-
Notifications
You must be signed in to change notification settings - Fork 5
/
rpfload.pl
executable file
·158 lines (136 loc) · 5.39 KB
/
rpfload.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
#!/usr/bin/env perl
# Copyright (c) 2021 Joseph Fierro <joe@kernelpanic.life>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
use strict;
use warnings;
use Getopt::Long;
use Sys::Syslog qw(:DEFAULT setlogsock);
use File::Basename;
use if $^O eq 'openbsd', "OpenBSD::Pledge";
my $live_config;
my $backup_config;
my $time;
my $overwrite = 0;
my $disable = 0;
my $help = 0;
if ( $^O eq 'openbsd' ) {
pledge ( qw ( rpath unix proc exec ))
or die "Unable to pledge: $!";
}
GetOptions(
"live_config|f=s" => \$live_config,
"backup_config|b=s" => \$backup_config,
"o" => \$overwrite,
"d" => \$disable,
"h" => \$help,
"time|t=i" => \$time
) or die "Error parsing command line arguments";
if ( $help ) {
print ( "Usage:\n\trpfload [-t seconds] [-o] -f live_config -b backup_config\n\trpfload [-t seconds] -d -f live_config\n\n" );
exit;
}
if ( !$live_config ) {
die "Error: no live configuration specified";
}
if ( !$backup_config && !$disable ) {
die "Error: no backup configuration specified";
}
if ( $disable && $overwrite ) {
die "Error: -d and -o are mutually exclusive";
}
if ( $disable && $backup_config ) {
die "Error: -d and -b are mutually exclusive";
}
if ( !$time ) {
$time = 60;
}
if ( $? != 0 ) {
die "Error: pfctl failed to load live configuration";
}
setlogsock ( "unix" );
openlog ( basename ( $0 ), "pid", "local3" )
or die "Could not open syslog";
# First, check the backup file for errors, if we're using one.
# If that fails, log it and die now, because we don't want to continue
if ( !$disable ) {
print ( "Checking backup config for syntax errors...\n" );
system ( '/sbin/pfctl', '-nf', $backup_config );
if ( $? != 0 ) {
syslog ( "warning", "errors detected in %s, exiting without taking any action", $backup_config );
die "Error: pfctl detected errors in $backup_config, quitting now without taking any action";
} else {
print ( "Backup config OK\n\n" );
}
}
# We'll check the live config file for syntax errors too.
# If that fails, die immediately because pfctl will fail to load it anyway.
# Then, load the live config and log it.
print ( "rpfload: Checking live config for syntax errors. Config we are loading is below (verbose):\n" );
print ( "\n--------\n" );
system ( '/sbin/pfctl', '-nvvf', $live_config );
print ( "--------\n\n" );
if ( $? != 0 ) {
syslog ( "warning", "errors detected in %s, not loading it", $live_config );
die "Error: pfctl detected errors in $live_config, not loading it";
} else {
system ( '/sbin/pfctl', '-f', $live_config);
if ( $? != 0 ) {
syslog ( "warning", "pfctl failed to load %s", $live_config );
die "Error: pfctl could not load configuration at $live_config";
}
syslog ( "warning", "loaded PF configuration at %s", $live_config );
print ( "rpfload: loaded live configuration at $live_config\n" );
}
# These are just informational messages about what is about to happen
if ( $disable ) {
print ( "rpfload: disabling pf in $time seconds\n");
} else {
print ( "rpfload: reverting to $backup_config in $time seconds.\n" );
}
print( "Ctrl-C or kill process $$ to cancel rollback and keep current configuration\n" );
if ( $overwrite ) {
print ( "rpfload: overwrite requested, will replace $live_config with $backup_config unless cancelled\n" );
}
# Sleep for the amount of time requested. Default is 60 seconds
sleep ( $time );
# If the user has requested to disable PF, disable it if the process is still running at this point.
# Otherwise, we will attempt to load the backup config.
if ( $disable ) {
system ( "/sbin/pfctl -d" );
if ( $? !=0 ) {
syslog ( "warning", "pfctl could not disable pf, firewall still enabled" );
die "Error: pfctl could not disable pf";
}
syslog ( "warning", "Timeout reached, disabled PF" );
print ( "rpfload: disabled pf\n");
} else {
system ( '/sbin/pfctl', '-f', $backup_config );
if ( $? != 0 ) {
syslog ( "warning", "pfctl could not load backup configuration at %s", $backup_config );
die "Error: pfctl could not load backup configuration";
}
syslog ( "warning", "reverted PF configuration to backup at %s", $backup_config );
print ( "rpfload: reverted PF configuration to backup at $backup_config\n" );
}
# If overwrting the config file was requested, we'll copy the backup_config to the live_config location.
if ( $overwrite ) {
system ( '/bin/cp', $backup_config, $live_config );
if ($? != 0 ) {
syslog ("warning", "failed to overwrite %s with %s", $live_config, $backup_config );
die "Error: failed to overwrite $live_config with $backup_config";
}
syslog ( "warning", "Overwrote %s with %s", $live_config, $backup_config );
print ( "rpfload: overwrote $live_config with $backup_config\n" );
}
closelog();