2017-07-17 0:15 GMT+03:00 Klemens Nanni <k...@posteo.org>:
> On Sun, Jul 16, 2017 at 08:15:38PM +0000, Robert Peichaer wrote:
>> > + ifconfig lo0 inet6 >/dev/null 2>&1 &&
>>
>> Please leave the if-then-fi construct intact. This short form is
>> mostly used for on-line commands (with only a few exceptions).
> OK.
>
>> > + RULES="$RULES"'
>>
>> What is the reason to use double quotes and single quotes here?
>> Why not just use double quotes like this?
> Personal preference to make clear nothing inside the rules gets
> substituted. Using double quotes only will work just fine here.
>
>> This is not equivalent to the existing code.
>>
>> > + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to
>> > any
>> > + pass out proto { tcp, udp } from any to any port { sunrpc,
>> > nfsd } !received-on any'
>> > + print -- "$RULES" | pfctl -nf -
> Of course, fixed. Thanks!
>
>> Unless one of the pf people speaks up in favour of combining it,
>> I'd like to leave the two steps separated as you noted in your
>> original email too.
> Sure.
>
> This is hopefully the final version of my diff. After all it now only
> merges consecutive assignments of RULE into single ones.
>
> Feedback?
>
> Index: rc
> ===================================================================
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.507
> diff -u -p -r1.507 rc
> --- rc 4 Jul 2017 19:02:11 -0000 1.507
> +++ rc 16 Jul 2017 21:10:48 -0000
> @@ -402,28 +399,35 @@ wsconsctl_conf
>
> # Set initial temporary pf rule set.
> if [[ $pf != NO ]]; then
> - RULES="block all"
> - RULES="$RULES\npass on lo0"
> - RULES="$RULES\npass in proto tcp from any to any port ssh keep state"
> - RULES="$RULES\npass out proto { tcp, udp } from any to any port
> domain keep state"
> - RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep
> state"
> - RULES="$RULES\npass out inet proto udp from any port bootpc to any
> port bootps"
> - RULES="$RULES\npass in inet proto udp from any port bootps to any
> port bootpc"
> + RULES='
> + block all
> + pass on lo0
> + pass in proto tcp from any to any port ssh keep state
> + pass out proto { tcp, udp } from any to any port domain keep state
> + pass out inet proto icmp all icmp-type echoreq keep state
> + pass out inet proto udp from any port bootpc to any port bootps
> + pass in inet proto udp from any port bootps to any port bootpc'
> +
> if ifconfig lo0 inet6 >/dev/null 2>&1; then
> - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> neighbrsol"
> - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> neighbradv"
> - RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type
> routersol"
> - RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type
> routeradv"
> - RULES="$RULES\npass out inet6 proto udp from any port
> dhcpv6-client to any port dhcpv6-server"
> - RULES="$RULES\npass in inet6 proto udp from any port
> dhcpv6-server to any port dhcpv6-client"
> + RULES="$RULES
> + pass out inet6 proto icmp6 all icmp6-type neighbrsol
> + pass in inet6 proto icmp6 all icmp6-type neighbradv
> + pass out inet6 proto icmp6 all icmp6-type routersol
> + pass in inet6 proto icmp6 all icmp6-type routeradv
> + pass out inet6 proto udp from any port dhcpv6-client to any
> port dhcpv6-server
> + pass in inet6 proto udp from any port dhcpv6-server to any
> port dhcpv6-client"
> fi
> - RULES="$RULES\npass in proto carp keep state (no-sync)"
> - RULES="$RULES\npass out proto carp !received-on any keep state
> (no-sync)"
> +
> + RULES="$RULES
> + pass in proto carp keep state (no-sync)
> + pass out proto carp !received-on any keep state (no-sync)"
> +
> + # Don't kill NFS.
> if [[ $(sysctl vfs.mounts.nfs 2>/dev/null) == *[1-9]* ]]; then
> - # Don't kill NFS.
> - RULES="set reassemble yes no-df\n$RULES"
> - RULES="$RULES\npass in proto { tcp, udp } from any port {
> sunrpc, nfsd } to any"
> - RULES="$RULES\npass out proto { tcp, udp } from any to any
> port { sunrpc, nfsd } !received-on any"
> + RULES="set reassemble yes no-df
> + $RULES
> + pass in proto { tcp, udp } from any port { sunrpc, nfsd } to
> any
> + pass out proto { tcp, udp } from any to any port { sunrpc,
> nfsd } !received-on any"
> fi
> print -- "$RULES" | pfctl -f -
> pfctl -e
I like this, okay zhuk@.
--
WBR,
Vadim Zhukov
