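#!/bin/sh -
#
# program to apply changes to an ipfw ruleset without reloading the whole
# ruleset.  guy@rucus.ru.ac.za, 20051107
#
# usage: ipfwdiff [ruleset-file]
#
# With no argument the ruleset file is taken from firewall_type in rc.conf.
# The running rules ("ipfw list") are diffed against the rules the file would
# install ("ipfw -fn file"); rules present only in the running set are
# deleted, rules present only in the file are added.  If the file does not
# parse, nothing is touched.
#

# print a message to stderr and exit non-zero
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

# temporary files; emptied here so cleanup is safe before they are created
ORIG=
NEW=

# remove the temporary files on every exit path (normal exit and signals)
cleanup() {
	if [ -n "${ORIG}" ] ; then
		rm -f -- "${ORIG}"
	fi
	if [ -n "${NEW}" ] ; then
		rm -f -- "${NEW}"
	fi
}
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

# get the name of the firewall rule set
if [ $# -eq 1 ] ; then
	FILE=$1
elif [ $# -eq 0 ] ; then
	. /etc/defaults/rc.conf
	source_rc_confs
	if [ -n "${firewall_type}" ] && [ -r "${firewall_type}" ] ; then
		FILE=${firewall_type}
	else
		die "Unable to work out firewall ruleset file from '${firewall_type}'"
	fi
else
	die "usage: ${0##*/} [ruleset-file]"
fi
[ -r "${FILE}" ] || die "Cannot read firewall ruleset file '${FILE}'"

# two private temporary files; each name comes from mktemp, so neither can be
# guessed or pre-created by another user of the temp directory
NEW=$(mktemp -t ipfwdiff) || die "mktemp failed"
ORIG=$(mktemp -t ipfwdiff) || die "mktemp failed"

# get copies of the firewall rules: the running set, and the set the file
# would install (-n checks the file without installing it).  If the file
# fails to parse the listing is incomplete, and diffing against it would
# delete live rules, so stop before any change is made.
ipfw list > "${ORIG}" || die "ipfw list failed"
ipfw -fn "${FILE}" 2>/dev/null > "${NEW}" \
	|| die "ipfw -fn '${FILE}' failed (run it by hand to see the error); no changes made"

# this is the hard work.  basically an awk script.  diff exits 1 whenever the
# two listings differ, so the pipeline's status is awk's, which is non-zero
# if any individual ipfw delete/add failed.
diff -bBi "${ORIG}" "${NEW}" | grep -E '^[<>][[:space:]]+[[:digit:]]+' | awk '
	/^[<] 65535/ { next; }		# never delete the default rule
	/^[<>] pipe/ { next; }		# pipe listings are left alone
	/^</ {
		if (system("ipfw delete " $2) == 0) {
			del[i++] = $2;
		} else {
			fail++;
			printf "failed to delete rule %s\n", $2 > "/dev/stderr";
		}
	}
	/^>/ {
		if (system("ipfw add " substr($0, 3)) == 0) {
			add[j++] = $2;
		} else {
			fail++;
			printf "failed to add rule %s\n", $2 > "/dev/stderr";
		}
	}
	END {
		# report in the order the rules were applied, not hash order
		if (i) { printf "deleted rules:"; for (k = 0; k < i; k++) printf " %d", del[k]; printf "\n"; }
		if (j) { printf "added rules:"; for (k = 0; k < j; k++) printf " %d", add[k]; printf "\n"; }
		exit (fail ? 1 : 0);
	}
'
# temporary files are removed by the EXIT trap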
