2021-12-02 14:25:02 +01:00
#!/bin/sh
#
# Helps you edit a production packet filter configuration and reduces the risk of doing something really bad.
#
# Author: Georg Pfuetzenreuter <georg@lysergic.dev>
2021-12-05 14:58:59 +01:00
# Created: 02/11/2021
# Last edit: 05/12/2021
# Version: 2.0
2021-12-02 14:25:02 +01:00
#
# This assumes .ssh/config being configured to ssh into your router with a user having write access to /tmp/* and $prodfile as well as having doas permissions for `pfctl -f $prodfile`.
2021-12-05 14:58:59 +01:00
editor = " $( which nvim) "
difftool = "/home/lysergic/lysergic-venv/bin/icdiff"
diffargs = ( -L "CURRENT CONFIGURATION" -L "YOUR CONFIGURATION" -N -U2 )
2021-12-02 14:25:02 +01:00
prodfile = "/etc/pf.conf"
backupfile = " /tmp/pf.conf.bak- $( date -u +%d%m%y-%H%M) "
stagefile = " /tmp/pf.conf-work- $USER - $( date -u +%d%m%y-%H%M) "
gethostaddress ( ) {
ssh -G " $host " | grep hostname | awk '{print $2}' | head -n1
}
init ( ) {
2021-12-05 14:58:59 +01:00
#hostaddress=$(gethostaddress) ##we no longer parse ssh_config and rely on functioning DNS lookups
hostaddress = " $host "
if nc -z $hostaddress 22 2>/dev/null; then
2021-12-02 14:25:02 +01:00
workfile = " /tmp/pf.conf. $host - $USER - $( date -u +%d%m%y-%H%M) "
ssh -q $host cp $prodfile $backupfile
scp -q $host :$prodfile $workfile
2021-12-05 14:58:59 +01:00
localbackupfile = " ${ workfile } _original "
cp $workfile $localbackupfile
2021-12-02 14:25:02 +01:00
edit
else
echo "Host not reachable."
fi
}
edit ( ) {
if [ ! -f " $workfile " ] ; then
echo "Could not create workfile."
exit 1
else
$editor " $workfile "
scp -q $workfile $host :$stagefile
check
fi
}
check ( ) {
echo " $stagefile "
ssh -q $host pfctl -nf $stagefile
result = " $? "
case $result in
0 ) edit_ok
; ;
1 ) edit_failed
; ;
* ) echo " $result - Unhandled condition. Aborting. " && exit 1
; ;
esac
}
2021-12-05 14:58:59 +01:00
render_diff ( ) {
$difftool " ${ diffargs [@] } " $localbackupfile $workfile
}
2021-12-02 14:25:02 +01:00
edit_ok ( ) {
2021-12-05 14:58:59 +01:00
render_diff
2021-12-02 14:25:02 +01:00
echo "Syntax OK. Type YES to deploy changes or anything else to abort."
read choice
if [ " $choice " = "YES" ] ; then
deploy
else
#rollback
abort
fi
}
edit_failed ( ) {
echo "Syntax error. [e]dit or [a]bort?"
read choice
if [ " $choice " = "e" ] ; then
edit
elif [ " $choice " = "a" ] ; then
abort
echo "OK. Exiting."
else
echo "Invalid choice. Let's try this again."
edit_failed
fi
}
abort ( ) {
rm $workfile
ssh -q $host rm $stagefile
}
rollback ( ) {
ssh -q $host cp $backupfile $prodfile
ssh -q $host pfctl -nf $prodfile
result = " $? "
case $result in
0 ) echo "Rollback ok." && exit
; ;
1 ) echo "Rollback failed. You NEED to investigate this."
; ;
* ) echo "Unhandled rollback return code. Investigate this!"
; ;
esac
}
deploy ( ) {
ssh -q $host cp $stagefile $prodfile
ssh -q $host pfctl -nf $prodfile
result = " $? "
case $result in
0 )
2021-12-05 14:58:59 +01:00
ssh -q $host " doas pfctl -f $prodfile && rm $stagefile "
2021-12-02 14:25:02 +01:00
echo "OK."
rm $workfile
; ;
1 )
echo "Deployment failed. Initiating rollback."
rollback
; ;
* ) echo "Unhandled condition. Investigate this! Initiating rollback."
rollback
; ;
esac
}
if [ -z " $1 " ] ; then
echo "Missing argument. Specify a host."
exit 1
else
host = " $1 "
init
fi