On Sun, Jul 16, 2017 at 12:41:09PM +0000, Robert Peichaer wrote:
> On Sun, Jul 16, 2017 at 02:28:59PM +0200, Klemens Nanni wrote:
> > On Sun, Jul 16, 2017 at 12:11:55PM +0000, Robert Peichaer wrote:
> > > On Sun, Jul 16, 2017 at 01:37:56PM +0200, Klemens Nanni wrote:
> > > > This removes on level of indent, avoids the ugly RULES="$RULES ..."
> > > > repitition and spares a print.
> > > >
> > > > We could do a 'pfctl -ef -' right away but I kept changing and enabling
> > > > clearly seperated. Regarding the leading newlines and tabs of the inner
> > > > echo: pf perfectly munges those, no need to clear them.
> > > >
> > > > The "don't" -> "do not" is neccessary since otherwise the shell would
> > > > choke on it as opening quote.
> > > >
> > > >
> > > > Feedback? Comments?
> > >
> > > Nice idea. The only maby irrelevant concern I have is, that using the
> > > here-document approach uses a temporary file and if that for some reason
> > > fails, we end up without this or mangled rules.
> > sh reads the temporary file in 512 bytes chunks, the here document is
> > about 2.0K in size.
> >
> > I didn't bother intercepting sh with gdb and simulating a scenario where
> > the temporary file cannot be written but in case the user has no disk
> > space left I'd expect it to not be created at all since.
> >
> > In general I'd say that if /tmp doesn't have 2.0K left users probably
> > have more serious problems anyway.
>
> Have you thought about diskless(8) setups?
If /tmp is served via NFS and the here document's IO fails, 'pfctl -f -'
won't see any rule as it's not being executed.
I still think running out of space would cause more problems than just
this one but I shall be glad to be corrected.
Here's another approach still using $RULES but with saner quoting and
without the potentially dangerous here document.
Index: rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.507
diff -u -p -r1.507 rc
--- rc 4 Jul 2017 19:02:11 -0000 1.507
+++ rc 16 Jul 2017 13:23:02 -0000
@@ -402,31 +399,35 @@ wsconsctl_conf
# Set initial temporary pf rule set.
if [[ $pf != NO ]]; then
- RULES="block all"
- RULES="$RULES\npass on lo0"
- RULES="$RULES\npass in proto tcp from any to any port ssh keep state"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port domain
keep state"
- RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep
state"
- RULES="$RULES\npass out inet proto udp from any port bootpc to any port
bootps"
- RULES="$RULES\npass in inet proto udp from any port bootps to any port
bootpc"
- if ifconfig lo0 inet6 >/dev/null 2>&1; then
- RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
neighbrsol"
- RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
neighbradv"
- RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
routersol"
- RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
routeradv"
- RULES="$RULES\npass out inet6 proto udp from any port
dhcpv6-client to any port dhcpv6-server"
- RULES="$RULES\npass in inet6 proto udp from any port
dhcpv6-server to any port dhcpv6-client"
- fi
- RULES="$RULES\npass in proto carp keep state (no-sync)"
- RULES="$RULES\npass out proto carp !received-on any keep state
(no-sync)"
- if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
- # Don't kill NFS.
- RULES="set reassemble yes no-df\n$RULES"
- RULES="$RULES\npass in proto { tcp, udp } from any port {
sunrpc, nfsd } to any"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port
{ sunrpc, nfsd } !received-on any"
- fi
- print -- "$RULES" | pfctl -f -
- pfctl -e
+ RULES='
+ block all
+ pass on lo0
+ pass in proto tcp from any to any port ssh keep state
+ pass out proto { tcp, udp } from any to any port domain keep state
+ pass out inet proto icmp all icmp-type echoreq keep state
+ pass out inet proto udp from any port bootpc to any port bootps
+ pass in inet proto udp from any port bootps to any port bootpc'
+
+ ifconfig lo0 inet6 >/dev/null 2>&1 &&
+ RULES="$RULES"'
+ pass out inet6 proto icmp6 all icmp6-type neighbrsol
+ pass in inet6 proto icmp6 all icmp6-type neighbradv
+ pass out inet6 proto icmp6 all icmp6-type routersol
+ pass in inet6 proto icmp6 all icmp6-type routeradv
+ pass out inet6 proto udp from any port dhcpv6-client to any
port dhcpv6-server
+ pass in inet6 proto udp from any port dhcpv6-server to any port
dhcpv6-client'
+
+ RULES="$RULES"'
+ pass in proto carp keep state (no-sync)
+ pass out proto carp !received-on any keep state (no-sync)'
+
+ # Don't kill NFS.
+ [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]] &&
+ RULES="$RULES"'
+ set reassemble yes no-df
+ pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
+ pass out proto { tcp, udp } from any to any port { sunrpc, nfsd
} !received-on any'
+ print -- "$RULES" | pfctl -nf -
fi
fill_baddynamic udp
