On Sun, Jul 16, 2017 at 03:24:19PM +0200, Klemens Nanni wrote:
> On Sun, Jul 16, 2017 at 12:41:09PM +0000, Robert Peichaer wrote:
> > On Sun, Jul 16, 2017 at 02:28:59PM +0200, Klemens Nanni wrote:
> > > On Sun, Jul 16, 2017 at 12:11:55PM +0000, Robert Peichaer wrote:
> > > > On Sun, Jul 16, 2017 at 01:37:56PM +0200, Klemens Nanni wrote:
> > > > > This removes on level of indent, avoids the ugly RULES="$RULES ..."
> > > > > repitition and spares a print.
> > > > >
> > > > > We could do a 'pfctl -ef -' right away but I kept changing and
> > > > > enabling
> > > > > clearly seperated. Regarding the leading newlines and tabs of the
> > > > > inner
> > > > > echo: pf perfectly munges those, no need to clear them.
> > > > >
> > > > > The "don't" -> "do not" is neccessary since otherwise the shell would
> > > > > choke on it as opening quote.
> > > > >
> > > > >
> > > > > Feedback? Comments?
> > > >
> > > > Nice idea. The only maby irrelevant concern I have is, that using the
> > > > here-document approach uses a temporary file and if that for some reason
> > > > fails, we end up without this or mangled rules.
> > > sh reads the temporary file in 512 bytes chunks, the here document is
> > > about 2.0K in size.
> > >
> > > I didn't bother intercepting sh with gdb and simulating a scenario where
> > > the temporary file cannot be written but in case the user has no disk
> > > space left I'd expect it to not be created at all since.
> > >
> > > In general I'd say that if /tmp doesn't have 2.0K left users probably
> > > have more serious problems anyway.
> >
> > Have you thought about diskless(8) setups?
> If /tmp is served via NFS and the here document's IO fails, 'pfctl -f -'
> won't see any rule as it's not being executed.
>
> I still think running out of space would cause more problems than just
> this one but I shall be glad to be corrected.
>
> Here's another approach still using $RULES but with saner quoting and
> without the potentially dangerous here document.
>
>
> Index: rc
> ===================================================================
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.507
> diff -u -p -r1.507 rc
> --- rc 4 Jul 2017 19:02:11 -0000 1.507
> +++ rc 16 Jul 2017 13:23:02 -0000
> @@ -402,31 +399,35 @@ wsconsctl_conf
>
> # Set initial temporary pf rule set.
> if [[ $pf != NO ]]; then
> - RULES="block all"
> - RULES="$RULES\npass on lo0"
> - RULES="$RULES\npass in proto tcp from any to any port ssh keep state"
> - RULES="$RULES\npass out proto { tcp, udp } from any to any port domain
> keep state"
> - RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep
> state"
> - RULES="$RULES\npass out inet proto udp from any port bootpc to any port
> bootps"
> - RULES="$RULES\npass in inet proto udp from any port bootps to any port
> bootpc"
> - if ifconfig lo0 inet6 >/dev/null 2>&1; then
> - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> neighbrsol"
> - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> neighbradv"
> - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> routersol"
> - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> routeradv"
> - RULES="$RULES\npass out inet6 proto udp from any port
> dhcpv6-client to any port dhcpv6-server"
> - RULES="$RULES\npass in inet6 proto udp from any port
> dhcpv6-server to any port dhcpv6-client"
> - fi
> - RULES="$RULES\npass in proto carp keep state (no-sync)"
> - RULES="$RULES\npass out proto carp !received-on any keep state
> (no-sync)"
> - if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
> - # Don't kill NFS.
> - RULES="set reassemble yes no-df\n$RULES"
> - RULES="$RULES\npass in proto { tcp, udp } from any port {
> sunrpc, nfsd } to any"
> - RULES="$RULES\npass out proto { tcp, udp } from any to any port
> { sunrpc, nfsd } !received-on any"
> - fi
> - print -- "$RULES" | pfctl -f -
> - pfctl -e
> + RULES='
> + block all
> + pass on lo0
> + pass in proto tcp from any to any port ssh keep state
> + pass out proto { tcp, udp } from any to any port domain keep state
> + pass out inet proto icmp all icmp-type echoreq keep state
> + pass out inet proto udp from any port bootpc to any port bootps
> + pass in inet proto udp from any port bootps to any port bootpc'
> +
> + ifconfig lo0 inet6 >/dev/null 2>&1 &&
Please leave the if-then-fi construct intact. This short form is
mostly used for on-line commands (with only a few exceptions).
> + RULES="$RULES"'
What is the reason to use double quotes and single quotes here?
Why not just use double quotes like this?
RULES="$RULES
..."
> + pass out inet6 proto icmp6 all icmp6-type neighbrsol
> + pass in inet6 proto icmp6 all icmp6-type neighbradv
> + pass out inet6 proto icmp6 all icmp6-type routersol
> + pass in inet6 proto icmp6 all icmp6-type routeradv
> + pass out inet6 proto udp from any port dhcpv6-client to any
> port dhcpv6-server
> + pass in inet6 proto udp from any port dhcpv6-server to any port
> dhcpv6-client'
> +
> + RULES="$RULES"'
> + pass in proto carp keep state (no-sync)
> + pass out proto carp !received-on any keep state (no-sync)'
> +
> + # Don't kill NFS.
> + [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]] &&
Please leave the if-then-fi construct intact, here too.
> + RULES="$RULES"'
> + set reassemble yes no-df
This is not equivalent to the existing code.
> + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
> + pass out proto { tcp, udp } from any to any port { sunrpc, nfsd
> } !received-on any'
> + print -- "$RULES" | pfctl -nf -
Unless one of the pf people speaks up in favour of combining it,
I'd like to leave the two steps separated as you noted in your
original email too.
print -- "$RULES" | pfctl -f -
pfctl -e
> fi
>
> fill_baddynamic udp
>
--
-=[rpe]=-
