clawdie-iso/scripts/bhyve-pf-allow.sh

#!/bin/sh
# Allow bhyve test VM egress by adding a PF include file.
# This is opt-in and idempotent; it does not replace the main ruleset.

set -eu

PF_CONF="/etc/pf.conf"
PF_BHYVE_INCLUDE="/etc/pf.bhyve.conf"

require_root() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR: must run as root"
    exit 1
  fi
}

detect_ext_if() {
  if [ -n "${EXT_IF:-}" ]; then
    echo "$EXT_IF"
    return
  fi

  if command -v route >/dev/null 2>&1; then
    if out="$(route -n get default 2>/dev/null)"; then
      iface="$(echo "$out" | awk '/interface:/ { print $2; exit }')"
      if [ -n "$iface" ]; then
        echo "$iface"
        return
      fi
    fi
  fi

  echo "vtnet0"
}

ensure_include_line() {
  line="include \"$PF_BHYVE_INCLUDE\""
  if ! grep -Fxq "$line" "$PF_CONF"; then
    printf '\n%s\n' "$line" >> "$PF_CONF"
  fi
}

pf_enabled() {
  pfctl -s info 2>/dev/null | grep -qi "Status: Enabled"
}

require_root

if [ ! -f "$PF_CONF" ]; then
  echo "ERROR: missing $PF_CONF"
  exit 1
fi

BHYVE_BRIDGE="${BHYVE_BRIDGE:-bhyve0}"
BHYVE_NET="${BHYVE_NET:-10.99.0.0/24}"
EXT_IF="$(detect_ext_if)"

cat <<EOF > "$PF_BHYVE_INCLUDE"
ext_if = "$EXT_IF"
bhyve_if = "$BHYVE_BRIDGE"
bhyve_net = "$BHYVE_NET"

nat on \$ext_if from \$bhyve_net to any -> (\$ext_if)
pass quick on \$bhyve_if inet from \$bhyve_net to any keep state
EOF

chmod 0644 "$PF_BHYVE_INCLUDE"
ensure_include_line

pfctl -nf "$PF_CONF"
pfctl -f "$PF_CONF"

if ! pf_enabled; then
  pfctl -e
fi

echo "PF updated for ${BHYVE_NET} on ${BHYVE_BRIDGE} (ext: ${EXT_IF})"
echo "Include: ${PF_BHYVE_INCLUDE}"
Harden bhyve tests and home.arpa defaults (Sam & Codex) --- Build: not run \| Tests: not run 2026-04-04 09:49:01 +00:00			`#!/bin/sh`
			`# Allow bhyve test VM egress by adding a PF include file.`
			`# This is opt-in and idempotent; it does not replace the main ruleset.`

			`set -eu`

			`PF_CONF="/etc/pf.conf"`
			`PF_BHYVE_INCLUDE="/etc/pf.bhyve.conf"`

			`require_root() {`
			`if [ "$(id -u)" -ne 0 ]; then`
			`echo "ERROR: must run as root"`
			`exit 1`
			`fi`
			`}`

			`detect_ext_if() {`
			`if [ -n "${EXT_IF:-}" ]; then`
			`echo "$EXT_IF"`
			`return`
			`fi`

			`if command -v route >/dev/null 2>&1; then`
			`if out="$(route -n get default 2>/dev/null)"; then`
			`iface="$(echo "$out" \| awk '/interface:/ { print $2; exit }')"`
			`if [ -n "$iface" ]; then`
			`echo "$iface"`
			`return`
			`fi`
			`fi`
			`fi`

			`echo "vtnet0"`
			`}`

			`ensure_include_line() {`
			`line="include \"$PF_BHYVE_INCLUDE\""`
			`if ! grep -Fxq "$line" "$PF_CONF"; then`
			`printf '\n%s\n' "$line" >> "$PF_CONF"`
			`fi`
			`}`

			`pf_enabled() {`
			`pfctl -s info 2>/dev/null \| grep -qi "Status: Enabled"`
			`}`

			`require_root`

			`if [ ! -f "$PF_CONF" ]; then`
			`echo "ERROR: missing $PF_CONF"`
			`exit 1`
			`fi`

			`BHYVE_BRIDGE="${BHYVE_BRIDGE:-bhyve0}"`
			`BHYVE_NET="${BHYVE_NET:-10.99.0.0/24}"`
			`EXT_IF="$(detect_ext_if)"`

			`cat <<EOF > "$PF_BHYVE_INCLUDE"`
			`ext_if = "$EXT_IF"`
			`bhyve_if = "$BHYVE_BRIDGE"`
			`bhyve_net = "$BHYVE_NET"`

			`nat on \$ext_if from \$bhyve_net to any -> (\$ext_if)`
			`pass quick on \$bhyve_if inet from \$bhyve_net to any keep state`
			`EOF`

			`chmod 0644 "$PF_BHYVE_INCLUDE"`
			`ensure_include_line`

			`pfctl -nf "$PF_CONF"`
			`pfctl -f "$PF_CONF"`

			`if ! pf_enabled; then`
			`pfctl -e`
			`fi`

			`echo "PF updated for ${BHYVE_NET} on ${BHYVE_BRIDGE} (ext: ${EXT_IF})"`
			`echo "Include: ${PF_BHYVE_INCLUDE}"`