openbsd: pf: enable forwarding persistency

openbsd/pf/Rexfile

@@ -18,7 +18,7 @@ my %pfvars = (
     "allow_icmp" => 1,
 
     # enable nat? 0= disabled, 1=enabled
-    # enable ip forwarding but not persistent yet
+    # enable / disable ip forwarding (now and for further boots)
     "nat" => 0,
 
     # interface that is behind the NAT
@@ -44,22 +44,17 @@ task "configure", sub {
 
     if($pfvars{nat}) {
         sysctl "net.inet.ip.forwarding" => 1;
+        append_if_no_such_line "/etc/sysctl.conf", "net.inet.ip.forwarding=1", /^net.inet.ip.forwarding/;
     } else {
         sysctl "net.inet.ip.forwarding" => 0;
+        delete_lines_matching "/etc/sysctl.conf" => "net.inet.ip.forwarding=";
     }
 };
 
 __DATA__
 @pfconf
-<% if (@{$TCPports}) {
-%>
-services_tcp="{ <%= join(" ",@{$TCPports}) %> }"
-<% } %>
-
-<% if (@{$UDPports}) {
-%>
-services_udp="{ <%= join(" ",@{$UDPports}) %> }"
-<% } %>
+<% if (@{$TCPports}) { %>services_tcp="{ <%= join(" ",@{$TCPports}) %> }"<% } %>
+<% if (@{$UDPports}) { %>services_udp="{ <%= join(" ",@{$UDPports}) %> }"<% } %>
 
 set skip on lo
 set block-policy drop
@@ -73,18 +68,15 @@ pass in from <%= $nat_from_interface %>
 pass out quick on egress from <%= $nat_from_interface %>:network to any nat-to <%= $nat_to_interface %>
 <% } %>
 
-<% if (@{$TCPports}) { %>
-# allow TCP
+<% if (@{$TCPports}) { %># allow TCP
 pass in on egress inet proto tcp from any to (egress) port $services_tcp
 <% } %>
 
-<% if (@{$UDPports}) { %>
-# allow UDP
+<% if (@{$UDPports}) { %># allow UDP
 pass in on egress inet proto udp from any to (egress) port $services_udp
 <% } %>
 
-<% if ($allow_icmp) { %>
-# allow ICMP (over ipv4)
+<% if ($allow_icmp) { %># allow ICMP (over ipv4)
 pass in on egress inet proto icmp from any to (egress)
 <% } %>