On Sat, Jul 15, 2006 at 08:27:32PM +0300, Soner Tari wrote:
> > Have your cron job copy the current anchor rules to pf-current.conf,
> > then add pfctl -f pf-current.conf to rc.local.
>
> Thank you for the reply (and Gaby too). But I am not sure if this would
> be an elegant workaround. Because by chance there may be cron jobs
> scheduled to run exactly during downtime, and I would miss them. This is
> still true no matter how small the chances are.
well, since rc.local is sourced right before the 'standard daemons:'
echo in /etc/rc, which is itself above where cron is started, it may
be entirely feasible to use rc.local for this.
perhaps create a system by which you somehow drop a file into somewhere
in var which describes what time-based anchor/ruleset you're using - you
could populate that file either upon each instance of it changing via
cron, or also in /etc/rc.shutdown (or both).
then in rc.local, have it look for that file; if it finds it, it loads
the appropriate pf ruleset pertaining to whatever time period the
file indicates the host was in when it last updated that file.
i don't know if this will inspire or help at all, but here is what i use
to make some of my pf tables persist through reboots. basically it
tries to save/populate any table which i have named without an initial
underscore -- if i have tables i don't want to persist through reboots,
my convention is to name them with an initial underscore:
-[rc.shutdown]--------
TABLE_STATE_DIR=/var/db/pftablestate
if [ -w "${TABLE_STATE_DIR}" ] && [ -d "${TABLE_STATE_DIR}" ]; then
    echo "writing contents of pf tables:"
    # ksh(1) accepts { ... } in place of do ... done for a loop body
    for table in $(pfctl -sT); {
        # don't keep state for tables starting
        # with an underscore
        if [[ "${table}" = _* ]]; then
            continue
        # only be concerned with nonempty tables
        elif [ $(pfctl -t "${table}" -Ts | wc -l) -gt 0 ]; then
            echo -n "\t${table} "
            pfctl -t "${table}" -Ts > "${TABLE_STATE_DIR}/${table}"
        fi
    };
    unset table
    echo "done."
fi
unset TABLE_STATE_DIR
----------------------
-[rc.local]-----------
TABLE_STATE_DIR=/var/db/pftablestate
if [ -w "${TABLE_STATE_DIR}" ] && [ -d "${TABLE_STATE_DIR}" ]; then
    echo "restoring contents of pf tables:"
    for table in $(pfctl -sT); {
        # don't keep state for tables starting
        # with an underscore
        if [[ "${table}" = _* ]]; then
            continue
        # only be concerned with nonempty tables
        elif [ -r "${TABLE_STATE_DIR}/${table}" ] && \
             [ $(wc -l < "${TABLE_STATE_DIR}/${table}") -gt 0 ]; then
            echo -n "\t${table} "
            # feed the saved addresses back to pfctl on one command line,
            # then drop the state file so a stale copy is never reloaded
            pfctl -t "${table}" -Ta $(<"${TABLE_STATE_DIR}/${table}") && \
                rm -- "${TABLE_STATE_DIR}/${table}"
        fi
    };
    unset table
    echo "done."
fi
unset TABLE_STATE_DIR
----------------------
--
jared
[ openbsd 3.9-current GENERIC ( jun 22 ) // i386 ]
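The marker-file idea from the reply above (cron records which time-based ruleset is active, rc.local reads it back after a reboot) as a worked script; this is an added example, not jared's code or anything shipped with OpenBSD. It assumes one ruleset file per period under /etc/pf.d loaded into an anchor named "timed", a marker at /var/db/pf-period, and that each cron boundary runs ". /etc/pf-period.sh && switch_period <name>"; the marker is treated as untrusted input, and a known fallback period is loaded when it is missing or fails validation.

```shell
#!/bin/sh
# Added example, not from the original post. Paths, the anchor name and
# the pfctl binary are overridable so the logic can be exercised without pf.
PFCTL=${PFCTL:-pfctl}
RULES_DIR=${RULES_DIR:-/etc/pf.d}
STATE_FILE=${STATE_FILE:-/var/db/pf-period}
ANCHOR=${ANCHOR:-timed}
FALLBACK=${FALLBACK:-night}   # loaded when no usable marker exists

# A period name may only contain [A-Za-z0-9_-]; anything else (empty,
# "../x", a name with spaces) is rejected before it becomes part of a path.
valid_period() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ -r "$RULES_DIR/$1.conf" ]
}

# Load the ruleset for a period into the anchor; fails if the file is
# missing or pfctl rejects it, so a bad period is never recorded as live.
load_period() {
    valid_period "$1" || return 1
    "$PFCTL" -a "$ANCHOR" -f "$RULES_DIR/$1.conf"
}

# cron side: activate period $1 and record it. Write-then-rename keeps the
# marker either old or new, never truncated, if the host dies mid-write.
switch_period() {
    load_period "$1" || return 1
    printf '%s\n' "$1" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# rc.local side: reload the recorded period, or the fallback when the marker
# is absent or fails validation. Prints the period that was loaded.
restore_period() {
    recorded=
    if [ -r "$STATE_FILE" ]; then
        read -r recorded < "$STATE_FILE" || recorded=
    fi
    if valid_period "$recorded"; then
        period=$recorded
    else
        period=$FALLBACK
    fi
    load_period "$period" || return 1
    echo "$period"
}
```

This does not solve the "boundary passed while the host was down" worry by itself; the calling cron job decides the period, so a boot-time check of the clock still belongs in rc.local if that matters.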