipfw && chmod go-rwx /var/db/ipfw
> 	ipfw list | awk '{print "${fwcmd} add " $0 }' > /var/db/ipfw/$savename.6
> }
> 
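Review bot: this saves the wrong ruleset with the wrong prefix for the IPv6 script: `ipfw list` lists the ipfw (IPv4) rules, not ip6fw's, and the line prefix is `${fwcmd} add` while rc.firewall6 builds its rules with `${fw6cmd}` (see its `add 65000 pass all` line in the rc.firewall6 patch), so unless `fwcmd` happens to be set in that script the prefix expands to nothing and the first word of each saved line is run as a command. Use the IPv6 firewall command for both the listing and the prefix.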
33a51,58
>         # Make sure the save file exists if one is specified.
> 	if [ ! -z $usingsave ]; then
> 		if [ ! -f "/var/db/ipfw/$savename.6" ]; then
> 			echo "Specified save does not exist"
> 			exit 1
> 		fi
> 	fi
> 												
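Review bot: as in rc.d/ipfw, prefer `err 1 "Specified save does not exist"` over `echo` followed by `exit 1`, and drop the whitespace-only line at the end of the hunk.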
42c67
< 		. "${ipv6_firewall_script}"
---
> 		. "${ipv6_firewall_script}" $savename
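Review bot: same `.`-operand portability point as in rc.d/ipfw; rc.firewall6 is sourced into this shell, so it can read `${savename}` directly instead of `$1`.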
--- rc.d_ip6fw.patch ends here ---

--- rc.firewall6.patch begins here ---
--- /usr/src/etc/rc.firewall6	Sun Dec  4 08:48:05 2005
+++ /etc/rc.firewall6	Sun Feb 19 09:13:20 2006
@@ -105,6 +105,17 @@
 	${fw6cmd} add 65000 pass all from any to any
 	;;
 
+[Ll][Aa][Ss][Tt])
+        # Gets the name of the save to use.
+	if [ ! -z $1 ]; then
+		savename="$1"
+	else
+		savename="last"
+	fi
+
+	. /var/db/ipfw/$savename.6
+	;;
+
 [Cc][Ll][Ii][Ee][Nn][Tt])
 	############
 	# This is a prototype setup that will protect your system somewhat
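Review bot: the same missing-file and quoting concerns as the rc.firewall hunk apply, plus a prefix mismatch: the saved `.6` file carries `${fwcmd} add`, but this script's own rules use `${fw6cmd}` (the line just above the hunk), so the sourced lines will not run the IPv6 firewall command.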
--- rc.firewall6.patch ends here ---

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Feb 25 06:39:16 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=93815 

From: Giorgos Keramidas <keramida@FreeBSD.org>
To: Vulpes Velox <v.velox@vvelox.net>
Cc: bug-followup@FreeBSD.org
Subject: Re: conf/93815: Adds in the ability to save ipfw rules to rc.d/ipfw and rc.d/ip6fw.
Date: Sun, 5 Mar 2006 04:54:55 +0200

 On 2006-02-25 04:19, Vulpes Velox <v.velox@vvelox.net> wrote:
 > This allows ipfw rules to be saved. /var/db/ipfw is used for that. If
 > a name for the save is not specified, last will be used.
 >
 > They can be saved like this...
 > /etc/rc.d/ipfw save <name>
 >
 > They can be recalled like this...
 > /etc/rc.d/ipfw restart <name>
 
 I feel a bit worried about allowing unquoted user-supplied names to a
 shell script and then using them as filenames.
 
 > --- rc.d_ipfw.patch begins here ---
 > 18a19,29
 > > extra_commands="save"
 > > save_cmd="ipfw_save"
 > >
 > >
 > > #gets the name of the save to use
 > > if [ ! -z $2 ]; then
 > > 	savename="$2"
 > > 	usingsave="yes"
 > > else
 > > 	savename="last"
 > > fi
 
 Please don't.  This should be written at least with a proper quote set
 around $2 like this:
 
     if [ -z "$2" ]; then
 	savename="last"
     else
 	savename="$2"
         usingsave="yes"
     fi
 
 > 31a43,49
 > > ipfw_save()
 > > {
 > >         # Saves the firewall rules to /var/db/ipfw/$savename
 > > 	[ ! -d /var/db/ipfw ] && mkdir /var/db/ipfw && chmod go-rwx /var/db/ipfw
 > > 	ipfw list | awk '{print "${fwcmd} add " $0 }' > /var/db/ipfw/$savename
 > > }
 
 The style sucks a bit here, but it's mostly ok.  I'd probably avoid
 constructs that have the potential to end up using really-very-long
 lines, like cmd && cmd && cmd a bit and make the directory of the saved
 firewalls tunable through rc.conf:
 
     ipfw_save()
     {
         # set the firewall save directory if none was specified
         [ -z "${firewall_savedir}" ] && firewall_savedir=/var/db/ipfw
 
 	if [ ! -d "${firewall_savedir}" ]; then
 	    mkdir -p "${firewall_savedir}" || return 1
 	fi
 
         ipfw list | sed -e 's/^/add /' > "${firewall_savedir}/${savename}"
     }
 
 Also, in my opinion, loading saved rulesets shouldn't be overloaded with
 the special 'last' savename, but supported by a similar ipfw_load()
 function.  Then 'last' could be used as a valid savename too :)
 

From: Vulpes Velox <v.velox@vvelox.net>
To: Giorgos Keramidas <keramida@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: conf/93815: Adds in the ability to save ipfw rules to rc.d/ipfw
 and rc.d/ip6fw.
Date: Wed, 8 Mar 2006 22:23:21 -0600

 On Sun, 5 Mar 2006 04:54:55 +0200
 Giorgos Keramidas <keramida@FreeBSD.org> wrote:
 
 > On 2006-02-25 04:19, Vulpes Velox <v.velox@vvelox.net> wrote:
 > > This allows ipfw rules to be saved. /var/db/ipfw is used for
 > > that. If a name for the save is not specified, last will be used.
 > >
 > > They can be saved like this...
 > > /etc/rc.d/ipfw save <name>
 > >
 > > They can be recalled like this...
 > > /etc/rc.d/ipfw restart <name>
 > 
 > I feel a bit worried about allowing unquoted user-supplied names to
 > a shell script and then using them as filenames.
 > 
 > > --- rc.d_ipfw.patch begins here ---
 > > 18a19,29
 > > > extra_commands="save"
 > > > save_cmd="ipfw_save"
 > > >
 > > >
 > > > #gets the name of the save to use
 > > > if [ ! -z $2 ]; then
 > > > 	savename="$2"
 > > > 	usingsave="yes"
 > > > else
 > > > 	savename="last"
 > > > fi
 
 Cool. Fixed.
  
 > Please don't.  This should be written at least with a proper quote
 > set around $2 like this:
 > 
 >     if [ -z "$2" ]; then
 > 	savename="last"
 >     else
 > 	savename="$2"
 >         usingsave="yes"
 >     fi
 > 
 > > 31a43,49
 > > > ipfw_save()
 > > > {
 > > >         # Saves the firewall rules to /var/db/ipfw/$savename
 > > > 	[ ! -d /var/db/ipfw ] && mkdir /var/db/ipfw && chmod
 > > > go-rwx /var/db/ipfw ipfw list | awk '{print "${fwcmd} add "
 > > > $0 }' > /var/db/ipfw/$savename }
 > 
 > The style sucks a bit here, but it's mostly ok.  I'd probably avoid
 > constructs that have the potential to end up using really-very-long
 > lines, like cmd && cmd && cmd a bit and make the directory of the
 > saved firewalls tunable through rc.conf:
 > 
 >     ipfw_save()
 >     {
 >         # set the firewall save directory if none was specified
 >         [ -z "${firewall_savedir}" ] &&
 > firewall_savedir=/var/db/ipfw
 > 
 > 	if [ ! -d "${firewall_savedir}" ]; then
 > 	    mkdir -p "${firewall_savedir}" || return 1
 > 	fi
 > 
 >         ipfw list | sed -e 's/^/add /' >
 > "${firewall_savedir}/${savename}" }
 
 Cool. I like that idea for the savedir. I am somewhat mixed
 about making it longer, but I see the point in making it more
 readable though.
 
 > Also, in my opinion, loading saved rulesets shouldn't be overloaded
 > with the special 'last' savename, but supported by a similar
 > ipfw_load() function.  Then 'last' could be used as a valid
 > savename too :)
 > 
 
 True. It can just be thrown in /etc/defaults/rc.conf.
 
 
 I will have the new patch set pr submitted tomorrow.

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Vulpes Velox <v.velox@vvelox.net>
Cc: bug-followup@FreeBSD.org
Subject: Re: conf/93815: Adds in the ability to save ipfw rules to rc.d/ipfw and rc.d/ip6fw.
Date: Thu, 9 Mar 2006 14:16:37 +0200

 On 2006-03-08 22:23, Vulpes Velox <v.velox@vvelox.net> wrote:
 > Cool. I like that idea for the savedir. I am somewhat mixed
 > about making it longer, but I see the point in making it more
 > readable though.
 > [...]
 > I will have the new patch set pr submitted tomorrow.
 
 Note that the patch still has to be reviewed by one of our rc.d experts,
 but thank you for considering to make the changes to match some of my
 suggestions.  Keep the good work up :)))
 

From: Vulpes Velox <v.velox@vvelox.net>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: bug-followup@FreeBSD.org
Subject: Re: conf/93815: Adds in the ability to save ipfw rules to rc.d/ipfw
 and rc.d/ip6fw.
Date: Sun, 12 Mar 2006 00:47:33 -0600

 
 On Thu, 9 Mar 2006 14:16:37 +0200
 Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
 
 > On 2006-03-08 22:23, Vulpes Velox <v.velox@vvelox.net> wrote:
 > > Cool. I like that idea for the savedir. I am somewhat mixed
 > > about making it longer, but I see the point in making it more
 > > readable though.
 > > [...]
 > > I will have the new patch set pr submitted tomorrow.
 > 
 > Note that the patch still has to be reviewed by one of our rc.d
 > experts, but thank you for considering to make the changes to match
 > some of my suggestions.  Keep the good work up :)))
 > 
 
 Made a few more changes. I just got to thinking about the idea of
 eliminating rc.firewall and rc.firewall6 entirely. Will be sending in another patch set shortly.
 
 This set includes load and unload. This will load or unload a set of
 rules. This will unload or load a save, without flushing.  I have
 also added a new variable, fwcmd2. This is like fwcmd in rc.firewall,
 but has add/delete added to it depending on what it is doing.
 
 
 
 BTW is there any good reason this is included in
 rc.firewall/rc.firewall6 instead of ipfw/ip6fw?
 
 ############
 # Set quiet mode if requested
 #
 case ${firewall_quiet} in
 [Yy][Ee][Ss])
         fwcmd="/sbin/ipfw -q"
         ;;
 *)
         fwcmd="/sbin/ipfw"
         ;;
 esac
 
 
 I see there being no problem moving that into ipfw.
 --- ip6fw.diff begins here ---
 
 18,29d17
 < extra_commands="save load unload"
 < save_cmd="ipfw_save"
 < load_cmd="ipfw_load"
 < unload_cmd="ipfw_unload"
 < 
 < # Gets the name of the save to use.
 < if [ ! -z "$2" ]; then
 < 	savename="$2"
 < 	usingsave="yes"
 < else
 < 	savename="last"
 < fi
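Review bot: the diff direction is reversed: every hunk is a `d` or `c` whose `<` lines are the new code (this one deletes lines 18-29 of the modified file to reach line 17 of the original), so `patch(1)` applied as-is would remove the feature rather than add it. Regenerate all four attachments as `diff -u original modified`. Quoting `$2` addresses the earlier review point, but the name is still not restricted to a safe character set before it is used as a path.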
 44,82d31
 < ipfw_save()
 < {
 < 	# Saves the firewall rules to /var/db/ipfw/$savename
 < 	[ ! -d /var/db/ipfw ] && mkdir /var/db/ipfw && chmod go-rwx /var/db/ipfw
 < 	ipfw list | awk '{print "${fw6cmd2} " $0 }' > /var/db/ipfw/$savename.6
 < }
 < 
 < ipfw_load()
 < {
 < 
 <     # Set quiet mode if requested
 <     case ${firewall_quiet} in
 <     [Yy][Ee][Ss])
 <         fwcmd2="/sbin/ipfw -q add"
 <         ;;
 <     *)
 <         fwcmd2="/sbin/ipfw add"
 <         ;;
 <     esac
 < 
 <     . /var/db/ipfw/$savename.6
 < }
 < 
 < ipfw_unload()
 < {
 < 
 <     # Set quiet mode if requested
 <     case ${firewall_quiet} in
 <     [Yy][Ee][Ss])
 <         fwcmd2="/sbin/ipfw -q delete"
 <         ;;
 <     *)
 <         fwcmd2="/sbin/ipfw delete"
 <         ;;
 <     esac
 < 
 <     . /var/db/ipfw/$savename.6
 < }
 < 
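Review bot: the save file is written with a `${fw6cmd2}` prefix (`awk '{print "${fw6cmd2} " $0 }'`), but ipfw_load and ipfw_unload set `fwcmd2`, so the prefix expands to empty when the file is sourced and each line runs its rule number as a command. Both helpers also call `/sbin/ipfw` rather than the IPv6 firewall, and ipfw_unload sources lines of the form `delete 00100 allow ip ...` although `delete` takes rule numbers only; keep just the first field for the delete path, and note that deleting by number removes every rule sharing that number, not only the saved ones. The quiet-mode `case` is duplicated verbatim in the two functions; set the base command once and append `add` or `delete`.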
 85,92d33
 < 	# Make sure the save file exists if one is specified.
 < 	if [ ! -z "$usingsave" ]; then
 < 		if [ ! -f "/var/db/ipfw/$savename.6" ]; then
 < 			echo "Specified save does not exist"
 < 			exit 1
 < 		fi
 < 	fi
 < 												
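Review bot: the existence check still guards only the start path, while ipfw_load and ipfw_unload in the previous hunk source `/var/db/ipfw/$savename.6` unconditionally; move the check into a helper all three call and report it with `err 1 "..."` rather than `echo` and `exit 1`.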
 101c42
 < 		. "${ipv6_firewall_script}" $savename
 ---
 > 		. "${ipv6_firewall_script}"
 
 --- ip6fw.diff ends here ---
 
 --- ipfw.diff begins here ---
 
 19,30d18
 < extra_commands="save load unload"
 < save_cmd="ipfw_save"
 < load_cmd="ipfw_load"
 < unload_cmd="ipfw_unload"
 < 
 < #gets the name of the save to use
 < if [ ! -z "$2" ]; then
 < 	savename="$2"
 < 	usingsave="yes"
 < else
 < 	savename="last"
 < fi
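Review bot: `$2` is now quoted, but the name is still used as a path component under /var/db/ipfw without being restricted; a `case` pattern that rejects `/`, a leading `.` and any character outside `[A-Za-z0-9._-]` should run before `savename` is assigned.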
 44,82d31
 < ipfw_save()
 < {
 <       # Saves the firewall rules to /var/db/ipfw/$savename
 < 	[ ! -d /var/db/ipfw ] && mkdir /var/db/ipfw && chmod go-rwx /var/db/ipfw
 < 	ipfw list | awk '{print "${fwcmd2} " $0 }' > /var/db/ipfw/$savename
 < }
 < 
 < ipfw_load()
 < {
 < 
 <     # Set quiet mode if requested
 <     case ${firewall_quiet} in
 <     [Yy][Ee][Ss])
 < 	fwcmd2="/sbin/ipfw -q add"
 < 	;;
 <     *)
 < 	fwcmd2="/sbin/ipfw add"
 < 	;;
 <     esac
 < 
 <     . /var/db/ipfw/$savename
 < }
 < 
 < ipfw_unload()
 < {
 < 
 <     # Set quiet mode if requested
 <     case ${firewall_quiet} in
 <     [Yy][Ee][Ss])
 < 	fwcmd2="/sbin/ipfw -q delete"
 < 	;;
 <     *)
 < 	fwcmd2="/sbin/ipfw delete"
 < 	;;
 <     esac
 < 
 <     . /var/db/ipfw/$savename
 < }
 < 
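Review bot: ipfw_unload will not work as written: the saved lines expand to `/sbin/ipfw delete 00100 allow ip from any to any ...`, and `delete` takes rule numbers, not rule bodies, so reduce each line to its first field for the delete path, and bear in mind that deleting by number removes every rule with that number, including ones not from the save. The quiet-mode `case` is duplicated in both functions; rc.firewall.diff already derives `fwcmd2="${fwcmd} add"` from the existing `fwcmd`, and the rc.d script could do the same. The redirection in ipfw_save still truncates the previous save before `ipfw list` runs; write to a temporary file and rename on success.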
 85,92d33
 < 	# Make sure the save file exists if one is specified
 < 	if [ ! -z "$usingsave" ]; then
 < 		if [ ! -f "/var/db/ipfw/$savename" ]; then
 < 		    echo "Specified save does not exist"
 < 		    exit 1
 < 		fi
 < 	fi
 < 
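Review bot: as in the ip6fw attachment, this check only covers start, while ipfw_load and ipfw_unload source `/var/db/ipfw/$savename` without verifying it exists; move the check into a helper used by all three and emit it via `err 1`.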
 97c38
 < 		. "${firewall_script}" $savename
 ---
 > 		. "${firewall_script}"
 
 --- ipfw.diff ends here ---
 
 --- rc.firewall.diff begins here ---
 
 146,158d145
 < 	
 < [Ss][Aa][Vv][Ee])
 < 	# Gets the name of the save to use.
 < 	if [ ! -z "$1" ]; then
 < 		savename="$1"
 < 	else
 < 		savename="last"
 < 	fi
 < 	
 < 	fwcmd2="${fwcmd} add"
 < 	
 < 	. /var/db/ipfw/$savename
 < 	;;
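Review bot: the case label changed from `last` to `save`, so rc.conf now needs `firewall_type="save"`, while the PR description and the earlier patches say `last`; the description and the firewall_type entry in rc.conf(5) should be updated to match. The `. /var/db/ipfw/$savename` line still has no existence check and hardcodes the directory; reuse the rc.d script's check and directory variable here.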
 
 --- rc.firewall.diff ends here ---
 
 --- rc.firewall6.diff begins here ---
 
 108,120d107
 < [Ss][Aa][Vv][Ee])
 <       # Gets the name of the save to use.
 < 	if [ ! -z "$1" ]; then
 < 		savename="$1"
 < 	else
 < 		savename="last"
 < 	fi
 < 
 < 	fw6cmd2="${fw6cmd} add"
 < 
 < 	. /var/db/ipfw/$savename.6
 < 	;;
 < 
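Review bot: `fw6cmd2="${fw6cmd} add"` matches the `${fw6cmd2}` prefix written by ipfw_save in ip6fw.diff, which makes the rc.firewall6 `save` path consistent, but rc.d/ip6fw's own ipfw_load and ipfw_unload set `fwcmd2` instead; pick one variable name for the IPv6 path. The same missing-file check and documentation points as for rc.firewall.diff apply, and the trailing blank line at the end of the hunk should go.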
 
 --- rc.firewall6.diff ends here ---
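The following is an added example, not code from this PR or from FreeBSD's rc.d scripts. It shows one way to address the points raised in the thread: Giorgos Keramidas' concern about unquoted user-supplied names being used as filenames, his suggestions of a tunable save directory and a separate load command instead of overloading the `last` name, and the load/unload functions in the attachments above. The save name is treated as untrusted input, the directory is created with its mode fixed at creation, the output of `ipfw list` is stored as data and replayed one rule at a time rather than sourced as shell code, and unload deletes by rule number only. `IPFW` and `FIREWALL_SAVEDIR` are assumed names for the firewall command and the save directory (overridable so the functions can be exercised without root or a real firewall); `valid_savename`, `savefile_path`, `ensure_savedir`, `ipfw_save_rules`, `ipfw_load_rules`, `ipfw_unload_rules` and `_replay_save` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not part of the PR or of FreeBSD's rc.d/ipfw): handle a
# user-supplied save name as untrusted input, and replay saved rules as data
# instead of sourcing the save file as shell code.

# Assumed names: IPFW is the firewall command, FIREWALL_SAVEDIR the save
# directory (default as suggested in the thread). Both can be overridden.
: "${IPFW:=/sbin/ipfw}"
: "${FIREWALL_SAVEDIR:=/var/db/ipfw}"

# Accept only names built from [A-Za-z0-9._-] that do not start with a dot:
# no empty names, no "/" (the name cannot leave the save directory), no ".."
# and no hidden files.
valid_savename() {
    case "$1" in
        "" | .* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the full path of a save file, or fail if the name is unacceptable.
savefile_path() {
    valid_savename "$1" || return 1
    printf '%s/%s\n' "${FIREWALL_SAVEDIR}" "$1"
}

# Create the save directory with its mode set at creation time, so there is
# no window in which it exists with default permissions (unlike mkdir
# followed by chmod).
ensure_savedir() {
    [ -d "${FIREWALL_SAVEDIR}" ] || mkdir -p -m 0700 "${FIREWALL_SAVEDIR}"
}

# Save: store the output of "ipfw list" verbatim (rule number and rule body
# per line). No command prefix is stored, so the file is data and is never
# executed. Write to a temporary file first so a failed listing does not
# truncate the previous save; the umask keeps the file owner-only.
ipfw_save_rules() {
    file=$(savefile_path "$1") || { echo "invalid save name: '$1'" >&2; return 1; }
    ensure_savedir || return 1
    (umask 077 && "${IPFW}" list > "${file}.tmp") || { rm -f "${file}.tmp"; return 1; }
    mv "${file}.tmp" "${file}"
}

# Shared half of load/unload: resolve and check the file, then hand each
# saved line to the firewall command. Prints the number of rules processed.
_replay_save() {
    action=$1
    file=$(savefile_path "$2") || { echo "invalid save name: '$2'" >&2; return 1; }
    [ -r "${file}" ] || { echo "no saved rule set named '$2'" >&2; return 1; }
    count=0
    set -f   # no pathname expansion while the rule text is word-split below
    while IFS= read -r rule; do
        [ -n "${rule}" ] || continue
        if [ "${action}" = add ]; then
            # shellcheck disable=SC2086 -- splitting the rule into words is intended
            "${IPFW}" add ${rule} || { set +f; return 1; }
        else
            # "ipfw delete" takes rule numbers, not rule bodies: use the first
            # field only. Caveat: this removes every rule sharing that number.
            "${IPFW}" delete "${rule%% *}" || { set +f; return 1; }
        fi
        count=$((count + 1))
    done < "${file}"
    set +f
    echo "${count}"
}

ipfw_load_rules()   { _replay_save add "$1"; }
ipfw_unload_rules() { _replay_save delete "$1"; }
```

Because the saved file is never sourced, a name that slips past validation can at worst name a file whose lines are passed to `ipfw add` or `ipfw delete` as arguments, not executed as shell. The functions return a non-zero status on a bad name or a missing save, so an rc.d wrapper can turn that into `err 1 "..."` without further checks.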

From: Chris Rees <utisoft@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: conf/93815 Adding save and reload ability to ipfw
Date: Mon, 29 Oct 2012 16:21:46 +0000

 Nowadays we have much simpler firewall scripts.
 
 http://www.bayofrum.net/~crees/patches/firewall-saved-rulesets.diff
 
 What does everyone think about this?
 
 Chris
>Unformatted:
