Hello,

I suppose some of you are using Firewall Builder to manage your iptables firewall. If you want to use ipset lists to store IP addresses, you need to create an address table object in Firewall Builder and point it at a predefined file that holds those addresses. Sometimes, though, it is very handy to have dynamic address lists on your router: for example, you want to temporarily store an attacker's address or a bogon prefix, but you do not want those addresses to survive a router restart.

So what if you want a dynamic address list on your router and do not want to store it in any file? You can do that: just do not assign the address table object in Firewall Builder to a file. You then run into a problem, though, because you will not be able to install fwbuilder.fw: iptables will not find an ipset with the predefined name on your router. You can create the ipset by hand on OpenWRT, but after a router restart that set is gone, and as a consequence the iptables rules that reference it are rejected when the firewall starts.

The solution is a startup script that creates the ipset lists as needed before the firewall starts. The sets then exist before the fwbuilder.fw script runs, so all rules load, and installing fwbuilder.fw works because the required sets are already present in the router's memory. Note that ipsets live in kernel memory only: their contents are lost at reboot, which is exactly the behaviour we want for a dynamic list. Ok, suppose you need an ipset list named 'mylist' for storing dynamic IP addresses. Here is the script code:

#!/bin/sh /etc/rc.common
# Create the dynamic ipset lists on router startup, before the firewall script runs.

START=44

start() {
    # 'mylist' is a list:set that aggregates a hash:ip set (single addresses)
    # and a hash:net set (prefixes), so one firewall rule can match both kinds of entry.
    ipset create mylist:ip hash:ip
    ipset create mylist:net hash:net
    ipset create mylist list:set
    ipset add mylist mylist:ip
    ipset add mylist mylist:net
}

stop() {
    # Destroy the list:set first: ipset refuses to destroy a set that is still
    # referenced by another set (or by a loaded iptables rule).
    ipset destroy mylist
    ipset destroy mylist:ip
    ipset destroy mylist:net
}

It is important to use START=44, because you want the ipset lists to be created before the firewall starts. OpenWRT orders init scripts by their START number, and in this setup the firewall starts at START=45. The firewall init script on your router may use a different value, so check it with grep START= /etc/init.d/firewall (or whichever script installs fwbuilder.fw) and give the ipsets script a lower number. If the ipsets script fails or is disabled, every rule in fwbuilder.fw that references a set is rejected at startup, so after a reboot verify that the sets exist (ipset list -n) and that the firewall loaded without errors. How to install the script:

1. Create an empty file in /etc/init.d/ and name it, let's say, 'ipsets'.
2. Copy the script above and paste it into the file, then make it executable with chmod +x /etc/init.d/ipsets.
3. Run /etc/init.d/ipsets enable to make it run at boot time (and /etc/init.d/ipsets start to create the sets right away without a reboot).
4. Run /etc/init.d/ipsets disable to turn off autostart of the script.

More information on using startup scripts is here: http://wiki.openwrt.org/doc/techref/initscripts
If you need more than one dynamic ipset list, you can update the script with a for loop to create as many lists as you need.
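As an added example (not from the original post), here is a generalised version of the script that creates several dynamic lists in a for loop, makes creation idempotent with ipset's -exist option, enables per-entry timeouts so a banned address can expire on its own, and uses rc.common's EXTRA_COMMANDS to add ban and unban actions. The list names in DYNAMIC_SETS ('mylist' and 'bogons'), START=44 and the IPSET variable (which lets the script be dry-run with IPSET="echo") are assumptions for the example; adjust the names to your Firewall Builder address table objects.

```shell
#!/bin/sh /etc/rc.common
# Added example: generalised dynamic-ipset init script for OpenWRT.
# Creates one list:set per name in DYNAMIC_SETS, each wrapping a hash:ip
# and a hash:net member set, before the firewall script runs.

START=44                      # assumed: must be lower than the firewall's START value
EXTRA_COMMANDS="ban unban"    # rc.common exposes these as /etc/init.d/ipsets ban|unban
EXTRA_HELP="	ban   <list> <ip|cidr> [seconds]   add an address, optionally expiring
	unban <list> <ip|cidr>             remove an address"

# Names of the dynamic lists (assumed; match your address table objects).
DYNAMIC_SETS="${DYNAMIC_SETS:-mylist bogons}"
# Command used to drive ipset; override with IPSET="echo" for a dry run.
IPSET="${IPSET:-ipset}"

# member_set <list> <ip|cidr>: single addresses go to the hash:ip set, prefixes to hash:net
member_set() {
    case "$2" in
        */*) echo "$1:net" ;;
        *)   echo "$1:ip" ;;
    esac
}

create_list() {
    # -exist makes a re-run harmless; "timeout 0" enables per-entry expiry
    # (entries added without a timeout stay until reboot or unban).
    $IPSET -exist create "$1:ip"  hash:ip  family inet timeout 0
    $IPSET -exist create "$1:net" hash:net family inet timeout 0
    $IPSET -exist create "$1" list:set
    $IPSET -exist add "$1" "$1:ip"
    $IPSET -exist add "$1" "$1:net"
}

destroy_list() {
    # Destroy the list:set first: ipset refuses to destroy a set that is still
    # referenced by another set. It also refuses while an iptables rule
    # references the set, so stop the firewall before stopping this script.
    $IPSET destroy "$1"
    $IPSET destroy "$1:ip"
    $IPSET destroy "$1:net"
}

start() {
    for s in $DYNAMIC_SETS; do create_list "$s"; done
}

stop() {
    for s in $DYNAMIC_SETS; do destroy_list "$s"; done
}

# ban <list> <ip|cidr> [seconds]: add an address, optionally expiring after <seconds>
ban() {
    [ -n "$2" ] || { echo "usage: ban <list> <ip|cidr> [seconds]" >&2; return 1; }
    if [ -n "$3" ]; then
        $IPSET -exist add "$(member_set "$1" "$2")" "$2" timeout "$3"
    else
        $IPSET -exist add "$(member_set "$1" "$2")" "$2"
    fi
}

# unban <list> <ip|cidr>: remove an address (no error if it is already gone)
unban() {
    [ -n "$2" ] || { echo "usage: unban <list> <ip|cidr>" >&2; return 1; }
    $IPSET -exist del "$(member_set "$1" "$2")" "$2"
}
```

Once installed and enabled like the original script, /etc/init.d/ipsets ban mylist 203.0.113.5 3600 blocks a single host for an hour and /etc/init.d/ipsets ban bogons 198.51.100.0/24 adds a prefix until the next reboot; ipset list mylist:ip shows the entries and their remaining timeout. Keep the firewall rule matching on the list:set (mylist), as Firewall Builder's address table object does, so both member sets are covered by one rule.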