pbot-vm: simplify `network` script slightly

pbot-vm: consolidate network enable/disable into one script
2024-04-12 13:12:41 -07:00 · 2024-04-12 13:07:27 -07:00
9 changed files with 73 additions and 33 deletions
--- a/applets/pbot-vm/guest/bin/disable-network-iptables
+++ b/applets/pbot-vm/guest/bin/disable-network-iptables
@ -1,9 +0,0 @@
-#!/bin/sh
-# disables all incoming, outgoing and forwarded traffic except incoming/established SSH
-iptables -F
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-iptables -P INPUT DROP
-iptables -P FORWARD DROP
-iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -P OUTPUT DROP
--- a/applets/pbot-vm/guest/bin/disable-network-nftables
+++ b/applets/pbot-vm/guest/bin/disable-network-nftables
@ -1,8 +0,0 @@
-#!/bin/sh
-# disables all incoming, outgoing and forwarded traffic except incoming/established SSH
-nft add table ip filter
-nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }'
-nft add chain ip filter OUTPUT '{ type filter hook output priority 0; policy drop; }'
-nft 'add rule ip filter INPUT ct state related,established counter accept'
-nft 'add rule ip filter INPUT tcp dport 22 counter accept'
-nft 'add rule ip filter OUTPUT ct state related,established counter accept'
--- a/applets/pbot-vm/guest/bin/enable-network-iptables
+++ b/applets/pbot-vm/guest/bin/enable-network-iptables
@ -1,3 +0,0 @@
-#!/bin/sh
-# removes all iptables rules to re-enable networking
-iptables -F
--- a/applets/pbot-vm/guest/bin/enable-network-nftables
+++ b/applets/pbot-vm/guest/bin/enable-network-nftables
@ -1,3 +0,0 @@
-#!/bin/sh
-# deletes filter table to re-enable networking
-nft delete table ip filter
--- a/applets/pbot-vm/guest/bin/network
+++ b/applets/pbot-vm/guest/bin/network
@ -0,0 +1,64 @@
+#!/bin/bash
+
+Usage="$0 <on|off> [iptables|ipt|nftables|nft]"
+
+DefaultMode="iptables"
+
+EnableNetwork() {
+    case $1 in
+        iptables)
+            iptables -F ;;
+        nftables)
+            nft delete table ip filter ;;
+    esac
+}
+
+DisableNetwork() {
+    case $1 in
+        iptables)
+            iptables -F
+            iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+            iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+            iptables -P INPUT DROP
+            iptables -P FORWARD DROP
+            iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+            iptables -P OUTPUT DROP
+            ;;
+        nftables)
+            nft add table ip filter
+            nft add chain ip filter INPUT '{ type filter hook input priority 0; policy drop; }'
+            nft add chain ip filter OUTPUT '{ type filter hook output priority 0; policy drop; }'
+            nft add rule ip filter INPUT ct state related,established counter accept
+            nft add rule ip filter INPUT tcp dport 22 counter accept
+            nft add rule ip filter OUTPUT ct state related,established counter accept
+            ;;
+    esac
+}
+
+Main() {
+    case $2 in
+        iptables|ipt)
+            Mode="iptables" ;;
+        nftables|nft)
+            Mode="nftables" ;;
+        "")
+            Mode=$DefaultMode ;;
+        *)
+            echo "Invalid mode \`$2\`; usage: $Usage"
+            exit 1 ;;
+    esac
+
+    case $1 in
+        on)
+            echo "Enabling networking with $Mode"
+            EnableNetwork "$Mode" ;;
+        off)
+            echo "Disabling networking with $Mode"
+            DisableNetwork "$Mode" ;;
+        *)
+            echo "Invalid command \`$1\`; usage: $Usage"
+            exit 1 ;;
+    esac
+}
+
+Main "$@"
--- a/applets/pbot-vm/guest/provision/debian-trixie
+++ b/applets/pbot-vm/guest/provision/debian-trixie
@ -25,8 +25,8 @@ apt install -y --no-install-recommends default-jre default-jdk
 apt install -y --no-install-recommends libipc-run-perl libjson-xs-perl

 # disable networking
-./guest/bin/disable-network-iptables
+./guest/bin/network off iptables

 echo 'Networking disabled.'
-echo 'To re-enable, run ./guest/bin/enable-networking-iptables'
-echo 'To disable again, run ./guest/bin/disable-network-iptables'
+echo 'To re-enable, run ./guest/bin/network on iptables'
+echo 'To disable again, run ./guest/bin/network off iptables'
--- a/applets/pbot-vm/guest/provision/tumbleweed
+++ b/applets/pbot-vm/guest/provision/tumbleweed
@ -22,8 +22,8 @@ zypper -n in --no-recommends clisp gcc-go java java-devel
 zypper -n in perl-IPC-Run perl-JSON-XS

 # disable networking
-./guest/bin/disable-network-nftables
+./guest/bin/network off nftables

 echo 'Networking disabled.'
-echo 'To re-enable, run ./guest/bin/enable-networking-nftables'
-echo 'To disable again, run ./guest/bin/disable-network-nftables'
+echo 'To re-enable, run ./guest/bin/network on nftables'
+echo 'To disable again, run ./guest/bin/network off nftables'
--- a/applets/pbot-vm/host/bin/vm-exec
+++ b/applets/pbot-vm/host/bin/vm-exec
@ -299,8 +299,7 @@ sub main() {
            exit 2;
        }

-        print $health "\n";
-
+        print $health "\n"; # request health

        eval {
            alarm 2;
--- a/lib/PBot/VERSION.pm
+++ b/lib/PBot/VERSION.pm
@ -25,8 +25,8 @@ use PBot::Imports;
 # These are set by the /misc/update_version script
 use constant {
    BUILD_NAME     => "PBot",
-    BUILD_REVISION => 4747,
-    BUILD_DATE     => "2024-04-10",
+    BUILD_REVISION => 4749,
+    BUILD_DATE     => "2024-04-12",
 };

 sub initialize {}
Author	SHA1	Message	Date
Pragmatic Software	e4cb6ceff6	pbot-vm: simplify `network` script slightly	2024-04-12 13:12:41 -07:00
Pragmatic Software	111f3bd2e7	pbot-vm: consolidate network enable/disable into one script	2024-04-12 13:07:27 -07:00