#!/bin/sh
# edition "secure" de /etc/pf.conf
# première version: alias vipf='cp -f /etc/pf.conf /tmp/pf.conf.new && vim /tmp/pf.conf.new; diff /tmp/pf.conf.new /etc/pf.conf || ( pfctl -nf /tmp/pf.conf.new && (cp -f /etc/pf.conf /etc/pf.conf.bak; mv /tmp/pf.conf.new /etc/pf.conf; pfctl -f /etc/pf.conf))'
#
# si appelé avec plusieurs arguments, ce sont les IP des
# machines pf à synchroniser (la sienne comprise éventuellement)
#
# teste sous OpenBSD & FreeBSD
#
# usage: $0 [IP1 IP2]
#
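# Paths can be overridden from the environment (handy for trying the script
# on a non-production copy); the defaults are the original hard-coded values.
PFCONF=${PFCONF:-/etc/pf.conf}
# A fixed name under /tmp is deliberate: a leftover edit can be picked up
# again on the next run, and the same path is reused on the remote hosts.
NEWCONF=${NEWCONF:-/tmp/pf.conf.new}
# epoch timestamp appended to the backup copies (local and remote)
DATE=$(date +%s)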
#################################
#### <extraits d'une "librairie">
# o/n, y/N, ...
# usage: askok "question" && do_something || echo "Annulé"
# ou: if askok "question"; then
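askok () {
  # Prints a yes/no question on stdout and reads the reply from stdin.
  # $1: the question
  # $2: optional; "O" makes "yes" the default for an empty reply,
  #     anything else (or no $2) makes "no" the default
  # Returns 0 for o/O/y/Y, 1 for n/N or any other reply, the default
  # for an empty reply (or EOF).
  if [ $# -eq 2 ] && [ "$2" = "O" ]; then
    # printf: the question is data, not an echo option string
    printf '%s (O/n)\n' "$1"
    def=0
  else
    printf '%s (o/N)\n' "$1"
    def=1
  fi
  # -r keeps backslashes in the reply literal
  read -r reponse_askok
  case "$reponse_askok" in
    o|O|y|Y) return 0 ;;
    n|N) return 1 ;;
    "") return "$def" ;;
  esac
  return 1
}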
# fait un 'git commit' du/des fichiers
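commitit() {
  # Stages the given files and commits them in the repository rooted at /
  # (the script keeps the configuration under /.git).
  # usage: commitit [-m "message"] file...
  # Without -m, git opens the editor; either way the message ends up in
  # /.git/COMMIT_EDITMSG, which the main script reuses for the remote hosts.
  # Returns the status of 'git commit' (or of a failed 'git add').
  # skip all: export TEST_NO_GIT=1
  [ -n "$TEST_NO_GIT" ] && return
  commit_msg=
  if [ "$1" = "-m" ]; then
    shift
    # stored in a plain variable and actually passed to git below
    # (the previous version exported it under one name and read another)
    commit_msg=$1
    shift
  fi
  for arg in "$@"; do
    git add -- "$arg" || return
  done
  # subshell: the caller's working directory is left untouched
  if [ -n "$commit_msg" ]; then
    ( cd / && git commit -m "$commit_msg" )
  else
    ( cd / && git commit )
  fi
}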
# détermine mon IP dans une liste (pour les synchro de confs)
# usage: MONIP=$(qui_suis_je IP1 IP2 IP3 ...)
# LESAUTRES=$(qui_suis_je pas IP1 IP2 IP3 ...)
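qui_suis_je () {
  # Finds which of the given IPs is configured on this host (per ifconfig).
  # usage: qui_suis_je IP1 IP2 ...      -> prints my IP, returns 1 if none
  #        qui_suis_je pas IP1 IP2 ...  -> prints the list without my IP
  pas="0"
  if [ "$1" = "pas" ]; then
    shift
    pas="pas"
  fi
  nous=$*
  # reset: without this a previous call's result would leak into this one
  moi=""
  moi_re=""
  # word-splitting wanted: $nous is a space-separated list of IPs
  for i in $nous; do
    # escape the dots so they match literally in the grep pattern
    i_re=$(printf '%s\n' "$i" | sed 's/\./\\./g')
    if ifconfig | grep -q "inet[[:space:]]$i_re[^0-9]"; then
      moi=$i
      moi_re=$i_re
    fi
  done
  if [ "$pas" = "pas" ]; then
    if [ -n "$moi" ]; then
      printf '%s\n' "$nous" | sed 's/[[:space:]]*'"$moi_re"'[[:space:]]*/ /'
    else
      # nothing matched: the list is returned unchanged
      printf '%s\n' "$nous"
    fi
  else
    [ -n "$moi" ] || return 1
    printf '%s\n' "$moi"
  fi
}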
#### </extraits d'une "librairie">
###################################
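# Main flow: edit a copy of $PFCONF, validate it with pfctl -n, install it,
# commit it, reload pf, and optionally push it to the other firewalls.
# This runs as root and writes to a fixed name under /tmp: refuse to go
# through a symlink somebody else may have planted there.
if [ -L "$NEWCONF" ]; then
  echo "$NEWCONF est un lien symbolique, abandon." >&2
  exit 1
fi
if [ -f "$NEWCONF" ]; then
  echo "Un fichier $NEWCONF existe deja."
  if diff "$PFCONF" "$NEWCONF"; then
    echo "...mais est identique a $PFCONF. suppression"
    rm "$NEWCONF"
  else
    askok "Reutiliser $NEWCONF ?" || rm -f "$NEWCONF"
  fi
fi
test -f "$NEWCONF" || cp "$PFCONF" "$NEWCONF"
# 'exit', not 'return': 'return' outside a function is not portable
# (bash rejects it and carries on with the next command)
test -f "$NEWCONF" || exit 1
vim "$NEWCONF" || exit $?
if ! diff "$PFCONF" "$NEWCONF"; then
  while ! pfctl -nf "$NEWCONF"; do
    echo "Les regles ne sont pas bonnes..."
    if askok "reedition"; then
      vim "$NEWCONF"
    else
      break
    fi
  done
  if pfctl -nf "$NEWCONF"; then
    cp -f "$PFCONF" "$PFCONF.$DATE"
    cp "$NEWCONF" "$PFCONF"
    commitit "$PFCONF"
    ( pfctl -d; pfctl -F rules; pfctl -ef "$PFCONF" )
    if [ $# -gt 1 ] && qui_suis_je "$@" > /dev/null; then
      if askok "On envoie sur les autres fw ?"; then
        # word-splitting wanted: qui_suis_je prints a space-separated list
        for fw in $(qui_suis_je pas "$@"); do
          echo "Envoi sur $fw..."
          if [ -f "/root/.vipf.$fw.sed" ]; then
            # remplacements depuis /root/.vipf.$fw.sed
            sed -f "/root/.vipf.$fw.sed" "$PFCONF" > "$NEWCONF"
          else
            # start again from the installed config: $NEWCONF may still
            # hold the previous host's substituted version
            cp -f "$PFCONF" "$NEWCONF"
          fi
          # todo: via cle ssh + script pour "command=" dans authorized_keys
          # NOTE: the remote side also writes the fixed name $NEWCONF in /tmp
          if ssh "root@$fw" "cp $PFCONF $PFCONF.$DATE" && \
             scp "$NEWCONF" "root@$fw:$NEWCONF" && \
             ssh "root@$fw" "pfctl -nf $NEWCONF && mv $NEWCONF $PFCONF" && \
             ssh "root@$fw" "( pfctl -d; pfctl -F rules; pfctl -ef $PFCONF )" && \
             ( [ -n "$TEST_NO_GIT" ] || grep -v '^#' /.git/COMMIT_EDITMSG | ssh "root@$fw" "git commit -F - $PFCONF" || echo "pas de git :(" ); then
            echo " done."
          else
            # the original called an undefined helper here; report on stderr
            echo "Attention, verifier la validite de $NEWCONF sur $fw: # pfctl -nf $NEWCONF" >&2
          fi
        done
      else
        echo "Ok, C toi qui synchronisera avec $(qui_suis_je pas "$@")"
        exit 0
      fi
    fi
  else
    echo "$PFCONF non valide d'apres # pfctl -nf $NEWCONF"
    echo "demerdes-toi."
    exit 1
  fi
fi
echo "bonne journee :)"
test -f "$NEWCONF" && rm "$NEWCONF"
# explicit success: the exit status must not be that of the last test above
exit 0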