[new] pf_exporter
On 2024/10/05 12:11, Nick Owens wrote:
> On Sat, Sep 28, 2024 at 11:40 PM Nick Owens <mischief@offblast.org> wrote:
> >
> > hi,
> >
> > i spent today doing a little work on my prometheus (sysutils/prometheus)
> > exporter for pf. this program exports some metrics for pf. it can
> > export the top level pf stats (states, searches, etc), the loginterface
> > stats, and the drop/transmit counts for each queue.
> >
> > my personal usage of pf is pretty limited to my own home firewall, so i
> > can't really say this is battle tested, but i thought since i updated
> > it, i'd try my hand at my first ever openbsd port, so here it is :-)
> >
> > there are certainly warts, like the questionable file descriptor passing
> > and use of the 'nobody' user in the rc.d script, but feedback is
> > welcome.
> >
> > cheers,
> > nick
> >
>
> ping
>
daemon_user="nobody"
daemon_flags="-pf.fd 3"

. /etc/rc.d/rc.subr

eval "$(typeset -f rc_start | sed -e 's/rc_start/rc_start_real/' -e 's/\ ^I//g' -e 's/\^J//g' )"
rc_start(){
	3<>/dev/pf rc_start_real
}
The FD passing in the rc-script is questionable - at the very least if
the script relies on -pf.fd 3 it should be added to daemon_command and
not overridable from rc.conf.local via flags - that eval is a bit nasty
too.
daemon_user=nobody is not allowed, it should use a distinct user.
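
The three review points above, written as a lint over an rc.d script. This is an added example, not part of the original thread or of the port: `check_rc_script` and `write_sample` are hypothetical helpers, and the sample is the quoted excerpt with its sed expression abridged.

```sh
#!/bin/sh
# Added example: check_rc_script and write_sample are hypothetical helpers,
# not part of rc.subr or of the pf_exporter port.

# Print one finding per line for the rc.d script given as $1.
check_rc_script() {
    # The shared "nobody" account is not acceptable as daemon_user.
    if grep -Eq '^[[:space:]]*daemon_user="?nobody"?[[:space:]]*$' "$1"; then
        echo "daemon_user: uses shared 'nobody' account, needs a distinct user"
    fi
    # daemon_flags can be replaced from rc.conf.local, so a flag the script
    # depends on (here the inherited descriptor number) must not live there.
    if grep -E '^[[:space:]]*daemon_flags=' "$1" | grep -q -e '-pf\.fd'; then
        echo "daemon_flags: required -pf.fd flag is overridable"
    fi
    # Rewriting an rc.subr function with eval + typeset -f is fragile.
    if grep -Eq '^[[:space:]]*eval[[:space:]].*typeset[[:space:]]+-f[[:space:]]+rc_' "$1"; then
        echo "eval: redefines an rc.subr function by text substitution"
    fi
}

# Constructed sample: the rc.d excerpt quoted in the review above
# (sed expression abridged).
write_sample() {
    cat > "$1" <<'EOF'
daemon_user="nobody"
daemon_flags="-pf.fd 3"

. /etc/rc.d/rc.subr

eval "$(typeset -f rc_start | sed -e 's/rc_start/rc_start_real/')"
rc_start(){
	3<>/dev/pf rc_start_real
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_rc_script "$sample"
rm -f "$sample"
```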