On Sun, Jul 16, 2017 at 12:41:09PM +0000, Robert Peichaer wrote:
> On Sun, Jul 16, 2017 at 02:28:59PM +0200, Klemens Nanni wrote:
> > On Sun, Jul 16, 2017 at 12:11:55PM +0000, Robert Peichaer wrote:
> > > On Sun, Jul 16, 2017 at 01:37:56PM +0200, Klemens Nanni wrote:
> > > > This removes one level of indent, avoids the ugly RULES="$RULES ..."
> > > > repetition and spares a print.
> > > >
> > > > We could do a 'pfctl -ef -' right away but I kept changing and enabling
> > > > clearly separated. Regarding the leading newlines and tabs of the inner
> > > > echo: pf perfectly munges those, no need to clear them.
> > > >
> > > > The "don't" -> "do not" is necessary since otherwise the shell would
> > > > choke on it as an opening quote.
> > > >
> > > >
> > > > Feedback? Comments?
> > >
> > > Nice idea. The only, maybe irrelevant, concern I have is that using the
> > > here-document approach uses a temporary file and if that for some reason
> > > fails, we end up without this or with mangled rules.
> >
> > sh reads the temporary file in 512-byte chunks, the here document is
> > about 2.0K in size.
> >
> > I didn't bother intercepting sh with gdb and simulating a scenario where
> > the temporary file cannot be written, but in case the user has no disk
> > space left I'd expect it to not be created at all since.
> >
> > In general I'd say that if /tmp doesn't have 2.0K left users probably
> > have more serious problems anyway.
>
> Have you thought about diskless(8) setups? If /tmp is served via NFS and
> the here document's IO fails, 'pfctl -f -' won't see any rule as it's not
> being executed.
I still think running out of space would cause more problems than just
this one but I shall be glad to be corrected.

Here's another approach still using $RULES but with saner quoting and
without the potentially dangerous here document.

Index: rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.507
diff -u -p -r1.507 rc
--- rc	4 Jul 2017 19:02:11 -0000	1.507
+++ rc	16 Jul 2017 13:23:02 -0000
@@ -402,31 +399,35 @@ wsconsctl_conf # Set initial temporary pf rule set. if [[ $pf != NO ]]; then - RULES="block all" - RULES="$RULES\npass on lo0" - RULES="$RULES\npass in proto tcp from any to any port ssh keep state" - RULES="$RULES\npass out proto { tcp, udp } from any to any port domain keep state" - RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state" - RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps" - RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc" - if ifconfig lo0 inet6 >/dev/null 2>&1; then - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol" - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv" - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol" - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv" - RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server" - RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client" - fi - RULES="$RULES\npass in proto carp keep state (no-sync)" - RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)" - if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then - # Don't kill NFS. 
- RULES="set reassemble yes no-df\n$RULES" - RULES="$RULES\npass in proto { tcp, udp } from any port { sunrpc, nfsd } to any" - RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" - fi - print -- "$RULES" | pfctl -f - - pfctl -e + RULES=' + block all + pass on lo0 + pass in proto tcp from any to any port ssh keep state + pass out proto { tcp, udp } from any to any port domain keep state + pass out inet proto icmp all icmp-type echoreq keep state + pass out inet proto udp from any port bootpc to any port bootps + pass in inet proto udp from any port bootps to any port bootpc' + + ifconfig lo0 inet6 >/dev/null 2>&1 && + RULES="$RULES"' + pass out inet6 proto icmp6 all icmp6-type neighbrsol + pass in inet6 proto icmp6 all icmp6-type neighbradv + pass out inet6 proto icmp6 all icmp6-type routersol + pass in inet6 proto icmp6 all icmp6-type routeradv + pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server + pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client' + + RULES="$RULES"' + pass in proto carp keep state (no-sync) + pass out proto carp !received-on any keep state (no-sync)' + + # Don't kill NFS. + [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]] && + RULES="$RULES"' + set reassemble yes no-df + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any + pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any' + print -- "$RULES" | pfctl -nf - fi fill_baddynamic udp
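Review bot: the last lines of the hunk replace `print -- "$RULES" | pfctl -f -` plus `pfctl -e` with a single `print -- "$RULES" | pfctl -nf -`; `-n` only parses the rule set and loads nothing, and the enable step is gone, so with this diff applied the machine boots with pf disabled and no initial rules. This looks like a leftover from testing; restore the load and enable, e.g. `print -- "$RULES" | pfctl -f -` followed by `pfctl -e` (or the `pfctl -ef -` mentioned in the first mail). Separately, the old code put `set reassemble yes no-df` in front of `block all` (`RULES="set reassemble yes no-df\n$RULES"`), whereas the new NFS branch appends it after the carp rules; please confirm pfctl accepts a `set` option following filter rules, or move the `vfs.mounts.nfs` check ahead of the initial assignment so the option stays first in the NFS case.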
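As an added example, not code from the posted patch or from OpenBSD's rc, the same rule set assembled as a plain string (no here document, hence no temporary file in /tmp, which is the diskless concern raised above), with the options kept ahead of the filter rules and the parse-only check separated from loading and enabling. The function names, the two yes/no capability flags, and the behaviour of skipping the pfctl calls when pfctl is not installed are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the patch's code). Builds the boot-time pf rule set as
# a string, then validates, loads and enables it in three explicit steps.

# build_pf_rules INET6 NFS
#   INET6: "yes" if lo0 has an inet6 address, otherwise "no"  (assumed flag)
#   NFS:   "yes" if an NFS file system is mounted, otherwise "no" (assumed flag)
# Prints the rule set on stdout. "set ..." options are emitted before any
# filter rule, matching the ordering the original rc used.
build_pf_rules() {
	inet6=$1 nfs=$2
	rules=""

	[ "$nfs" = yes ] && rules='set reassemble yes no-df
'
	rules="$rules"'block all
pass on lo0
pass in proto tcp from any to any port ssh keep state
pass out proto { tcp, udp } from any to any port domain keep state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet proto udp from any port bootpc to any port bootps
pass in inet proto udp from any port bootps to any port bootpc'

	[ "$inet6" = yes ] && rules="$rules"'
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server
pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client'

	rules="$rules"'
pass in proto carp keep state (no-sync)
pass out proto carp !received-on any keep state (no-sync)'

	# Do not kill NFS (comment kept outside the quoted string on purpose).
	[ "$nfs" = yes ] && rules="$rules"'
pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any'

	printf '%s\n' "$rules"
}

# count_rules RULES: number of non-empty lines in a rule set.
count_rules() {
	printf '%s\n' "$1" | grep -c .
}

# load_pf_rules RULES: parse only (-n loads nothing); if that succeeds, load
# the rules and enable pf. Returns 1 on a parse error with nothing loaded,
# 2 when pfctl is not installed (so the example still runs elsewhere).
load_pf_rules() {
	rules=$1
	command -v pfctl >/dev/null 2>&1 || {
		echo "pfctl not available, rules not loaded" >&2
		return 2
	}
	printf '%s\n' "$rules" | pfctl -nf - || return 1
	printf '%s\n' "$rules" | pfctl -f - && pfctl -e
}

# Usage (as root on an OpenBSD box, with pf still disabled):
#   load_pf_rules "$(build_pf_rules yes no)"
```

`pfctl -e` exits non-zero if pf is already enabled, which is fine at the point in rc where this runs, but the usage line above assumes a freshly booted or disabled pf.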