Implements PostUp and PostDown commands using /bin/sh #25

Merged
merged 1 commit into from
Nov 19, 2020

Contributor

@fs111 fs111 commented Nov 19, 2020

This introduces PostUp and PostDown in dsnet. PostUp and PostDown allow
the user to run arbitrary commands after the device is up or down. These
are typically used to change the firewall rules via iptables. A working
example would be

...
"PostUp" : "iptables -A FORWARD -i dsnet -j ACCEPT; iptables -A FORWARD -o dsnet -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE ",
"PostDown" : "iptables -D FORWARD -i dsnet -j ACCEPT; iptables -D FORWARD -o dsnet -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE ",
...

All commands are executed by /bin/sh and no filtering or sandboxing is
applied. Users of this should know what they are doing.

Fixes #16
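Because the PostUp and PostDown strings reach /bin/sh unfiltered, whoever can edit the config file can run commands with the privileges of the process. The following Go sketch is an added example, not dsnet's code: it refuses to load hooks from a file that is a symlink, is group/world writable, or is owned by someone other than root or the current user. `Hooks` and `LoadHooks` are hypothetical names, and the fields are assumed to be plain strings where empty means unset.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"syscall"
)

// Hooks models only the two fields from this PR; "" means unset (assumption).
type Hooks struct {
	PostUp   string
	PostDown string
}

// LoadHooks (hypothetical helper) parses the hook fields from path, refusing
// files another user could edit, since their contents are handed to /bin/sh -c.
func LoadHooks(path string) (Hooks, error) {
	var h Hooks
	// O_NOFOLLOW rejects a symlink; fstat on the open fd avoids a stat/read race.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return h, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return h, err
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	switch {
	case !info.Mode().IsRegular():
		return h, fmt.Errorf("%s: not a regular file", path)
	case info.Mode().Perm()&0o022 != 0:
		return h, fmt.Errorf("%s: group/world writable (%04o)", path, info.Mode().Perm())
	case !ok || (st.Uid != 0 && int(st.Uid) != os.Geteuid()):
		return h, fmt.Errorf("%s: not owned by root or the current user", path)
	}
	err = json.NewDecoder(f).Decode(&h)
	return h, err
}

func main() {
	if len(os.Args) == 2 {
		h, err := LoadHooks(os.Args[1])
		fmt.Printf("hooks=%+v err=%v\n", h, err)
	}
}
```

The check covers the file itself only; the directories above it need the same ownership and mode for the guarantee to hold.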

Collaborator

@botto botto left a comment

Very cool!

util.go Outdated
@@ -35,6 +36,16 @@ func ExitFail(format string, a ...interface{}) {
os.Exit(1)
}

func ShellOut(command *string, name string) {
if command != nil {
shell := exec.Command("/bin/sh", "-c", *command)
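Review bot: in ShellOut, `if command != nil` guards only the nil pointer, so a config whose PostUp or PostDown is present but empty still spawns `/bin/sh -c` with an empty script; check `*command != ""` as well, or take a plain string and treat empty as unset. Since the value is passed to the shell unmodified, a doc comment on ShellOut should state that the configured string runs with the process's privileges. The `name` parameter is not used in the visible lines, so either use it when reporting a failed command or drop it.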
Collaborator

Should it emit a message before running so we are aware what it just did?

I.e:

fmt.Printf("Running %s commands:\n %s", name, *command)

@naggie naggie requested review from botto and removed request for frillip and botto November 19, 2020 21:00
Owner

naggie commented Nov 19, 2020

Thanks @fs111 looks good. I think @botto is right, it should probably log the command it's running to stdout so I'll add that before releasing unless you beat me to it.

Regarding using pointers to strings as they're optional fields -- I assume that will serialise as null? I think I'd rather an empty string is used as that follows the precedent set by the optional IPv6 (and now IPv4) configuration -- empty string means unset and is more obvious when hand-editing the file.

Contributor Author

fs111 commented Nov 19, 2020

I have updated the PR with the comments addressed.

I am personally more a fan of the "Rule of silence" and would not have added the print, but it is fine either way.

Owner

naggie commented Nov 19, 2020

I'll have a think about the rule of silence, but for now I'll release. Thanks @fs111 !

@naggie naggie merged commit 0579b4c into naggie:master Nov 19, 2020
@fs111 fs111 deleted the up-down branch November 19, 2020 22:56
Owner

naggie commented Nov 19, 2020

I thought about it and decided against the extra print command. Sorry @botto :)

Successfully merging this pull request may close these issues.

Post-up and post-down for firewall rules?