Apply outbound restriction in exam_mode on macvtap interfaces too

2025-12-17 13:24:24 +01:00 · 2025-12-17 13:24:24 +01:00 · 1f45184d0c
commit 1f45184d0c
parent a986254abc
3 changed files with 57 additions and 0 deletions
--- a/roles/lmn_exam/files/pam-exec.sh
+++ b/roles/lmn_exam/files/pam-exec.sh
@ -5,10 +5,16 @@

 if [[ "${PAM_USER}" =~ -exam$ ]]; then
  systemctl start firewalld.service
+  if [[ -f /usr/local/sbin/no-way-out-nftable ]]; then
+    /usr/local/sbin/no-way-out-nftable || true
+  fi
  if systemctl is-enabled --quiet libvirtd.service; then
    systemctl restart libvirtd.service
  fi
 elif ! (users | grep -q -- "-exam"); then
+  if /usr/sbin/nft list tables | /usr/bin/grep -q filtermacvtap; then
+    /usr/sbin/nft delete table netdev filtermacvtap || true
+  fi
  systemctl stop firewalld.service
  if systemctl is-enabled --quiet libvirtd.service; then
    systemctl restart libvirtd.service