Diffstat (limited to 'scripts/sh')
-rw-r--r--scripts/sh/pf.sh23
1 files changed, 17 insertions, 6 deletions
diff --git a/scripts/sh/pf.sh b/scripts/sh/pf.sh
index 0014168..aab30ed 100644
--- a/scripts/sh/pf.sh
+++ b/scripts/sh/pf.sh
@@ -3,11 +3,15 @@
# Helps you edit a production packet filter configuration and reduces the risk of doing something really bad.
#
# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
-# Last edit: 02/11/2021
+# Created: 02/11/2021
+# Last edit: 05/12/2021
+# Version: 2.0
#
# This assumes .ssh/config being configured to ssh into your router with a user having write access to /tmp/* and $prodfile as well as having doas permissions for `pfctl -f $prodfile`.
-editor="$(which vim)"
+editor="$(which nvim)"
+difftool="/home/lysergic/lysergic-venv/bin/icdiff"
+diffargs=( -L "CURRENT CONFIGURATION" -L "YOUR CONFIGURATION" -N -U2 )
prodfile="/etc/pf.conf"
backupfile="/tmp/pf.conf.bak-$(date -u +%d%m%y-%H%M)"
stagefile="/tmp/pf.conf-work-$USER-$(date -u +%d%m%y-%H%M)"
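Review bot: The added `difftool` line pins the diff tool to one user's venv path (`/home/lysergic/...`), so `render_diff` will fail for any other operator or workstation even though the rest of the script is user-agnostic. Resolve it the way `editor` is resolved, e.g. `difftool="$(command -v icdiff)"`, leaving the absolute path as a local override, and prefer `command -v` over `which` on the `editor` line as well, since `which` is an external tool whose output and exit status vary across platforms. Neither variable is checked for being empty, so a missing tool only surfaces later as a "command not found" in the middle of an edit session; a fail-fast check such as `[ -n "$editor" ] && [ -x "$difftool" ] || { echo "editor or difftool not found" >&2; exit 1; }` right after the assignments would catch it before anything is copied from the router.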
@@ -17,11 +21,14 @@ gethostaddress () {
}
init () {
- hostaddress=$(gethostaddress)
- if nc -nz $hostaddress 22 2>/dev/null; then
+ #hostaddress=$(gethostaddress) ##we no longer parse ssh_config and rely on functioning DNS lookups
+ hostaddress="$host"
+ if nc -z $hostaddress 22 2>/dev/null; then
workfile="/tmp/pf.conf.$host-$USER-$(date -u +%d%m%y-%H%M)"
ssh -q $host cp $prodfile $backupfile
scp -q $host:$prodfile $workfile
+ localbackupfile="${workfile}_original"
+ cp $workfile $localbackupfile
edit
else
echo "Host not reachable."
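Review bot: `localbackupfile` is a predictable /tmp name (the workfile name plus `_original`, built from a minute-resolution timestamp), and `cp $workfile $localbackupfile` writes the firewall configuration through whatever already exists at that path, since cp follows a pre-existing destination symlink; the unchanged `workfile` line above has the same property. Create the local copy with mktemp instead, e.g. `localbackupfile=$(mktemp "/tmp/pf.conf.${host}-${USER}.XXXXXX") || exit 1` followed by `cp -- "$workfile" "$localbackupfile"`. The new `hostaddress="$host"` assignment is quoted but `nc -z $hostaddress 22` and the cp line are not, which matters if `$host` is ever populated from an argument containing whitespace or glob characters. The body of init continues past the end of the hunk.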
@@ -54,7 +61,12 @@ check () {
esac
}
+render_diff () {
+ $difftool "${diffargs[@]}" $localbackupfile $workfile
+}
+
edit_ok () {
+ render_diff
echo "Syntax OK. Type YES to deploy changes or anything else to abort."
read choice
if [ "$choice" = "YES" ]; then
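Review bot: `render_diff` has no guard for `$difftool` being absent or non-executable, and `edit_ok` ignores its exit status, so when icdiff is missing the operator is asked to type YES without ever having seen the diff the function was added to show. Check the tool before invoking it and quote the file arguments: `[ -x "$difftool" ] || { echo "difftool not found: $difftool" >&2; return 1; }` followed by `"$difftool" "${diffargs[@]}" "$localbackupfile" "$workfile"`. In `edit_ok`, call it as `render_diff || echo "Could not render diff; review $workfile against $localbackupfile manually." >&2` so the failure is visible immediately before the deploy prompt. The body of edit_ok continues past the end of the hunk.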
@@ -105,9 +117,8 @@ deploy () {
result="$?"
case $result in
0 )
- ssh -q $host doas pfctl -f $prodfile
+ ssh -q $host "doas pfctl -f $prodfile && rm $stagefile"
echo "OK."
- ssh -q $host rm $stagefile
rm $workfile
;;
1 )
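Review bot: The exit status of the combined remote command on the new `ssh -q $host "doas pfctl -f $prodfile && rm $stagefile"` line is discarded, so `echo "OK."` and `rm $workfile` run even when `pfctl -f` rejects the configuration or the ssh session itself fails. Before this change the two ssh calls were independent; now a pfctl failure correctly leaves `$stagefile` on the router, but the local copy is still deleted and the operator is told OK, which is the opposite of what the script's header promises. Branch on the ssh status and keep the local workfile on failure so the edit can be recovered. Note also that `$prodfile` and `$stagefile` are expanded locally into a single string that the remote shell re-parses; both values are script-controlled here, but they are unquoted inside that string. The deploy function begins, and the case statement ends, outside the hunk.
```shell
0 )
  if ssh -q "$host" "doas pfctl -f $prodfile && rm $stagefile"; then
    echo "OK."
    rm -- "$workfile"
  else
    echo "Deploy failed on $host; $stagefile left on the router and $workfile kept locally." >&2
  fi
  ;;
# … unchanged: remaining case arms …
```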