From 8929e99957d7c834b70ee73a70765bd2c0b3905f Mon Sep 17 00:00:00 2001 From: Michael Gmelin Date: Wed, 20 Dec 2023 11:30:42 +0100 Subject: [PATCH] Make init/de-init less intrusive This adds the flag "-m" to be minimally intrusive. Also allows de-init to use "-p pf_file" to specify the firewall rulesets (this way it's symmetrical to init). Rename "-f pf_file" to "-p pf_file" in init (as "-f" was already taken in de-init), but keep "-f" as an alias for the time being. Some minor cleanup of variable names while there. Fixes #85 --- CHANGELOG.md | 2 ++ share/pot/de-init.sh | 39 +++++++++++++------- share/pot/init.sh | 86 ++++++++++++++++++++++++++------------------ 3 files changed, 79 insertions(+), 48 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2477836..767ae90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Added - tinirc: Write tinirc's pid to /tmp/tinirc.pid (#277) - set-attr/stop: Add attributes exec_stop and stop_timeout (#275) +- init/de-init: Add flag "-m" to be minimally intrusive, add flag -p to specify pf file (#XXX) +- init: Deprecate flag -f pf_file, as it is replaced by -p (#XXX) ### Fixed - tinirc: Overwrite tinirc on start instead of appending to an existing file (#277) diff --git a/share/pot/de-init.sh b/share/pot/de-init.sh index bb3d57e..03e19cc 100644 --- a/share/pot/de-init.sh +++ b/share/pot/de-init.sh 
@@ -5,32 +5,43 @@ de-init-help()
 {
 cat <<-"EOH"
- pot de-init [-hvf]
+ pot de-init [-hmvf] [-p pf_file]
+ -f force : stop all running pots
+ -p pf_file : remove anchors to this file (empty to skip), defaults to result of `sysrc -n pf_rules`
 -h print this help
+ -m minimal modifications (alias for `-p ''`)
+ WARNING: Still destroys POT_ZFS_ROOT
 -v verbose
- -f force : stop all running pots
 EOH
 }
 pot-de-init()
 {
- local _pots _p _force _zopt
+ local _pots _p _force _zopt _pf_file
 _force=
 _zopt=
+ _pf_file="$(sysrc -n pf_rules)"
 OPTIND=1
- while getopts "hvf" _o ; do
+ while getopts "fhmvp:" _o ; do
 case "$_o" in
+ f)
+ _force="force"
+ ;;
 h)
 de-init-help
 ${EXIT} 0
 ;;
+ m)
+ _pf_file=""
+ ;;
+ p)
+ _pf_file="$OPTARG"
+ ;;
 v)
 _POT_VERBOSITY=$(( _POT_VERBOSITY + 1))
 _zopt="-v"
 ;;
- f)
- _force="force"
- ;;
 ?)
 de-init-help
 ${EXIT} 1
@@ -59,13 +70,15 @@ pot-de-init()
 _info "Deinstall pot ($POT_ZFS_ROOT)"
 zfs destroy -r $_zopt "${POT_ZFS_ROOT}"
 fi
- # Remove pf entries
- pf_file="$(sysrc -n pf_rules)"
- sed -i '' '/^nat-anchor pot-nat$/d' "$pf_file"
- sed -i '' '/^rdr-anchor "pot-rdr\/\*"$/d' "$pf_file"
- # Final message
 echo "zfs datasets have been removed"
- echo "pf configuration file should be clean (please check $pf_file)"
+ # Remove pf entries if needed
+ if [ -n "$_pf_file" ]; then
+ sed -i '' '/^nat-anchor pot-nat$/d' "$_pf_file"
+ sed -i '' '/^rdr-anchor "pot-rdr\/\*"$/d' "$_pf_file"
+ echo "pf configuration file should be clean"
+ echo " - please check $_pf_file and reload it"
+ fi
+ # Final message
 echo "check your rc.conf for potential leftovers variable like:"
 echo ' syslogd_flags'
 echo ' pot_enable'
diff --git a/share/pot/init.sh b/share/pot/init.sh
index 14fd32d..ea9adbc 100644
--- a/share/pot/init.sh
+++ b/share/pot/init.sh
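Review bot: In the new getopts loop the `m)` arm only does `_pf_file=""`, so the outcome depends on option order: `pot de-init -m -p /etc/pf.conf` still edits the pf file because the later `-p` wins, while `-p /etc/pf.conf -m` skips it. Either state that in the help text (`-m minimal modifications (alias for -p ''; a later -p overrides it)`) or record `-m` in its own variable and apply it once after the loop, so "minimal" cannot be silently undone. The help entry's warning that `-m` still destroys POT_ZFS_ROOT is the right caveat to keep. pot-de-init continues past the end of this hunk.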
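Review bot: The two `sed -i ''` calls inside the new `if [ -n "$_pf_file" ]` block rewrite the firewall ruleset without checking that the file exists and is writable, and their exit status is ignored, so a mistyped `-p` path or a file on a read-only mount still ends with the message that the pf configuration should be clean. init.sh guards the same edit with `[ -w "$_pf_file" ]` and copies the file to `"$_pf_file".bkp-pot` first; mirroring that here keeps the two commands symmetrical, e.g. `if [ ! -w "$_pf_file" ]; then _error "cannot edit $_pf_file - remove the pot anchors by hand"; else cp -v "$_pf_file" "$_pf_file".bkp-pot` before the sed lines and a closing `fi` after them. The beginning of pot-de-init lies outside this hunk.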
@@ -8,27 +8,39 @@ init-help()
 {
 cat <<-"EOH"
- pot init [-hv] [-f pf_file]
- -f pf_file : write pot anchors to this file (empty to skip),
- defaults to result of `sysrc -n pf_rules`
+ pot init [-hmsv] [-p pf_file]
 -h print this help
+ -m minimal modifications (alias for `-sp ''`)
+ -p pf_file : write pot anchors to this file (empty to skip),
+ defaults to result of `sysrc -n pf_rules`
+ -f pf_file : alias for -p pf_file (deprecated)
+ -s do not alter syslogd config
 -v verbose
 EOH
 }
 pot-init()
 {
- local pf_file dataset
- pf_file="$(sysrc -n pf_rules)"
+ local _pf_file _dataset _skip_alter_syslog
+ _pf_file="$(sysrc -n pf_rules)"
+ _skip_alter_syslog=
 OPTIND=1
- while getopts "hvf:" _o ; do
+ while getopts "hmsvf:p:" _o ; do
 case "$_o" in
- f) pf_file="$OPTARG"
+ f|p)
+ _pf_file="$OPTARG"
 ;;
 h)
 init-help
 ${EXIT} 0
 ;;
+ m)
+ _pf_file=""
+ _skip_alter_syslog="YES"
+ ;;
+ s)
+ _skip_alter_syslog="YES"
+ ;;
 v)
 _POT_VERBOSITY=$(( _POT_VERBOSITY + 1))
 ;;
@@ -73,14 +85,14 @@ pot-init()
 chown root:"${POT_GROUP:-pot}" "${POT_FS_ROOT}" || ${EXIT} 1
 # create mandatory datasets
- for dataset in bases jails fscomp; do
- if ! _zfs_dataset_valid "${POT_ZFS_ROOT}/$dataset" ; then
- _debug "creating ${POT_ZFS_ROOT}/$dataset"
- zfs create "${POT_ZFS_ROOT}/$dataset" || ${EXIT} 1
+ for _dataset in bases jails fscomp; do
+ if ! _zfs_dataset_valid "${POT_ZFS_ROOT}/$_dataset" ; then
+ _debug "creating ${POT_ZFS_ROOT}/$_dataset"
+ zfs create "${POT_ZFS_ROOT}/$_dataset" || ${EXIT} 1
 fi
- if ! _zfs_mounted "${POT_ZFS_ROOT}/$dataset"; then
- _debug "mounting ${POT_ZFS_ROOT}/$dataset"
- zfs mount "${POT_ZFS_ROOT}/$dataset" || ${EXIT} 1
+ if ! _zfs_mounted "${POT_ZFS_ROOT}/$_dataset"; then
+ _debug "mounting ${POT_ZFS_ROOT}/$_dataset"
+ zfs mount "${POT_ZFS_ROOT}/$_dataset" || ${EXIT} 1
 fi
 done
 if ! _zfs_exist "${POT_ZFS_ROOT}/cache" "${POT_CACHE}" ; then
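Review bot: The combined `f|p)` arm makes the deprecated `-f` behave exactly like `-p` with no message, so anyone still scripting `pot init -f pf_file` never learns it is scheduled for removal even though the help text and changelog call it deprecated. Splitting the arm into `f) _info "option -f is deprecated, use -p pf_file"; _pf_file="$OPTARG" ;;` and `p) _pf_file="$OPTARG" ;;` gives the deprecation a visible effect without changing behaviour; the getopts string `hmsvf:p:` stays as it is. The `m)` arm also only clears `_pf_file`, so a `-p` given after `-m` re-enables the pf edit; the `-m` help line could say that a later `-p`/`-f` overrides it. pot-init continues beyond this hunk, and the second hunk on this line is a pure rename of `dataset` to `_dataset`.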
@@ -91,10 +103,12 @@ pot-init()
 fi
 # create the bridges folder
 mkdir -p "${POT_FS_ROOT}/bridges"
- # create mandatory directories for logs
- mkdir -p /usr/local/etc/syslog.d
- mkdir -p /usr/local/etc/newsyslog.conf.d
- mkdir -p /var/log/pot
+ if [ "$_skip_alter_syslog" != "YES" ]; then
+ # create mandatory directories for logs
+ mkdir -p /usr/local/etc/syslog.d
+ mkdir -p /usr/local/etc/newsyslog.conf.d
+ mkdir -p /var/log/pot
+ fi
 if ! _is_pot_tmp_dir ; then
 _error "The POT_TMP directory has not been created - aborting"
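Review bot: The new guard `if [ "$_skip_alter_syslog" != "YES" ]` also skips `mkdir -p /var/log/pot`, while the comment it wraps still calls these "mandatory directories for logs". If anything else in pot writes to /var/log/pot independently of the syslogd flags (this hunk cannot show whether it does), that mkdir should stay outside the guard and only the `/usr/local/etc/syslog.d` and `/usr/local/etc/newsyslog.conf.d` directories be skipped; otherwise the comment should be changed to `# directories for the syslogd/newsyslog integration (skipped with -s/-m)` so the word "mandatory" does not contradict the flag. pot-init starts and ends outside this hunk.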
@@ -127,31 +141,33 @@ pot-init()
 fi
 done
- if [ -w /etc/rc.conf ]; then
- echo "Creating a backup of your /etc/rc.conf"
- cp -v /etc/rc.conf /etc/rc.conf.bkp-pot
+ if [ "$_skip_alter_syslog" != "YES" ]; then
+ if [ -w /etc/rc.conf ]; then
+ echo "Creating a backup of your /etc/rc.conf"
+ cp -v /etc/rc.conf /etc/rc.conf.bkp-pot
+ fi
+ # add proper syslogd flags and restart it
+ sysrc -q syslogd_flags="-b 127.0.0.1 -b $POT_GATEWAY -a $POT_NETWORK"
+ # service syslogd restart
 fi
- # add proper syslogd flags and restart it
- sysrc -q syslogd_flags="-b 127.0.0.1 -b $POT_GATEWAY -a $POT_NETWORK"
- # service syslogd restart
 # Add pot anchors if needed
- if [ -n "$pf_file" ]; then
- if [ -r "$pf_file" ] && [ "$(grep -c '^nat-anchor pot-nat$' "$pf_file" )" -eq 1 ] && [ "$(grep -c '^rdr-anchor "pot-rdr/\*"$' "$pf_file" )" -eq 1 ] ; then
+ if [ -n "$_pf_file" ]; then
+ if [ -r "$_pf_file" ] && [ "$(grep -c '^nat-anchor pot-nat$' "$_pf_file" )" -eq 1 ] && [ "$(grep -c '^rdr-anchor "pot-rdr/\*"$' "$_pf_file" )" -eq 1 ] ; then
 _debug "pf already properly configured"
 else
- if [ -w "$pf_file" ]; then
- echo "Creating a backup of your $pf_file"
- cp -v "$pf_file" "$pf_file".bkp-pot
+ if [ -w "$_pf_file" ]; then
+ echo "Creating a backup of your $_pf_file"
+ cp -v "$_pf_file" "$_pf_file".bkp-pot
 # delete incomplete/broken ancory entries - just in case
- sed -i '' '/^nat-anchor pot-nat$/d' "$pf_file"
- sed -i '' '/^rdr-anchor "pot-rdr\/\*"$/d' "$pf_file"
+ sed -i '' '/^nat-anchor pot-nat$/d' "$_pf_file"
+ sed -i '' '/^rdr-anchor "pot-rdr\/\*"$/d' "$_pf_file"
 else
- touch "$pf_file"
+ touch "$_pf_file"
 fi
- echo "auto-magically editing your $pf_file"
- printf "%s\n" 0a "nat-anchor pot-nat" "rdr-anchor \"pot-rdr/*\"" . x | ex "$pf_file"
- echo "Please, check that your PF configuration file $pf_file is still valid!"
+ echo "auto-magically editing your $_pf_file"
+ printf "%s\n" 0a "nat-anchor pot-nat" "rdr-anchor \"pot-rdr/*\"" . x | ex "$_pf_file"
+ echo "Please, check that your PF configuration file $_pf_file is still valid and reload it!"
 fi
 else
 _debug "pf configuration skipped"
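Review bot: After `printf ... | ex "$_pf_file"` rewrites the firewall ruleset the new code still only asks the user to check that the file is valid; a pf.conf that no longer parses means the ruleset will not load at the next reload or reboot, so init should verify the result itself, e.g. `if ! pfctl -nf "$_pf_file"; then _error "$_pf_file does not parse after adding the pot anchors - restore $_pf_file.bkp-pot"; fi` directly after the `ex` line (`pfctl -n` only parses; if pf is not loaded on the host this may need to be downgraded to a warning). The exit status of the `ex` pipeline is likewise unchecked, so when the `else` branch's `touch "$_pf_file"` fails (file on a read-only mount, immutable flag) the "auto-magically editing" message is still printed although no anchor was added; `|| _error "editing $_pf_file failed"` on that line would surface it. The `-w`/backup logic itself is unchanged from the old side. pot-init continues beyond the end of this hunk.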