Skip to content

Commit

Permalink
start: Add support for pf hook script
Browse files Browse the repository at this point in the history
By setting POT_EXPORT_PORTS_PF_RULES_HOOK, the user has fine
grained control over how pf rules are setup.

This also skips creating netcat pipes.

Example scripts making use of this will come in the future.
  • Loading branch information
grembo committed Sep 26, 2023
1 parent 0c4fd3d commit 8fbc5c7
Show file tree
Hide file tree
Showing 3 changed files with 38 additions and 15 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [Unreleased]
### Added
- start: Add custom pf rule configuration hook, POT_EXPORT_PORTS_PF_RULES_HOOK (#XXX)

## [0.15.5] 2023-06-29
### Added
- set-attr: Add support for setting devfs_ruleset (#270)
Expand Down
11 changes: 11 additions & 0 deletions etc/pot/pot.default.conf
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,17 @@ POT_DNS_NAME=dns
# IP of the DNS
POT_DNS_IP=10.192.0.2

# If not empty, this script will be called by pot and the pf rules
# returned on stdout will be loaded into "pot-rdr/anchor" instead
# of those which pot would usually create. This also skips
# creation of netcat-based localhost-tunnels.
# Only works with IPv4 at the moment.
#
# Parameters sent to the script are:
# POT_EXTIF BRIDGE POT_NETWORK POT_GATEWAY proto host_port pot_ip pot_port
# Example:
# igb0 bridge1 10.192.0.0/10 10.192.0.1 tcp 32732 10.192.0.10 80
POT_EXPORT_PORTS_PF_RULES_HOOK=
# VPN support

# name of the tunnel network interface
Expand Down
38 changes: 23 additions & 15 deletions share/pot/start.sh
Original file line number Diff line number Diff line change
Expand Up @@ -324,7 +324,7 @@ _js_get_free_rnd_port()
# $1 pot name
_js_export_ports()
{
local _pname _ip _ports _excl_list _pot_port _host_port _proto_port _aname _pdir _ncat_opt _to_arg
local _pname _ip _ports _excl_list _pot_port _host_port _proto_port _aname _pdir _ncat_opt _to_arg _bridge
_pname=$1
_ip="$( _get_ip_var "$_pname" )"
_ports="$( _get_pot_export_ports "$_pname" )"
Expand All @@ -333,6 +333,7 @@ _js_export_ports()
fi
_pfrules=$(mktemp "${POT_TMP:-/tmp}/pot_pfrules_${_pname}${POT_MKTEMP_SUFFIX}") || exit 1
_lo_tunnel="$(_get_conf_var "$_pname" "pot.attr.localhost-tunnel")"
_bridge=$(_pot_bridge_ipv4)
for _port in $_ports ; do
_proto_port="tcp"
if [ "${_port#udp:}" != "${_port}" ]; then
Expand All @@ -355,20 +356,27 @@ _js_export_ports()
fi

_debug "Redirect: from $_to_arg : $_proto_port:$_host_port to $_ip : $_proto_port:$_pot_port"
echo "rdr pass on $POT_EXTIF proto $_proto_port from any to $_to_arg port $_host_port -> $_ip port $_pot_port" >> "$_pfrules"
_excl_list="$_excl_list $_host_port"
if [ -n "$POT_EXTRA_EXTIF" ]; then
for extra_netif in $POT_EXTRA_EXTIF ; do
echo "rdr pass on $extra_netif proto $_proto_port from any to ($extra_netif) port $_host_port -> $_ip port $_pot_port" >> "$_pfrules"
done
fi
if [ "$_lo_tunnel" = "YES" ]; then
_pdir="${POT_FS_ROOT}/jails/$_pname"
if [ -x "/usr/local/bin/ncat" ]; then
cp /usr/local/bin/ncat "$_pdir/ncat-$_pname-$_pot_port"
daemon -f -p "$_pdir/ncat-$_pot_port.pid" "$_pdir/ncat-$_pname-$_pot_port" -lk $_ncat_opt "$_host_port" -c "/usr/local/bin/ncat $_ncat_opt $_ip $_pot_port"
else
_error "nmap package is missing, localhost-tunnel attribute ignored"
if [ -n "$POT_EXPORT_PORTS_PF_RULES_HOOK" ]; then
"$POT_EXPORT_PORTS_PF_RULES_HOOK" \
"$POT_EXTIF" "$_bridge" "$POT_NETWORK" "$POT_GATEWAY" \
"$_proto_port" "$_host_port" "$_ip" "$_pot_port" >> "$_pfrules"
else
echo "rdr pass on $POT_EXTIF proto $_proto_port from any to $_to_arg port $_host_port -> $_ip port $_pot_port" >> "$_pfrules"

_excl_list="$_excl_list $_host_port"
if [ -n "$POT_EXTRA_EXTIF" ]; then
for extra_netif in $POT_EXTRA_EXTIF ; do
echo "rdr pass on $extra_netif proto $_proto_port from any to ($extra_netif) port $_host_port -> $_ip port $_pot_port" >> "$_pfrules"
done
fi
if [ "$_lo_tunnel" = "YES" ]; then
_pdir="${POT_FS_ROOT}/jails/$_pname"
if [ -x "/usr/local/bin/ncat" ]; then
cp /usr/local/bin/ncat "$_pdir/ncat-$_pname-$_pot_port"
daemon -f -p "$_pdir/ncat-$_pot_port.pid" "$_pdir/ncat-$_pname-$_pot_port" -lk $_ncat_opt "$_host_port" -c "/usr/local/bin/ncat $_ncat_opt $_ip $_pot_port"
else
_error "nmap package is missing, localhost-tunnel attribute ignored"
fi
fi
fi
done
Expand Down

0 comments on commit 8fbc5c7

Please sign in to comment.