From 08aa7d8e8315652dbe86b6e8ad56227a28e80d3d Mon Sep 17 00:00:00 2001
From: Jake Guffey <jake.guffey@eprotex.com>
Date: Wed, 19 Sep 2012 16:15:06 -0400
Subject: [PATCH] Fleshed out gencode-remote logic
Added logic into gencode-remote to enable/disable pf
Added logic into gencode-remote to apply the new ruleset if necessary
Added explorer to find ${rcvar}
---
conf/type/__pf_apply/explorer/rcvar | 36 +++++++++++++++++++++++++++++
conf/type/__pf_apply/gencode-remote | 22 +++++++++++++++++-
2 files changed, 57 insertions(+), 1 deletion(-)
create mode 100755 conf/type/__pf_apply/explorer/rcvar
diff --git a/conf/type/__pf_apply/explorer/rcvar b/conf/type/__pf_apply/explorer/rcvar
new file mode 100755
index 00000000..20e9dfcc
--- /dev/null
+++ b/conf/type/__pf_apply/explorer/rcvar
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+# Get the location of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+
+RC="/etc/rc.conf"
+PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+echo ${PFCONF:-"/etc/pf.conf"}
+
+# Debug
+#set +x
+
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 309eb12d..83529859 100755
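Review bot: The `pf_rules=` lookup on the `PFCONF=` line strips only double quotes and keeps every matching line, so a single-quoted value (`pf_rules='/etc/pf.conf'`) or a second `pf_rules=` assignment later in rc.conf (the one sh would actually honour) yields a wrong or multi-line path, and the unquoted `echo ${PFCONF:-...}` then word-splits whatever came out. I would take the last match and strip both quote styles: `PFCONF="$(grep '^pf_rules=' "${RC}" | tail -n 1 | cut -d= -f2- | sed "s/[\"']//g")"` followed by `echo "${PFCONF:-/etc/pf.conf}"`. The header comment and the explorer's name disagree — the script prints the ruleset path, not an rc variable name; `# Print the path of the pf ruleset: rc.conf's pf_rules, defaulting to /etc/pf.conf.` describes what it does. Only /etc/rc.conf is consulted, so if the host's effective value comes from elsewhere (e.g. /etc/defaults/rc.conf) the result here may differ from what rc(8) uses — worth confirming.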
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -25,8 +25,28 @@
 #exec >&2
 #set -x
+rcvar=$(cat "$__object/explorer/rcvar")
+
 cat <<EOF
-if [ "$
+if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
+ pfctl -d
+ # Cleanup
+ rm -f "${rcvar}.old
+ # This file shouldn't exist, but just in case...
+ [ -f "${rcvar}" ] && rm -f "${rcvar}"
+elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
+ # Ensure that pf is enabled in the first place
+ pfctl -e
+ pfctl -f "${rcvar}"
+ ret="$?"
+ # Cleanup
+ rm -f "${rcvar}.old
+ # This file shouldn't exist, but just in case...
+ [ -f "${rcvar}" ] && rm -f "${rcvar}"
+ if [ "$ret" -ne "0" ]; then # failed to configure new ruleset
+ echo "Failed to configure the new ruleset on ${__target_host}\!" >&2
+ fi
+fi
 EOF
 # Debug
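Review bot: The `ret="$?"` and `[ "$ret" -ne "0" ]` lines sit inside an unquoted heredoc, so `$?` and `$ret` are expanded by the local gencode shell (to the status of the preceding `rcvar=` assignment and, unless `ret` is set earlier in the file, to an empty string) rather than on the target; the generated code becomes `ret="0"` and `[ "" -ne "0" ]`, and the failure report can never fire. They must be written `\$?` and `\$ret` — the `${rcvar}` and `${__target_host}` expansions are local on purpose, so quoting the delimiter is not an option. Both `rm -f "${rcvar}.old` lines lack the closing quote, which only surfaces when the target shell parses the generated code, and the `\!` in the echo reaches the target as a literal backslash. The cleanup in the `.new` branch looks copied from the `.old` branch: it removes `${rcvar}.old` instead of the `.new` marker that triggered it, and then deletes the ruleset file `pfctl -f` just loaded — I cannot see the sibling type that writes these markers, so confirm which file is meant. Enabling pf before the ruleset is loaded also means a failed load leaves pf enabled with whatever rules (or none) were active, and if cdist runs this under `sh -e` a `pfctl -e`/`-d` against an already enabled/disabled pf exits non-zero and aborts the run; the apply branch below loads first and enables only on success.
```sh
cat <<EOF
if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
   # … unchanged: pfctl -d and the "just in case" removal of ${rcvar} …
   rm -f "${rcvar}.old"
elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
   # Load the new ruleset first; enable pf only once the load succeeded.
   # \$? and \$ret are escaped so they expand on the target, not here.
   ret=0
   pfctl -f "${rcvar}" || ret=\$?
   if [ "\$ret" -eq 0 ]; then
      pfctl -e
   fi
   # Cleanup: drop the marker that triggered this branch
   rm -f "${rcvar}.new"
   if [ "\$ret" -ne 0 ]; then # failed to configure new ruleset
      echo "Failed to configure the new ruleset on ${__target_host}!" >&2
   fi
fi
EOF
```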