On 2024/10/05 12:11, Nick Owens wrote:
> On Sat, Sep 28, 2024 at 11:40 PM Nick Owens <misch...@offblast.org> wrote:
> >
> > hi,
> >
> > i spent today doing a little work on my prometheus (sysutils/prometheus)
> > exporter for pf. this program exports some metrics for pf. it can
> > export the top level pf stats (states, searches, etc), the loginterface
> > stats, and the drop/transmit counts for each queue.
> >
> > my personal usage of pf is pretty limited to my own home firewall, so i
> > can't really say this is battle tested, but i thought since i updated
> > it, i'd try my hand at my first ever openbsd port, so here it is :-)
> >
> > there are certainly warts, like the questionable file descriptor passing
> > and use of the 'nobody' user in the rc.d script, but feedback is
> > welcome.
> >
> > cheers,
> > nick
>
> ping
>
    daemon_user="nobody"
    daemon_flags="-pf.fd 3"

    . /etc/rc.d/rc.subr

    eval "$(typeset -f rc_start | sed -e 's/rc_start/rc_start_real/' -e 's/\ ^I//g' -e 's/\^J//g' )"
    rc_start(){
            3<>/dev/pf rc_start_real
    }

The FD passing in the rc-script is questionable. At the very least, if the script relies on -pf.fd 3, it should be added to daemon_command and not be overridable from rc.conf.local via flags; that eval is a bit nasty too.

daemon_user=nobody is not allowed; it should use a distinct user.
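As an added example (not the port's rc.d script, not rc.subr code, and not written by either participant in this thread), here is the descriptor-passing pattern under discussion in a self-contained POSIX sh form that runs anywhere. The root-only /dev/pf is replaced by a constructed temporary file, and "sh -c" stands in for the su(1)-based rcexec that rc.subr uses to run ${daemon} as daemon_user; the path /usr/local/bin/pf_exporter and the -listen flag are assumed names. The point it demonstrates is the one made in the review: the privileged parent opens the device on fd 3, the daemon only inherits that descriptor and never opens the device itself, and the -pf.fd 3 flag is fixed in the command rather than taken from daemon_flags, so an rc.conf.local override cannot drop it. In the real script the same shape would be an rc_start override roughly of the form rc_start() { ${rcexec} "${daemon} -pf.fd 3 ${daemon_flags}" 3<>/dev/pf; } (an assumption about rc.subr's rcexec, not something the thread states), paired with a dedicated underscore-prefixed port user such as a hypothetical _pfexporter in place of nobody.

```sh
#!/bin/sh
# Added example for this review thread; not the port's rc.d script and not
# rc.subr code. It shows, in a form that runs on any POSIX sh, the descriptor
# passing the review discusses: the privileged parent opens the device on
# fd 3 and the daemon only inherits that fd, never opening the device itself.
# Assumed stand-ins: a constructed regular file replaces the root-only
# /dev/pf, and "sh -c" replaces rc.subr's su(1)-based rcexec.

# Build the command line with the fd flag baked in, separate from the
# flags a user can override in rc.conf.local. Arguments:
#   $1  daemon binary (assumed path)
#   $2  user-overridable daemon_flags, may be empty
build_cmd() {
    printf '%s -pf.fd 3%s' "$1" "${2:+ $2}"
}

# Run command string $1 with file $2 open read/write on fd 3, the way an
# rc_start override would hand /dev/pf to the daemon. The child shell
# inherits fd 3 exactly as a daemon started through su would.
run_with_fd3() {
    sh -c "$1" 3<>"$2"
}

# Stand-in "daemon": shows that it received the device on fd 3 without
# knowing its path, by reading only from the inherited descriptor.
# Prints the contents read from fd 3.
daemon_reads_fd3() {
    run_with_fd3 'cat <&3' "$1"
}

# Demo entry point.
main() {
    pf_device=$(mktemp)          # constructed stand-in for /dev/pf
    printf 'pf state table\n' > "$pf_device"
    echo "command: $(build_cmd /usr/local/bin/pf_exporter '-listen :9100')"
    echo "daemon read: $(daemon_reads_fd3 "$pf_device")"
    rm -f "$pf_device"
}

main "$@"
```

The two things to check when wiring this into a real rc.d script are that the descriptor is opened by the parent before privileges are dropped, and that nothing between the redirection and the final exec closes fd 3 (a closefrom(2) in an intermediate program would silently break the daemon).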