diff --git a/scripts/sh/pf.sh b/scripts/sh/pf.sh
index 0014168..aab30ed 100644
--- a/scripts/sh/pf.sh
+++ b/scripts/sh/pf.sh
@@ -3,11 +3,15 @@
 # Helps you edit a production packet filter configuration and reduces the risk of doing something really bad.
 #
 # Author: Georg Pfuetzenreuter
-# Last edit: 02/11/2021
+# Created: 02/11/2021
+# Last edit: 05/12/2021
+# Version: 2.0
 #
 # This assumes .ssh/config being configured to ssh into your router with a user having write access to /tmp/* and $prodfile as well as having doas permissions for `pfctl -f $prodfile`.
 
-editor="$(which vim)"
+editor="$(which nvim)"
+difftool="/home/lysergic/lysergic-venv/bin/icdiff"
+diffargs=( -L "CURRENT CONFIGURATION" -L "YOUR CONFIGURATION" -N -U2 )
 prodfile="/etc/pf.conf"
 backupfile="/tmp/pf.conf.bak-$(date -u +%d%m%y-%H%M)"
 stagefile="/tmp/pf.conf-work-$USER-$(date -u +%d%m%y-%H%M)"
@@ -17,11 +21,14 @@ gethostaddress () {
 }
 
 init () {
-  hostaddress=$(gethostaddress)
-  if nc -nz $hostaddress 22 2>/dev/null; then
+  #hostaddress=$(gethostaddress) ##we no longer parse ssh_config and rely on functioning DNS lookups
+  hostaddress="$host"
+  if nc -z $hostaddress 22 2>/dev/null; then
     workfile="/tmp/pf.conf.$host-$USER-$(date -u +%d%m%y-%H%M)"
     ssh -q $host cp $prodfile $backupfile
     scp -q $host:$prodfile $workfile
+    localbackupfile="${workfile}_original"
+    cp $workfile $localbackupfile
     edit
   else
     echo "Host not reachable."
@@ -54,7 +61,12 @@ check () {
   esac
 }
 
+render_diff () {
+  $difftool "${diffargs[@]}" $localbackupfile $workfile
+}
+
 edit_ok () {
+  render_diff
   echo "Syntax OK. Type YES to deploy changes or anything else to abort."
   read choice
   if [ "$choice" = "YES" ]; then
@@ -105,9 +117,8 @@ deploy () {
   result="$?"
   case $result in
     0 )
-      ssh -q $host doas pfctl -f $prodfile
+      ssh -q $host "doas pfctl -f $prodfile && rm $stagefile"
       echo "OK."
-      ssh -q $host rm $stagefile
       rm $workfile
     ;;
     1 )
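Review bot: `difftool` is pinned to a personal home-directory path (`/home/lysergic/lysergic-venv/bin/icdiff`) on the new side, so every other user, and the same user on another machine, gets a broken diff step right before approving a production ruleset. Resolve it the way `editor` is resolved but with an override, `difftool="${DIFFTOOL:-$(command -v icdiff)}"`, and prefer `command -v` over `which` for `editor` as well. Nothing in this hunk checks that either tool actually resolved to a path, which is worth an explicit test at startup rather than a failure in the middle of an edit session.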
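Review bot: The new `cp $workfile $localbackupfile` runs whether or not the preceding `scp` succeeded, so a failed fetch leaves no baseline copy and the script still drops into `edit` and later diffs against a missing file. Fail fast after the transfer: `scp -q "$host:$prodfile" "$workfile" || { echo "Could not fetch $prodfile from $host." >&2; exit 1; }`. The unquoted `$hostaddress`, `$workfile` and `$localbackupfile` should be double-quoted, and with `hostaddress="$host"` the intermediate variable no longer adds anything over using `$host` directly. `init`'s body continues outside the hunk.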
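Review bot: `render_diff` is the review gate before deployment, but if `$difftool` is absent or exits non-zero the error scrolls past and `edit_ok` still asks the operator to type YES, now without having shown them what they are approving. Make the gate fail closed by starting `render_diff` with `[[ -x "$difftool" ]] || { echo "Diff tool not found: $difftool" >&2; exit 1; }` and quoting `"$localbackupfile" "$workfile"`. A short header comment noting that the function relies on `localbackupfile` being set by `init`, and that the labels mean original-on-the-left versus edited-on-the-right, would help the next maintainer.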
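Review bot: The exit status of the combined `ssh -q $host "doas pfctl -f $prodfile && rm $stagefile"` is never inspected, so `echo "OK."` and the local `rm $workfile` run even when `doas` is denied or `pfctl -f` rejects the ruleset, telling the operator the deploy succeeded when nothing was loaded. Guard it: `ssh -q "$host" "doas pfctl -f $prodfile && rm $stagefile" || { echo "Deploy failed on $host; backup kept at $backupfile" >&2; exit 1; }`. Folding the `rm` into the same remote command is itself an improvement, since the stage file now only disappears after a successful load. `deploy`'s body starts and ends outside the hunk.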