Allow specifying pf_rules file to patch on init

When altering more complex setups automatically, pot's way of patching pf.conf is a bit too simplistic. By adding this flag, the user has multiple choices of modifying pf.conf in a controlled way: 1. Write to a different file that's included in pf.conf using its include keyword. 2. Write to a different file that's parsed by additional tooling to assemble a pf.conf (e.g., in automation). 3. In setups where pots modifications serve no real purpose, running `pot init -f ''` can be used to skip touching pf.conf completely. Help text intentionally shows the default to be determined by a command, not the result of it. This is the first patch of a series, with more complex ones to follow, which serve the ultimate purpose of making pot's networking more flexible/customizable using hooks, so it can be integrated into different network environments (as one size doesn't fit all).
bsdpot · Oct 16, 2021 · 42f28de · 42f28de
1 parent 7cd021d
commit 42f28de
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Added
 - copy-in: -c option to create missing dirs on copy-in (#172)
 - create: New command copy-in-flv, which is the same as copy-in, but always relative to flavourdir (#173)
+- init: -f option to specify pf file to patch on init (#181)
 
 ### Changed
 - start: do not write jid files to POT_TMP (#178)

diff --git a/share/pot/init.sh b/share/pot/init.sh
@@ -7,17 +7,22 @@
 
 init-help()
 {
-	echo 'pot init [-h][-v]'
+	echo 'pot init [-h][-v] [-f pf_file]'
+	echo '  -f pf_file : write pot anchors to this file (empty to skip),'
+	echo '     defaults to result of "sysrc -n pf_rules"'
 	echo '  -h print this help'
 	echo '  -v verbose'
 }
 
 pot-init()
 {
 	local pf_file
+	pf_file="$(sysrc -n pf_rules)"
 	OPTIND=1
-	while getopts "hv" _o ; do
+	while getopts "hvf:" _o ; do
 		case "$_o" in
+		f)	pf_file="$OPTARG"
+			;;
 		h)
 			init-help
 			${EXIT} 0
@@ -122,21 +127,24 @@ pot-init()
 	# service syslogd restart
 
 	# Add pot anchors if needed
-	pf_file="$(sysrc -n pf_rules)"
-	if [ -r "$pf_file" ] && [ "$(grep -c '^nat-anchor pot-nat$' "$pf_file" )" -eq 1 ] && [ "$(grep -c '^rdr-anchor "pot-rdr/\*"$' "$pf_file" )" -eq 1 ] ; then
-		_debug "pf alredy properly configured"
-	else
-		if [ -w "$pf_file" ]; then
-			echo "Creating a backup of your $pf_file"
-			cp -v "$pf_file" "$pf_file".bkp-pot
-			# delete incomplete/broken ancory entries - just in case
-			sed -i '' '/^nat-anchor pot-nat$/d' "$pf_file"
-			sed -i '' '/^rdr-anchor "pot-rdr\/\*"$/d' "$pf_file"
+	if [ -n "$pf_file" ]; then
+		if [ -r "$pf_file" ] && [ "$(grep -c '^nat-anchor pot-nat$' "$pf_file" )" -eq 1 ] && [ "$(grep -c '^rdr-anchor "pot-rdr/\*"$' "$pf_file" )" -eq 1 ] ; then
+			_debug "pf already properly configured"
 		else
-			touch "$pf_file"
+			if [ -w "$pf_file" ]; then
+				echo "Creating a backup of your $pf_file"
+				cp -v "$pf_file" "$pf_file".bkp-pot
+				# delete incomplete/broken ancory entries - just in case
+				sed -i '' '/^nat-anchor pot-nat$/d' "$pf_file"
+				sed -i '' '/^rdr-anchor "pot-rdr\/\*"$/d' "$pf_file"
+			else
+				touch "$pf_file"
+			fi
+			echo "auto-magically editing your $pf_file"
+			printf "%s\n" 0a "nat-anchor pot-nat" "rdr-anchor \"pot-rdr/*\"" . x | ex "$pf_file"
+			echo "Please, check that your PF configuration file $pf_file is still valid!"
 		fi
-		echo "auto-magically editing your $pf_file"
-		printf "%s\n" 0a "nat-anchor pot-nat" "rdr-anchor \"pot-rdr/*\"" . x | ex "$pf_file"
-		echo "Please, check that your PF configuration file $pf_file is still valid!"
+	else
+		_debug "pf configuration skipped"
 	fi
 }