it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Apply outbound restriction in exam_mode on macvtap interfaces too

Browse source
This commit is contained in:
Raphael Dannecker 2025-12-17 13:24:24 +01:00
parent a986254abc
commit 1f45184d0c
3 changed files with 57 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
roles/lmn_exam/files/pam-exec.sh
View file

@ -5,10 +5,16 @@
if [[ "${PAM_USER}" =~ -exam$ ]]; then
systemctl start firewalld.service
if [[ -f /usr/local/sbin/no-way-out-nftable ]]; then
/usr/local/sbin/no-way-out-nftable || true
fi
if systemctl is-enabled --quiet libvirtd.service; then
systemctl restart libvirtd.service
fi
elif ! (users | grep -q -- "-exam"); then
if /usr/sbin/nft list tables | /usr/bin/grep -q filtermacvtap; then
/usr/sbin/nft delete table netdev filtermacvtap || true
fi
systemctl stop firewalld.service
if systemctl is-enabled --quiet libvirtd.service; then
systemctl restart libvirtd.service