Subject: Re: admin script for ipfilter
To: Darren Reed <>
From: Bill Studenmund <>
List: tech-userlevel
Date: 01/09/2007 20:02:03

On Thu, Dec 28, 2006 at 01:59:08PM +0000, Darren Reed wrote:
> On Thu, Dec 28, 2006 at 12:56:45AM +0100, Hubert Feyrer wrote:
> > The question coming to my mind would be "what's wrong with putting
> > ipfilter=yes into /etc/rc.conf" - what is it?
> How do you script it?
> But really, you need to know:
> a) which file to edit
> b) how to edit it correctly
> c) know if nobody else is editing it at the same time
> ...
> To old timers, sure, "edit /etc/rc.conf" seems easy.
> But there are lots of complications and I ask you this,
> is asking someone to edit a file in order to enable a
> service the easiest we can make it?
> Why can't it be easier?
> Why can't we make it that you can just run some command
> line tool and that takes care of all of the above complications
> for you ?

How hard would it be to write a tool that will parse rc.conf for editing
and edit it?

For a given service, we know what variables should be in rc.conf
(service=FOO and service_BAR=BAZ). So stripping them out is easy, and
adding them is easy too.

The idea I have is a tool that would be given a new service flag
(service=FOO). It then:

*) does some locking to say, "Leave the file alone"
*) Looks for lines starting with "service=" and "service_". It will then
	remove them from rc.conf, remembering any service_ lines. If there
	was a blank line before any of them, it is deleted too.
*) Append a blank line, the new service=FOO line, and any removed
	service_ lines to the end of the file.
*) Unlock the file.

We have enough structure with rc.conf that this will work, permitting a
program to update the file.

The one cool feature I could see would be some sort of block marker that
includes the service name. "#service block start" and "#service block
end". The idea with them, whatever they end up being, is that they
delineate a block of the file that gets moved around as part of the
automagic processing. So if you have a comment explaining something about
the variables, it stays with the variables even when the automatic
processing happens.

Another option, of course, is something that just replaces a service=FOO
line if it exists and appends if it doesn't.

Take care,
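One way to implement the lock / strip / append procedure sketched in the mail above. This is an added example, not code from the mail or from NetBSD; it assumes a POSIX sh, awk and mktemp, and the function name rcconf_set is made up here.

```shell
#!/bin/sh
# rcconf_set FILE SERVICE VALUE
# Example (not from the mail): rcconf_set /etc/rc.conf ipfilter YES
rcconf_set() {
    file=$1 svc=$2 val=$3
    lock="$file.lock"
    # mkdir is atomic, so it doubles as the "leave the file alone" lock.
    mkdir "$lock" 2>/dev/null || { echo "$file is locked" >&2; return 1; }
    tmp=$(mktemp "$file.XXXXXX") || { rmdir "$lock"; return 1; }
    kept=$(mktemp "$file.XXXXXX") || { rm -f "$tmp"; rmdir "$lock"; return 1; }

    # Pass 1: copy the file, dropping every line that starts with
    # "svc=" or "svc_", remembering the svc_ lines in $kept, and
    # deleting one blank line that directly precedes a dropped line.
    awk -v svc="$svc" -v kept="$kept" '
        index($0, svc "=") == 1 || index($0, svc "_") == 1 {
            if (nblank > 0) nblank--           # drop the blank before it
            if (index($0, svc "_") == 1) print > kept
            next
        }
        $0 == "" { nblank++; next }            # hold blanks until decided
        { while (nblank > 0) { print ""; nblank-- }; print }
        END { while (nblank > 0) { print ""; nblank-- } }
    ' "$file" > "$tmp"

    # Pass 2: append a blank line, the new setting and the remembered
    # svc_ lines, then write back in place so mode and owner survive
    # (the lock, not an atomic rename, protects against concurrent edits).
    { printf '\n%s=%s\n' "$svc" "$val"; cat "$kept"; } >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp" "$kept"
    rmdir "$lock"
}
```

Running it twice for the same service replaces the earlier setting rather than duplicating it, which covers the simpler "replace if present, append otherwise" variant from the last paragraph as well.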
