Should there be more API calls for firewall?

I have ran into a fault with /nodeworx/firewall/allowDenyIps. After realizing this scenario, I've decided to instead use `apf -u $IP`. Should there be API calls for adding/removing individual IPs from deny/allow_hosts.rules?

My scripts intended to remove an IP address from the firewall's block list X amount of time after it's been added.
While we're at it, let's say that N is the amount of IPs in deny_hosts.rules.
The way to do that with IW API is to:

• 1. sed out the $IP in question from /etc/apf/deny_hosts.rules
• 2. output that into another file
• 3. find the latest "{trust} deny all to/from $IP" entry in /var/log/apf_log
• 4. collect the time from that entry, let's call it T
• 5. add X amount of time to T
• 6. write a shell script that has all the parameters to run a perl script with the API call that uploads the list, from which $IP is sedded out
• 7. make an atd job that will run that script at time T

What you get in the logs is evidence that each IP in that list has been added into what seems an empty list. There are no "{trust} removed $IP from trust system" entries in the log resulting from that API call.

The real fallout of doing this on a regular basis, is that if you have a script that does this for all IPs in deny_hosts.rules:

• you need to write logic that seds out IPs that expire after the last IP you ever removed this way
• because of steps 3-5, the expiry date for remaining IPs will be refreshed and they will be scheduled for removal at time T+X, where T is where a previous IP was removed
• this will create a cascade of N-1 atd jobs that will also unblock their own IP, but also block the rest
• and to prevent this you need to write a job script that seds deny_hosts.rules only when the job is being run
• it's also nontrivial to implement removal of many IPs at the same time if they got blocked the same second

I really think the lack of other API calls is only adding complexity to efficiently using this one. What do you think?