On Sun, Jul 16, 2017 at 08:15:38PM +0000, Robert Peichaer wrote:
> > +	ifconfig lo0 inet6 >/dev/null 2>&1 &&
>
> Please leave the if-then-fi construct intact. This short form is
> mostly used for one-line commands (with only a few exceptions).

OK.
> > +	RULES="$RULES"'
>
> What is the reason to use double quotes and single quotes here?
> Why not just use double quotes like this?

Personal preference to make clear nothing inside the rules gets
substituted. Using double quotes only will work just fine here.

> This is not equivalent to the existing code.
>
> > +	pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any
> > +	pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any'
> > +	print -- "$RULES" | pfctl -nf -

Of course, fixed. Thanks!

> Unless one of the pf people speaks up in favour of combining it,
> I'd like to leave the two steps separated as you noted in your
> original email too.

Sure.

This is hopefully the final version of my diff. After all it now only
merges consecutive assignments of RULES into single ones.

Feedback?

Index: rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.507
diff -u -p -r1.507 rc
--- rc	4 Jul 2017 19:02:11 -0000	1.507
+++ rc	16 Jul 2017 21:10:48 -0000
@@ -402,28 +399,35 @@ wsconsctl_conf # Set initial temporary pf rule set. if [[ $pf != NO ]]; then - RULES="block all" - RULES="$RULES\npass on lo0" - RULES="$RULES\npass in proto tcp from any to any port ssh keep state" - RULES="$RULES\npass out proto { tcp, udp } from any to any port domain keep state" - RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state" - RULES="$RULES\npass out inet proto udp from any port bootpc to any port bootps" - RULES="$RULES\npass in inet proto udp from any port bootps to any port bootpc" + RULES=' + block all + pass on lo0 + pass in proto tcp from any to any port ssh keep state + pass out proto { tcp, udp } from any to any port domain keep state + pass out inet proto icmp all icmp-type echoreq keep state + pass out inet proto udp from any port bootpc to any port bootps + pass in inet proto udp from any port bootps to any port bootpc' + if ifconfig lo0 inet6 >/dev/null 2>&1; then - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type neighbrsol" - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type neighbradv" - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol" - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv" - RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server" - RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client" + RULES="$RULES + pass out inet6 proto icmp6 all icmp6-type neighbrsol + pass in inet6 proto icmp6 all icmp6-type neighbradv + pass out inet6 proto icmp6 all icmp6-type routersol + pass in inet6 proto icmp6 all icmp6-type routeradv + pass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server + pass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client" fi - RULES="$RULES\npass in proto carp keep state (no-sync)" - RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)" + + RULES="$RULES + pass in proto carp keep state 
(no-sync) + pass out proto carp !received-on any keep state (no-sync)" + + # Don't kill NFS. if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then - # Don't kill NFS. - RULES="set reassemble yes no-df\n$RULES" - RULES="$RULES\npass in proto { tcp, udp } from any port { sunrpc, nfsd } to any" - RULES="$RULES\npass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" + RULES="set reassemble yes no-df + $RULES + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to any + pass out proto { tcp, udp } from any to any port { sunrpc, nfsd } !received-on any" fi print -- "$RULES" | pfctl -f - pfctl -e
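Review bot: the final `print -- "$RULES" | pfctl -f -` still runs ksh's `print` without `-r`, so backslash escapes in `$RULES` are interpreted; the removed lines relied on exactly that to turn the `\n` sequences into newlines, but the replacement rule set carries literal newlines and no backslashes, so the escape processing is now unused. Switching to `print -r -- "$RULES" | pfctl -f -` makes that explicit and keeps any future rule containing a backslash from being rewritten before pfctl sees it. Two smaller points on the same hunk: the single-quoted `RULES='` block begins with an empty line and every rule carries the script's indentation, which is harmless because pf.conf ignores blank lines and leading whitespace, and moving `# Don't kill NFS.` above the `if` (rather than inside it) reads correctly since the comment describes the whole conditional, not just the assignments.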