From dd2c830c87f926c076a30b1fe40b512e65fed03a Mon Sep 17 00:00:00 2001
From: Roz K
Date: Thu, 17 Feb 2022 17:59:16 +0100
Subject: [PATCH] First version.

---
 LICENSE | 2 +-
 README.md | 7 ++-
 pftab | 140 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 146 insertions(+), 3 deletions(-)
 create mode 100644 pftab

diff --git a/LICENSE b/LICENSE
index e06aa93..5aa67c5 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) year copyright holder. All Rights Reserved.
+Copyright (c) 2022 Roz K. All Rights Reserved.
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
diff --git a/README.md b/README.md
index cc1bc84..d05f055 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,7 @@
 # pftab
-pf anchors manager for FreeBSD inspired by fstab.
-https://blog.rozk.net/pf/
\ No newline at end of file
+pf anchors manager for FreeBSD inspired by fstab.
+
+## Installation, configuration and usage
+
+See https://blog.rozk.net/pf/
diff --git a/pftab b/pftab
new file mode 100644
index 0000000..b1d38d1
--- /dev/null
+++ b/pftab
@@ -0,0 +1,140 @@
+#!/bin/sh
+
+. /etc/rc.subr
+
+# PROVIDE: pftab
+# REQUIRE: FILESYSTEMS pf unbound
+# BEFORE: NETWORKING
+# KEYWORD: nojailvnet shutdown
+
+name="pftab"
+rcvar=pftab_enable
+
+start_cmd="pftab_start"
+stop_cmd="pftab_flush"
+load_cmd="pftab_load"
+flush_cmd="pftab_flush"
+extra_commands="load flush"
+
+load_rc_config $name
+: ${pftab_enable:="NO"}
+: ${pftab_file=/usr/local/etc/pftab}
+: ${pftab_suffix=""}
+
+pftab_command_flush() {
+ file="$1" ; anchor="$2$pftab_suffix" ; flags=$3
+ if ( echo -n $flags | grep -qi "noflush" ) ; then
+ info "Not flushing anchor $anchor with flag noflush."
+ else
+ info "Flushing anchor $anchor..."
+ pfctl -q -F all -a $anchor
+ fi
+}
+
+pftab_command_load() {
+ file="$1" ; anchor="$2$pftab_suffix" ; flags=$3
+ if ( pfctl -n -a $anchor -f "$file" ) ; then
+ if ( echo -n $flags | grep -qi "noflush" ) ; then
+ info "Loading anchor $anchor from file $file without flushing..."
+ pfctl -q -a $anchor -f "$file"
+ else
+ info "Loading anchor $anchor from file $file..."
+ pfctl -q -F all -a $anchor -f "$file"
+ fi
+ else
+ if ( echo -n $flags | grep -qi "nofail" ) ; then
+ warn "Error(s) while checking file $file with flag nofail."
+ else
+ err 1 "Error(s) while checking file $file."
+ fi
+ fi
+}
+
+pftab_command_start() {
+ file="$1" ; anchor=$2 ; flags=$3
+ if ( echo -n $flags | grep -qi "noauto" ) ; then
+ info "Not loading anchor $anchor with flag noauto"
+ else
+ pftab_command_load "$file" $anchor $flags
+ fi
+}
+
+pftab_process_command() {
+ cmd=$1 ; file="$2" ; anchor=$3 ; flags=$4
+ if ( [ $cmd != "flush" ] && [ ! -r "$file" ] ) ; then
+ if ( echo -n $flags | grep -qi "nofail" ) ; then
+ warn "File $file missing or not readable with flag nofail."
+ else
+ err 1 "File $file missing or not readable."
+ fi
+ else
+ case $cmd in
+ "load")
+ pftab_command_load "$file" $anchor $flags
+ ;;
+ "flush")
+ pftab_command_flush "$file" $anchor $flags
+ ;;
+ "start")
+ pftab_command_start "$file" $anchor $flags
+ ;;
+ esac
+ fi
+}
+
+pftab_process_line() {
+ cmd=$1 ; sel="$2" ; file="$3" ; anchor=$4
+ if [ $# -gt 4 ] ; then
+ flags=$5
+ else
+ flags="defaults"
+ fi
+ if [ "$sel" = "all" ] ; then
+ pftab_process_command $cmd "$file" $anchor $flags
+ else
+ for x in $sel ; do
+ if [ $x = $anchor ] ; then
+ pftab_process_command $cmd "$file" $anchor $flags
+ break
+ fi
+ done
+ fi
+}
+
+pftab_process_file() {
+ cmd=$1 ; sel="$2"
+ while read line ; do
+ case "$line" in
+ ''|\#*)
+ continue
+ ;;
+ esac
+ pftab_process_line $cmd "$sel" $line
+ done < "$pftab_file"
+}
+
+pftab_start() {
+ if [ $# -gt 0 ] ; then
+ pftab_process_file start "$*"
+ else
+ pftab_process_file start all
+ fi
+}
+
+pftab_load() {
+ if [ $# -gt 0 ] ; then
+ pftab_process_file load "$*"
+ else
+ pftab_process_file load all
+ fi
+}
+
+pftab_flush() {
+ if [ $# -gt 0 ] ; then
+ pftab_process_file flush "$*"
+ else
+ pftab_process_file flush all
+ fi
+}
+
+run_rc_command "$@"
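Review bot: `pftab_process_line` never checks that a config line carries both a file and an anchor field, and since `$anchor` and `$flags` are passed unquoted, a line holding only a file path leaves `anchor` empty so the literal `defaults` flag value slides into the anchor position, ending with `pftab_command_load` running `pfctl -a defaults$pftab_suffix -f <file>` against an anchor nobody configured. A guard at the top of the function, `if [ $# -lt 4 ] ; then warn "Ignoring malformed line in $pftab_file: $3" ; return 0 ; fi`, together with quoting `"$anchor" "$flags"` at the call sites in `pftab_process_line`, `pftab_process_command` and `pftab_command_start`, keeps a malformed or whitespace-only line from loading rules anywhere (a whitespace-only line currently passes the `''|\#*` filter and aborts start with "File  missing or not readable."). The same loop in `pftab_process_file` should read with `while IFS= read -r line ; do` so a backslash in a path is not consumed by `read`, and `$line` is expanded unquoted so a glob character in any field is matched against the filesystem before the fields are even split. The `grep -qi` flag tests are substring matches, so any flags token containing `noflush`, `nofail` or `noauto` enables that option; an exact match per comma-separated token would be more predictable, though it is the lesser point.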