NationTech/harmony
3
0
Fork 2
Code Issues 38 Pull Requests 29 Actions Packages Projects Releases 1 Wiki Activity
Files
feat/opnsense-bootstrap-score
harmony/data/opnsense/ethname.LICENSE
Sylvain Tremblay 9eeede18b8
Some checks failed
Run Check Script / check (pull_request) Failing after 40s
Details
feat(opnsense): pin physical NIC names to MAC addresses via vendored ethname 
On multi-NIC FreeBSD/OPNsense boxes (Wize 5070 and similar), PCIe enumeration
order shuffles igc0/igc1/... across reboots. OPNsense binds wan/lan
assignments to interface names, so a shuffle silently re-points them at the
wrong physical ports and breaks firewall rules.

Validated fix from OPNsense forum #27023 (endorsed by franco): the upstream
`ethname` rc.d script (MIT, © Eric Borisch 2016–2019, frozen at v2.0.1) does
a two-stage rename in early boot — before `netif` — mapping MACs to fixed
interface names.

Vendor the 280-line script inline rather than `pkg install ethname`.
`pkg install` on a fresh ISO often fails because the firmware lags the live
pkg repo, and the firmware-upgrade reboot is precisely the boot we need to
defend against. Vendoring sidesteps the chicken-and-egg.

Adds:

  harmony/data/opnsense/ethname.sh        vendored upstream script (verbatim)
  harmony/data/opnsense/ethname.LICENSE   preserves MIT terms

  bootstrap.rs:
    ETHNAME_SCRIPT (const, include_str!)
    DEFAULT_PHYSICAL_DRIVER_PREFIXES (const)
    list_physical_nics_via_ssh / read_ethname_mac_set_via_ssh /
    install_ethname_via_ssh (pub SSH helpers)

  pin_nic_names module:
    pin_nic_names_step       — the shared one-shot logic
    OPNsensePinNicNamesScore — Score<OPNsenseBootstrapTopology> for
                               ad-hoc re-pinning / standalone use

OPNsenseBootstrapScore composes pin_nic_names_step internally as a mandatory
step between the web UI dance and API key mint — every firewall
bootstrapped through harmony gets pinned NIC names automatically, no caller
code change required. Idempotent: re-running on a firewall whose MAC set
already matches /etc/rc.conf.d/ethname is a NOOP.

The existence probe for the config file is wrapped in `sh -c '...'` because
OPNsense's root login shell is /bin/csh (tcsh); bare Bourne if/then/else
fails there. Simple `&&` chains (the pattern in the other SSH helpers) work
in both shells.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 10:49:59 -04:00

22 lines
1.0 KiB
Plaintext
Raw Permalink Blame History

The MIT License (MIT)
Copyright (c) 2016
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Reference in New Issue View Git Blame Copy Permalink