This removes one level of indent, avoids the ugly RULES="$RULES ..." repetition and spares a print.
We could do a 'pfctl -ef -' right away but I kept changing and enabling clearly separated. Regarding the leading newlines and tabs of the inner echo: pf perfectly munges those, no need to clear them. The "don't" -> "do not" is necessary since otherwise the shell would choke on it as an opening quote. Feedback? Comments?
Index: rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.507
diff -u -p -r1.507 rc
--- rc 4 Jul 2017 19:02:11 -0000 1.507
+++ rc 16 Jul 2017 11:34:09 -0000
@@ -402,30 +402,33 @@ wsconsctl_conf
 # Set initial temporary pf rule set.
 if [[ $pf != NO ]]; then
- RULES="block all"
- RULES="$RULES\npass on lo0"
- RULES="$RULES\npass in proto tcp from any to any port ssh keep state"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port domain keep state"
- RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
- RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps"
- RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc"
- if ifconfig lo0 inet6 >/dev/null 2>&1; then
- RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol"
- RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv"
- RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol"
- RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv"
- RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
- RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
- fi
- RULES="$RULES\npass in proto carp keep state (no-sync)"
- RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"
- if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
- # Don't kill NFS.
- RULES="set reassemble yes no-df\n$RULES"
- RULES="$RULES\npass in proto { tcp, udp } from any port { sunrpc, nfsd } to any"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any"
- fi
- print -- "$RULES" | pfctl -f -
+ pfctl -f - <<- __EOF__
+block all
+pass on lo0
+pass in proto tcp from any to any port ssh keep state
+pass out proto { tcp, udp } from any to any port domain keep state
+pass out inet proto icmp all icmp-type echoreq keep state
+pass out inet proto udp from any port bootpc to any port bootps
+pass in inet proto udp from any port bootps to any port bootpc
+$(if ifconfig lo0 inet6 >/dev/null 2>&1; then
+ echo '
+ pass out inet6 proto icmp6 all icmp6-type neighbrsol
+ pass in inet6 proto icmp6 all icmp6-type neighbradv
+ pass out inet6 proto icmp6 all icmp6-type routersol
+ pass in inet6 proto icmp6 all icmp6-type routeradv
+ pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
+ pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client'
+fi)
+pass in proto carp keep state (no-sync)
+pass out proto carp !received-on any keep state (no-sync)
+$(if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
+ # Do not kill NFS.
+ echo '
+ set reassemble yes no-df
+ pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
+ pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any'
+fi)
+__EOF__
 pfctl -e
 fi
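Review bot: The exit status of the rewritten `pfctl -f - <<- __EOF__` load is never checked before the context line `pfctl -e` enables pf, and the two `$( ... )` blocks embedded in the here-doc make the generated ruleset easier to break with a quoting or parse slip than the old flat RULES string was. If pfctl rejects the input, pf is enabled at boot with no rules loaded, and since pf passes traffic that matches no rule this is more permissive than the intended block-all bootstrap default rather than less. A minimal improvement that keeps the here-doc form is `pfctl -f - <<- __EOF__ || echo 'pf: failed to load initial rule set' >&2`, so a broken bootstrap ruleset is at least visible in the boot output. As a point of style, the `# Do not kill NFS.` comment now lives inside a command substitution inside the here-doc, which is what forced the wording change; moving it above `pfctl -f -` as an ordinary comment removes that constraint. The same missing check existed with the old `print -- "$RULES" | pfctl -f -` pipeline, so this is an opportunity rather than a regression.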