Sometimes it is convenient to ignore errors when loading a ruleset from a file. For example, if standalone rules must be replaced (or added if they do not exist yet) in a definite order. To replace existing rules we must issue a sequence of 'delete' and 'add' commands. If for some reason the target rule doesn't exist (temporarily or mistakenly removed, not generated due to a bug in the script on a previous attempt, etc.), ruleset loading stops. Another case: when we need to re-apply a subset of rules without a 'flush' of the entire ruleset. Running 'ipfw' multiple times (one call for each rule) is not good for system performance.

Also, there is an inconvenience inside 'ipfw.c': many functions call 'errx()' when they find some error instead of reporting an error status to the caller. This makes the implementation of an 'ignore errors' mode somewhat difficult.

Fix:

The attached patch adds an '-i' switch to the ipfw command, which turns ipfw into 'ignore errors' mode. In this mode any syntax error in a rule causes 'ipfw' to abort processing of the current rule and start processing the next one. The '-i' switch can be used both on the command line and inside a ruleset file for particular rules. The patch replaces calls of 'errx()' with a wrapping function. Normally, this function calls 'errx()'. But if 'ignore errors' mode is on, it calls 'warnx()' and returns an error code back to the caller. Error handling is implemented for such cases and an error status is returned in the necessary places.

Also, this patch adds a 'replace' command. It can be used instead of the pair

    -i delete NNN
    add NNN <rule body>

Patch attached with submission follows:
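The errx()-wrapper and skip-to-next-rule behaviour the submission describes, sketched as an added example; this is not the attached patch (which is not reproduced here) nor ipfw's own code. rule_error, apply_rule, load_ruleset, rule_present, the ignore_errors flag and the toy rule table are hypothetical names, and the ruleset in the test is constructed input.

```c
#include <err.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
static int ignore_errors = 0;   /* stands in for the '-i' switch (hypothetical) */
static char present[65536];     /* toy rule table: present[n] != 0 => rule n installed */

/* Modelled on the description: fatal like errx() by default, but in
 * ignore-errors mode it only warnx()es and hands the code back to the caller. */
static int rule_error(int code, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    if (!ignore_errors)
        verrx(code, fmt, ap);   /* does not return */
    vwarnx(fmt, ap);
    va_end(ap);
    return code;
}
/* Apply one rule line ("add N ...", "delete N", "replace N ...").
 * Returns 0 on success, or the non-zero code reported through rule_error(). */
static int apply_rule(const char *line)
{
    char cmd[16];
    unsigned num;
    if (sscanf(line, "%15s %u", cmd, &num) != 2 || num >= 65536)
        return rule_error(1, "syntax error: %s", line);
    if (strcmp(cmd, "add") == 0 || strcmp(cmd, "replace") == 0) {
        present[num] = 1;       /* replace: delete-if-present, then add */
    } else if (strcmp(cmd, "delete") == 0) {
        if (!present[num])
            return rule_error(1, "rule %u: not found", num);
        present[num] = 0;
    } else {
        return rule_error(1, "unknown command '%s'", cmd);
    }
    return 0;
}
/* One pass over a ruleset. With ignore set, a failing rule is skipped and the
 * next one is processed; without it, the first failure terminates the process. */
static int load_ruleset(const char *const *lines, int n, int ignore)
{
    int applied = 0;
    ignore_errors = ignore;
    for (int i = 0; i < n; i++)
        if (apply_rule(lines[i]) == 0)
            applied++;
    return applied;
}
static int rule_present(unsigned num) { return num < 65536 && present[num]; }
```

With ignore set to 0 the first 'delete' of a missing rule terminates the process exactly as the submission complains about; with it set to 1 the loader reports the bad rules on stderr and still applies the rest.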
Responsible Changed From-To: freebsd-bugs->freebsd-ipfw Over to maintainer(s).
I added some code already last year to allow ipfw to continue on after some failures if the -q option is in use (especially delete). I certainly do agree that bombing out is a less than optimal behaviour when automatic use is required.