diff --git a/applets/pbot-vm/guest/bin/disable-network-iptables b/applets/pbot-vm/guest/bin/disable-network-iptables
deleted file mode 100755
index 63cb7c6a..00000000
--- a/applets/pbot-vm/guest/bin/disable-network-iptables
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-# disables all incoming, outgoing and forwarded traffic except incoming/established SSH
-iptables -F
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-iptables -P INPUT DROP
-iptables -P FORWARD DROP
-iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -P OUTPUT DROP
diff --git a/applets/pbot-vm/guest/bin/disable-network-nftables b/applets/pbot-vm/guest/bin/disable-network-nftables
deleted file mode 100755
index 5823ea8c..00000000
--- a/applets/pbot-vm/guest/bin/disable-network-nftables
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-# disables all incoming, outgoing and forwarded traffic except incoming/established SSH
-nft add table ip filter
-nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }'
-nft add chain ip filter OUTPUT '{ type filter hook output priority 0; policy drop; }'
-nft 'add rule ip filter INPUT ct state related,established counter accept'
-nft 'add rule ip filter INPUT tcp dport 22 counter accept'
-nft 'add rule ip filter OUTPUT ct state related,established counter accept'
diff --git a/applets/pbot-vm/guest/bin/enable-network-iptables b/applets/pbot-vm/guest/bin/enable-network-iptables
deleted file mode 100755
index ceb5905f..00000000
--- a/applets/pbot-vm/guest/bin/enable-network-iptables
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# removes all iptables rules to re-enable networking
-iptables -F
diff --git a/applets/pbot-vm/guest/bin/enable-network-nftables b/applets/pbot-vm/guest/bin/enable-network-nftables
deleted file mode 100755
index 291c9810..00000000
--- a/applets/pbot-vm/guest/bin/enable-network-nftables
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# deletes filter table to re-enable networking
-nft delete table ip filter
diff --git a/applets/pbot-vm/guest/bin/network b/applets/pbot-vm/guest/bin/network
new file mode 100755
index 00000000..f7645add
--- /dev/null
+++ b/applets/pbot-vm/guest/bin/network
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+Usage="$0 [iptables|ipt|nftables|nft]"
+
+DefaultMode="iptables"
+
+EnableNetwork() {
+    case $1 in
+        iptables)
+            iptables -F ;;
+        nftables)
+            nft delete table ip filter ;;
+    esac
+}
+
+DisableNetwork() {
+    case $1 in
+        iptables)
+            iptables -F
+            iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+            iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+            iptables -P INPUT DROP
+            iptables -P FORWARD DROP
+            iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+            iptables -P OUTPUT DROP
+            ;;
+        nftables)
+            nft add table ip filter
+            nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }'
+            nft add chain ip filter OUTPUT '{ type filter hook output priority 0; policy drop; }'
+            nft add rule ip filter INPUT ct state related,established counter accept
+            nft add rule ip filter INPUT tcp dport 22 counter accept
+            nft add rule ip filter OUTPUT ct state related,established counter accept
+            ;;
+    esac
+}
+
+Main() {
+    case $1 in
+        on|off) ;;
+        *)
+            echo "Invalid command \`$1\`; usage: $Usage"
+            exit 1 ;;
+    esac
+
+    Toggle="$1"
+
+    case $2 in
+        iptables|ipt)
+            Mode="iptables" ;;
+        nftables|nft)
+            Mode="nftables" ;;
+        "")
+            Mode=$DefaultMode ;;
+        *)
+            echo "Invalid mode \`$2\`; usage: $Usage"
+            exit 1 ;;
+    esac
+
+    case $Toggle in
+        "on")
+            echo "Enabling networking with $Mode"
+            EnableNetwork "$Mode" ;;
+        "off")
+            echo "Disabling networking with $Mode"
+            DisableNetwork "$Mode" ;;
+    esac
+}
+
+Main "$@"
diff --git a/applets/pbot-vm/guest/provision/debian-trixie b/applets/pbot-vm/guest/provision/debian-trixie
index 4637a202..20c02115 100755
--- a/applets/pbot-vm/guest/provision/debian-trixie
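Review bot: DisableNetwork only filters IPv4 in both branches — there are no ip6tables calls, and `ip filter` is the IPv4-only nft family — so if the guest has IPv6 connectivity the "networking disabled" state still lets IPv6 traffic through; the nftables branch also lacks the forward-drop that the iptables branch sets with `iptables -P FORWARD DROP`. The rewrite below mirrors the rules through ip6tables and moves the nft table to the `inet` family with a FORWARD chain. Separately, no firewall command's exit status is checked, so a failing `nft`/`iptables` still lets the script exit 0 and the provision scripts then print "Networking disabled."; `set -e` after the shebang turns that into a hard failure. The usage string also omits the first positional argument: `Usage="$0 on|off [iptables|ipt|nftables|nft]"`.
```shell
#!/bin/bash
set -e   # a failing iptables/nft call must not leave the script exiting 0

Usage="$0 on|off [iptables|ipt|nftables|nft]"
# … unchanged: DefaultMode …

EnableNetwork() {
    case $1 in
        iptables)
            iptables -F
            ip6tables -F ;;
        nftables)
            nft delete table inet filter ;;
    esac
}

DisableNetwork() {
    case $1 in
        iptables)
            # … unchanged: the seven IPv4 iptables rules …
            # mirror them for IPv6, which iptables does not touch
            ip6tables -F
            ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
            ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
            ip6tables -P INPUT DROP
            ip6tables -P FORWARD DROP
            ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
            ip6tables -P OUTPUT DROP
            ;;
        nftables)
            # the inet family hooks both IPv4 and IPv6; FORWARD matches the iptables branch
            nft add table inet filter
            nft add chain inet filter INPUT '{ type filter hook input priority 0; policy drop; }'
            nft add chain inet filter FORWARD '{ type filter hook forward priority 0; policy drop; }'
            nft add chain inet filter OUTPUT '{ type filter hook output priority 0; policy drop; }'
            nft add rule inet filter INPUT ct state related,established counter accept
            nft add rule inet filter INPUT tcp dport 22 counter accept
            nft add rule inet filter OUTPUT ct state related,established counter accept
            ;;
    esac
}
# … unchanged: Main and the Main "$@" call …
```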
+++ b/applets/pbot-vm/guest/provision/debian-trixie
@@ -25,8 +25,8 @@ apt install -y --no-install-recommends default-jre default-jdk
 apt install -y --no-install-recommends libipc-run-perl libjson-xs-perl
 
 # disable networking
-./guest/bin/disable-network-iptables
+./guest/bin/network off iptables
 echo 'Networking disabled.'
-echo 'To re-enable, run ./guest/bin/enable-networking-iptables'
-echo 'To disable again, run ./guest/bin/disable-network-iptables'
+echo 'To re-enable, run ./guest/bin/network on iptables'
+echo 'To disable again, run ./guest/bin/network off iptables'
 
diff --git a/applets/pbot-vm/guest/provision/tumbleweed b/applets/pbot-vm/guest/provision/tumbleweed
index 38f9ea0d..3d6458b9 100755
--- a/applets/pbot-vm/guest/provision/tumbleweed
+++ b/applets/pbot-vm/guest/provision/tumbleweed
@@ -22,8 +22,8 @@ zypper -n in --no-recommends clisp gcc-go java java-devel
 zypper -n in perl-IPC-Run perl-JSON-XS
 
 # disable networking
-./guest/bin/disable-network-nftables
+./guest/bin/network off nftables
 echo 'Networking disabled.'
-echo 'To re-enable, run ./guest/bin/enable-networking-nftables'
-echo 'To disable again, run ./guest/bin/disable-network-nftables'
+echo 'To re-enable, run ./guest/bin/network on nftables'
+echo 'To disable again, run ./guest/bin/network off nftables'
 
diff --git a/applets/pbot-vm/host/bin/vm-exec b/applets/pbot-vm/host/bin/vm-exec
index 2fa678c3..4fd94e09 100755
--- a/applets/pbot-vm/host/bin/vm-exec
+++ b/applets/pbot-vm/host/bin/vm-exec
@@ -299,8 +299,7 @@ sub main() {
         exit 2;
     }
 
-    print $health "\n";
-
+    print $health "\n"; # request health
     eval {
         alarm 2;
 
diff --git a/lib/PBot/VERSION.pm b/lib/PBot/VERSION.pm
index d00d822e..18ea2bc9 100644
--- a/lib/PBot/VERSION.pm
+++ b/lib/PBot/VERSION.pm
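Review bot: The exit status of the new `./guest/bin/network off iptables` line is ignored, so if the script fails (iptables not installed, not running as root) the next line still prints 'Networking disabled.' and provisioning finishes with the guest's network left open. Unless the provision script runs under `set -e` (its header is outside the hunk), guard the call: `./guest/bin/network off iptables || { echo 'Failed to disable networking' >&2; exit 1; }`. The same applies to the tumbleweed hunk's `./guest/bin/network off nftables` line.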
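Review bot: The write on the new `print $health "\n"; # request health` line is unchecked, so if the `$health` handle has gone away the failure is either a silent false return or a SIGPIPE (depending on what `$health` is, which the hunk does not show), and the only visible symptom is the 2-second alarm below expiring; `print {$health} "\n" or die "health request: $!";` reports it at the point of failure. The braces around the handle are also the idiomatic form for a handle held in a scalar. main()'s body starts and ends outside the hunk.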
@@ -25,8 +25,8 @@ use PBot::Imports;
 # These are set by the /misc/update_version script
 use constant {
     BUILD_NAME => "PBot",
-    BUILD_REVISION => 4747,
-    BUILD_DATE => "2024-04-10",
+    BUILD_REVISION => 4748,
+    BUILD_DATE => "2024-04-12",
 };
 
 sub initialize {}