On Sun, Jul 16, 2017 at 03:24:19PM +0200, Klemens Nanni wrote: > On Sun, Jul 16, 2017 at 12:41:09PM +0000, Robert Peichaer wrote: > > On Sun, Jul 16, 2017 at 02:28:59PM +0200, Klemens Nanni wrote: > > > On Sun, Jul 16, 2017 at 12:11:55PM +0000, Robert Peichaer wrote: > > > > On Sun, Jul 16, 2017 at 01:37:56PM +0200, Klemens Nanni wrote: > > > > > This removes on level of indent, avoids the ugly RULES="$RULES ..." > > > > > repitition and spares a print. > > > > > > > > > > We could do a 'pfctl -ef -' right away but I kept changing and > > > > > enabling > > > > > clearly seperated. Regarding the leading newlines and tabs of the > > > > > inner > > > > > echo: pf perfectly munges those, no need to clear them. > > > > > > > > > > The "don't" -> "do not" is neccessary since otherwise the shell would > > > > > choke on it as opening quote. > > > > > > > > > > > > > > > Feedback? Comments? > > > > > > > > Nice idea. The only maby irrelevant concern I have is, that using the > > > > here-document approach uses a temporary file and if that for some reason > > > > fails, we end up without this or mangled rules. > > > sh reads the temporary file in 512 bytes chunks, the here document is > > > about 2.0K in size. > > > > > > I didn't bother intercepting sh with gdb and simulating a scenario where > > > the temporary file cannot be written but in case the user has no disk > > > space left I'd expect it to not be created at all since. > > > > > > In general I'd say that if /tmp doesn't have 2.0K left users probably > > > have more serious problems anyway. > > > > Have you thought about diskless(8) setups? > If /tmp is served via NFS and the here document's IO fails, 'pfctl -f -' > won't see any rule as it's not being executed. > > I still think running out of space would cause more problems than just > this one but I shall be glad to be corrected. > > Here's another approach still using $RULES but with saner quoting and > without the potentially dangerous here document. > > > Index: rc > =================================================================== > RCS file: /cvs/src/etc/rc,v > retrieving revision 1.507 > diff -u -p -r1.507 rc > --- rc 4 Jul 2017 19:02:11 -0000 1.507 > +++ rc 16 Jul 2017 13:23:02 -0000 > @@ -402,31 +399,35 @@ wsconsctl_conf > > # Set initial temporary pf rule set. > if [[ $pf != NO ]]; then > - RULES="block all" > - RULES="$RULES\npass on lo0" > - RULES="$RULES\npass in proto tcp from any to any port ssh keep state" > - RULES="$RULES\npass out proto { tcp, udp } from any to any port domain > keep state" > - RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep > state" > - RULES="$RULES\npass out inet proto udp from any port bootpc to any port > bootps" > - RULES="$RULES\npass in inet proto udp from any port bootps to any port > bootpc" > - if ifconfig lo0 inet6 >/dev/null 2>&1; then > - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type > neighbrsol" > - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type > neighbradv" > - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type > routersol" > - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type > routeradv" > - RULES="$RULES\npass out inet6 proto udp from any port > dhcpv6-client to any port dhcpv6-server" > - RULES="$RULES\npass in inet6 proto udp from any port > dhcpv6-server to any port dhcpv6-client" > - fi > - RULES="$RULES\npass in proto carp keep state (no-sync)" > - RULES="$RULES\npass out proto carp !received-on any keep state > (no-sync)" > - if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then > - # Don't kill NFS. > - RULES="set reassemble yes no-df\n$RULES" > - RULES="$RULES\npass in proto { tcp, udp } from any port { > sunrpc, nfsd } to any" > - RULES="$RULES\npass out proto { tcp, udp } from any to any port > { sunrpc, nfsd } !received-on any" > - fi > - print -- "$RULES" | pfctl -f - > - pfctl -e > + RULES=' > + block all > + pass on lo0 > + pass in proto tcp from any to any port ssh keep state > + pass out proto { tcp, udp } from any to any port domain keep state > + pass out inet proto icmp all icmp-type echoreq keep state > + pass out inet proto udp from any port bootpc to any port bootps > + pass in inet proto udp from any port bootps to any port bootpc' > + > + ifconfig lo0 inet6 >/dev/null 2>&1 &&
Please leave the if-then-fi construct intact. This short form is mostly used for on-line commands (with only a few exceptions). > + RULES="$RULES"' What is the reason to use double quotes and single quotes here? Why not just use double quotes like this? RULES="$RULES ..." > + pass out inet6 proto icmp6 all icmp6-type neighbrsol > + pass in inet6 proto icmp6 all icmp6-type neighbradv > + pass out inet6 proto icmp6 all icmp6-type routersol > + pass in inet6 proto icmp6 all icmp6-type routeradv > + pass out inet6 proto udp from any port dhcpv6-client to any > port dhcpv6-server > + pass in inet6 proto udp from any port dhcpv6-server to any port > dhcpv6-client' > + > + RULES="$RULES"' > + pass in proto carp keep state (no-sync) > + pass out proto carp !received-on any keep state (no-sync)' > + > + # Don't kill NFS. > + [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]] && Please leave the if-then-fi construct intact, here too. > + RULES="$RULES"' > + set reassemble yes no-df This is not equivalent to the existing code. > + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any > + pass out proto { tcp, udp } from any to any port { sunrpc, nfsd > } !received-on any' > + print -- "$RULES" | pfctl -nf - Unless one of the pf people speaks up in favour of combining it, I'd like to leave the two steps separated as you noted in your original email too. print -- "$RULES" | pfctl -f - pfctl -e > fi > > fill_baddynamic udp > -- -=[rpe]=-