firewall: move bogon script out of the way, priv-sep, lower retries

plist

@@ -140,7 +140,6 @@
 /usr/local/etc/rc.syshook.d/stop/80-freebsd
 /usr/local/etc/rc.syshook.d/stop/90-backup
 /usr/local/etc/rc.syshook.d/stop/99-config
-/usr/local/etc/rc.update_bogons
 /usr/local/etc/ssl/opnsense.cnf
 /usr/local/opnsense/contrib/IXR/IXR_Library.php
 /usr/local/opnsense/contrib/base32/Base32.php
@@ -641,6 +640,7 @@
 /usr/local/opnsense/scripts/filter/list_tables.py
 /usr/local/opnsense/scripts/filter/pfinfo.py
 /usr/local/opnsense/scripts/filter/read_log.py
+/usr/local/opnsense/scripts/filter/update_bogons.sh
 /usr/local/opnsense/scripts/filter/update_tables.py
 /usr/local/opnsense/scripts/firmware/changelog.sh
 /usr/local/opnsense/scripts/firmware/check.sh

src/etc/inc/plugins.inc.d/pf.inc

@@ -65,14 +65,14 @@ function pf_cron()
     /* bogons fetch always set in default config.xml */
     switch ($config['system']['bogons']['interval']) {
         case 'daily':
-            $jobs[]['autocron'] = array('/usr/local/etc/rc.update_bogons cron', '1', '3', '*', '*', '*');
+            $jobs[]['autocron'] = array('configctl filter update bogons cron', '1', '3', '*', '*', '*');
             break;
         case 'weekly':
-            $jobs[]['autocron'] = array('/usr/local/etc/rc.update_bogons cron', '1', '3', '*', '*', '0');
+            $jobs[]['autocron'] = array('configctl filter update bogons cron', '1', '3', '*', '*', '0');
             break;
         case 'monthly':
         default:
-            $jobs[]['autocron'] = array('/usr/local/etc/rc.update_bogons cron', '1', '3', '1', '*', '*');
+            $jobs[]['autocron'] = array('configctl filter update bogons cron', '1', '3', '1', '*', '*');
             break;
     }
 

src/opnsense/scripts/filter/update_bogons.sh

@@ -3,7 +3,7 @@
 DESTDIR="/usr/local/etc"
 WORKDIR="/tmp/bogons"
 FETCH="fetch -qT 30"
-RETRIES=5
+RETRIES=3
 
 COMMAND=${1}
 
@@ -12,16 +12,16 @@ SYS_ABI=$(opnsense-verify -a)
 
 URL="https://pkg.opnsense.org/${SYS_ABI}/${CORE_ABI}/sets/bogons.txz"
 
-echo "rc.update_bogons is starting up" | logger
+echo "bogons update starting" | logger
 
 while [ ${RETRIES} -gt 0 ]; do
     if [ "${COMMAND}" = "cron" ]; then
         VALUE=$(jot -r 1 1 900)
-        echo "rc.update_bogons is sleeping for ${VALUE} seconds" | logger
+        echo "bogons update is sleeping for ${VALUE} seconds" | logger
         sleep ${VALUE}
     fi
 
-    echo "rc.update_bogons is beginning the update cycle" | logger
+    echo "bogons update is beginning the update cycle" | logger
 
     rm -rf ${WORKDIR}
     mkdir -p ${WORKDIR}
@@ -30,11 +30,11 @@ while [ ${RETRIES} -gt 0 ]; do
     ${FETCH} -o ${WORKDIR}/bogons.txz "${URL}"
 
     if [ ! -f ${WORKDIR}/bogons.txz ]; then
-        echo "Could not download ${URL}" | logger
+        echo "bogons update cannot download ${URL}" | logger
     elif ! opnsense-verify -q ${WORKDIR}/bogons.txz; then
-        echo "Could not verify ${URL}" | logger
+        echo "bogons update cannot verify ${URL}" | logger
     elif ! tar -C ${WORKDIR} -xJf ${WORKDIR}/bogons.txz; then
-        echo "Could not extract ${URL}" | logger
+        echo "bogons update cannot extract ${URL}" | logger
     else
         break
     fi
@@ -47,7 +47,7 @@ while [ ${RETRIES} -gt 0 ]; do
 done
 
 if [ ${RETRIES} -eq 0 ]; then
-    echo "rc.update_bogons is aborting the update cycle" | logger
+    echo "update bogons is aborting the update cycle" | logger
     exit 1
 fi
 
@@ -89,4 +89,4 @@ else
     fi
 fi
 
-echo "rc.update_bogons is ending the update cycle" | logger
+echo "update bogons is ending the update cycle" | logger

src/opnsense/service/conf/actions.d/actions_filter.conf

@@ -72,10 +72,10 @@ type:script
 message:add entry to pf table ( %s / %s )
 
 [update.bogons]
-command:/usr/local/etc/rc.update_bogons
-parameters:
+command:/usr/local/opnsense/scripts/filter/update_bogons.sh
+parameters: %s
 type:script
-message:update bogons database
+message:update bogons database %s
 
 [diag.top]
 command:/usr/local/sbin/pftop