Unix Technical Forum

Re: time-based pf rules in crontab do not survive a reboot (naturally)?

Posted 02-18-2008, 05:46 AM by Soner Tari

Thanks jared and others for your replies. I'll try all of your
suggestions.

However, if you agree with me, I get the feeling that all of these are
inelegant workarounds compared to the ideal solution: time support in pf
(similar to perhaps iptables). I've read the replies from developers to
a similar question a few months back, and they were not interested in
adding such support in pf. I am sure there are other priorities for
them, and it's totally OK with me.

But time rules are important for me, so ultimately I'd like to achieve
the correct solution, if I can (which is the OpenBSD way after all).
Therefore, I am even willing to play with the pf source code to add time
support just for packet filtering rules. I am sure, if it were so easy,
we would probably have it by now. So, before I attempt it myself, do you
guys think it is too difficult?

Or perhaps, the developers have changed their minds, and there is
already some development effort to add such support. May I ask if that's
the case, hopefully?

Thanks,

On Sat, 2006-07-15 at 15:36 -0400, jared r r spiegel wrote:
> On Sat, Jul 15, 2006 at 08:27:32PM +0300, Soner Tari wrote:
> > > Have your cron job copy the current anchor rules to pf-current.conf,
> > > then add pfctl -f pf-current.conf to rc.local.
> >
> >
> > Thank you for the reply (and Gaby too). But I am not sure if this would
> > be an elegant workaround. Because by chance there may be cron jobs
> > scheduled to run exactly during downtime, and I would miss them. This is
> > still true no matter how small the chances are.
>
>
> well, since rc.local is sourced right before the 'standard daemons:'
> echo in /etc/rc, which is itself above when cron is started, it may
> be entirely feasible to use rc.local for this.
>
> perhaps create a system by which you somehow drop a file into somewhere
> in var which describes what time-based anchor/ruleset you're using - you
> could populate that file either upon each instance of it changing via
> cron, or also in /etc/rc.shutdown (or both).
>
> then in rc.local, have it look for that file, if it finds it, it will
> load the appropriate pf ruleset pertaining to whatever time period the
> file indicates the host was in when it last updated that file.
>
> i don't know if this will inspire or help at all, but here is what i use
> to make some of my pf tables persist through reboots. basically it
> tries to save/populate any table which i have named without an initial
> underscore -- if i have tables i don't want to persist through reboots,
> my convention is to name them with an initial underscore:
>
> -[rc.shutdown]--------
> TABLE_STATE_DIR=/var/db/pftablestate
> if [ -w "${TABLE_STATE_DIR}" ] && [ -d "${TABLE_STATE_DIR}" ]; then
>     echo "writing contents of pf tables:"
>     for table in $(pfctl -sT); {
>         # don't keep state for tables starting
>         # with an underscore
>         if [[ "${table}" = _* ]]; then
>             continue
>         # only be concerned with nonempty tables
>         elif [ $(pfctl -t "${table}" -Ts | wc -l) -gt 0 ]; then
>             echo -n "\t${table} "
>             pfctl -t "${table}" -Ts > "${TABLE_STATE_DIR}/${table}"
>         fi
>     };
>     unset table
>     echo "done."
> fi
> unset TABLE_STATE_DIR
> ----------------------
>
> -[rc.local]-----------
> TABLE_STATE_DIR=/var/db/pftablestate
> if [ -w "${TABLE_STATE_DIR}" ] && [ -d "${TABLE_STATE_DIR}" ]; then
>     echo "restoring contents of pf tables:"
>     for table in $(pfctl -sT); {
>         # don't keep state for tables starting
>         # with an underscore
>         if [[ "${table}" = _* ]]; then
>             continue
>         # only be concerned with nonempty tables
>         elif [ -r "${TABLE_STATE_DIR}/${table}" ] && \
>              [ $(wc -l < "${TABLE_STATE_DIR}/${table}") -gt 0 ]; then
>             echo -n "\t${table} "
>             pfctl -t "${table}" -Ta $(<"${TABLE_STATE_DIR}/${table}") && \
>                 rm -- "${TABLE_STATE_DIR}/${table}"
>         fi
>     };
>     unset table
>     echo "done."
> fi
> unset TABLE_STATE_DIR
> ----------------------


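As an added example (not code from this thread, from jared, or from OpenBSD itself), here is one way to turn jared's "state file in /var plus rc.local" idea into a single script that both the hourly cron job and rc.local run. Rather than replaying whichever cron run was missed during downtime, it recomputes the wanted period from the wall clock on every invocation, so a reboot at any moment converges to the correct anchor. The state directory, the anchor name `timed`, the layout `/etc/pf.anchors/time-<period>.conf` and the two-period office/night schedule are assumptions for illustration; the only real pfctl invocation used is `pfctl -a <anchor> -f <file>`, which replaces the rules in that anchor.

```shell
#!/bin/sh
# Added example, not from the thread: keep a pf anchor's ruleset in sync
# with a time-of-day schedule. Invoked from cron ("apply") and from
# rc.local ("boot"). All paths and names below are illustrative assumptions.

STATE_DIR=${STATE_DIR:-/var/db/pftime}      # assumed: where the last period is recorded
ANCHOR_DIR=${ANCHOR_DIR:-/etc/pf.anchors}   # assumed: holds time-<period>.conf files
ANCHOR=${ANCHOR:-timed}                     # assumed anchor name, declared in pf.conf
PFCTL=${PFCTL:-pfctl}                       # overridable for dry runs

# period_for_hour HH -> prints the period name for hour HH (00..23).
# Assumed schedule: 09:00-17:59 is "office", everything else is "night".
period_for_hour() {
    case "$1" in
        [0-9]|[01][0-9]|2[0-3]) ;;
        *) echo "period_for_hour: bad hour '$1'" >&2; return 1 ;;
    esac
    h=${1#0}                                # strip a leading zero so [ ] compares decimally
    if [ "$h" -ge 9 ] && [ "$h" -le 17 ]; then
        echo office
    else
        echo night
    fi
}

# current_period -> the period recorded by the last successful load, or empty.
current_period() {
    if [ -r "$STATE_DIR/period" ]; then
        cat "$STATE_DIR/period"
    fi
}

# load_period NAME -> load time-NAME.conf into the anchor (pfctl -a ... -f
# replaces the anchor's rules) and record NAME on success.
load_period() {
    conf="$ANCHOR_DIR/time-$1.conf"
    [ -r "$conf" ] || { echo "load_period: missing $conf" >&2; return 1; }
    "$PFCTL" -a "$ANCHOR" -f "$conf" || return 1
    mkdir -p "$STATE_DIR" && printf '%s\n' "$1" > "$STATE_DIR/period"
}

# apply_for_hour HH [force] -> make the loaded anchor match the period for HH.
# Prints "unchanged NAME" or "loaded NAME". Because the period comes from the
# clock rather than from a replayed schedule, a cron run missed while the box
# was down does not matter: the next run converges anyway. "force" is for boot,
# when the state file may still name the right period although pf has just
# been loaded from pf.conf and the anchor is empty.
apply_for_hour() {
    want=$(period_for_hour "$1") || return 1
    if [ "${2:-}" != force ] && [ "$(current_period)" = "$want" ]; then
        echo "unchanged $want"
        return 0
    fi
    load_period "$want" && echo "loaded $want"
}

case "${1:-}" in
    apply) apply_for_hour "$(date +%H)" ;;          # e.g. "0 * * * * sh /etc/pftime.sh apply" in root's crontab
    boot)  apply_for_hour "$(date +%H)" force ;;    # "sh /etc/pftime.sh boot" in /etc/rc.local
esac
```

pf.conf still needs a matching `anchor timed` line at the point where the time-dependent rules belong; the anchor's contents are not part of pf.conf, which is why the boot mode forces a load even when the state file claims nothing changed. Set `PFCTL`, `STATE_DIR` and `ANCHOR_DIR` in the environment to rehearse the logic without touching the live ruleset.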