new type: __iptables_apply
Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
This commit is contained in:
		
							parent
							
								
									0f6b6f420c
								
							
						
					
					
						commit
						f8d3e36efb
					
				
					 7 changed files with 120 additions and 0 deletions
				
			
		
							
								
								
									
										48
									
								
								cdist/conf/type/__iptables_apply/files/init-script
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										48
									
								
								cdist/conf/type/__iptables_apply/files/init-script
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,48 @@ | ||||||
|  | #!/bin/sh | ||||||
|  | # Nico Schottelius | ||||||
|  | # Zürisee, Mon Sep  2 18:38:27 CEST 2013 | ||||||
|  | # | ||||||
|  | ### BEGIN INIT INFO | ||||||
|  | # Provides:          iptables | ||||||
|  | # Required-Start:    $local_fs $remote_fs | ||||||
|  | # Required-Stop:     $local_fs $remote_fs | ||||||
|  | # X-Start-Before:    fail2ban | ||||||
|  | # Default-Start:     2 3 4 5 | ||||||
|  | # Default-Stop:      0 1 6 | ||||||
|  | # Short-Description: Applies iptables ruleset | ||||||
|  | # Description:       Applies all rules found in /etc/iptables.d | ||||||
|  | #                    and saves/restores previous status | ||||||
|  | ### END INIT INFO | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | basedir=/etc/iptables.d | ||||||
|  | status="${basedir}/.pre-start" | ||||||
|  | 
 | ||||||
|  | case $1 in | ||||||
|  |     start) | ||||||
|  |         # Save status | ||||||
|  |         iptables-save > "$status" | ||||||
|  | 
 | ||||||
|  |         # Apply our ruleset | ||||||
|  |         cd "$basedir" | ||||||
|  |         count="$(ls -1 | wc -l)" | ||||||
|  | 
 | ||||||
|  |         # Only do something if there are rules | ||||||
|  |         if [ "$count" -ge 1 ]; then | ||||||
|  |             for rule in *; do | ||||||
|  |                 echo "Applying iptables rule $rule ..." | ||||||
|  |                 iptables $(cat "$rule") | ||||||
|  |             done | ||||||
|  |         fi | ||||||
|  |     ;; | ||||||
|  | 
 | ||||||
|  |     stop) | ||||||
|  |         # Restore from status before, if there is something to restore | ||||||
|  |         if [ -f "$status" ]; then | ||||||
|  |             iptables-restore < "$status" | ||||||
|  |         fi | ||||||
|  |     ;; | ||||||
|  |     restart) | ||||||
|  |         "$0" stop &&  "$0" start | ||||||
|  |     ;; | ||||||
|  | esac | ||||||
							
								
								
									
										2
									
								
								cdist/conf/type/__iptables_apply/gencode-remote
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								cdist/conf/type/__iptables_apply/gencode-remote
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,2 @@ | ||||||
|  | # Rebuild rules - FIXME: do conditionally as soon as cdist supports it | ||||||
|  | echo /etc/init.d/iptables restart | ||||||
							
								
								
									
										42
									
								
								cdist/conf/type/__iptables_apply/man.text
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										42
									
								
								cdist/conf/type/__iptables_apply/man.text
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,42 @@ | ||||||
|  | cdist-type__iptables_apply(7) | ||||||
|  | ============================= | ||||||
|  | Nico Schottelius <nico-cdist--@--schottelius.org> | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | NAME | ||||||
|  | ---- | ||||||
|  | cdist-type__iptables_apply - Apply the rules | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | DESCRIPTION | ||||||
|  | ----------- | ||||||
|  | This cdist type deploys an init script that triggers | ||||||
|  | the configured rules and also re-applies them on | ||||||
|  | configuration. | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | REQUIRED PARAMETERS | ||||||
|  | ------------------- | ||||||
|  | None | ||||||
|  | 
 | ||||||
|  | OPTIONAL PARAMETERS | ||||||
|  | ------------------- | ||||||
|  | None | ||||||
|  | 
 | ||||||
|  | EXAMPLES | ||||||
|  | -------- | ||||||
|  | 
 | ||||||
|  | None (__iptables_apply is used by __iptables_rule) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | SEE ALSO | ||||||
|  | -------- | ||||||
|  | - cdist-type(7) | ||||||
|  | - cdist-type__iptables_rule(7) | ||||||
|  | - iptables(8) | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | COPYING | ||||||
|  | ------- | ||||||
|  | Copyright \(C) 2013 Nico Schottelius. Free use of this software is | ||||||
|  | granted under the terms of the GNU General Public License version 3 (GPLv3). | ||||||
							
								
								
									
										26
									
								
								cdist/conf/type/__iptables_apply/manifest
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								cdist/conf/type/__iptables_apply/manifest
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,26 @@ | ||||||
|  | # | ||||||
|  | # 2013 Nico Schottelius (nico-cdist at schottelius.org) | ||||||
|  | # | ||||||
|  | # This file is part of cdist. | ||||||
|  | # | ||||||
|  | # cdist is free software: you can redistribute it and/or modify | ||||||
|  | # it under the terms of the GNU General Public License as published by | ||||||
|  | # the Free Software Foundation, either version 3 of the License, or | ||||||
|  | # (at your option) any later version. | ||||||
|  | # | ||||||
|  | # cdist is distributed in the hope that it will be useful, | ||||||
|  | # but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||||
|  | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||||
|  | # GNU General Public License for more details. | ||||||
|  | # | ||||||
|  | # You should have received a copy of the GNU General Public License | ||||||
|  | # along with cdist. If not, see <http://www.gnu.org/licenses/>. | ||||||
|  | # | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | __file /etc/init.d/iptables \ | ||||||
|  |     --source "$__type/files/init-script" \ | ||||||
|  |     --state present \ | ||||||
|  |     --mode 0755 | ||||||
|  | 
 | ||||||
|  | require="__file/etc/init.d/iptables" __start_on_boot iptables | ||||||
							
								
								
									
										0
									
								
								cdist/conf/type/__iptables_apply/singleton
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										0
									
								
								cdist/conf/type/__iptables_apply/singleton
									
										
									
									
									
										Normal file
									
								
							|  | @ -54,6 +54,7 @@ __iptables_rule munin --rule "-A INPUT -p tcp --dport 4949 -j ACCEPT" \ | ||||||
| SEE ALSO | SEE ALSO | ||||||
| -------- | -------- | ||||||
| - cdist-type(7) | - cdist-type(7) | ||||||
|  | - cdist-type__iptables_apply(7) | ||||||
| - iptables(8) | - iptables(8) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -9,6 +9,7 @@ Changelog | ||||||
| 	* Core: Code cleanup: Remove old install code (Steven Armstrong) | 	* Core: Code cleanup: Remove old install code (Steven Armstrong) | ||||||
| 	* Core: Improve error message when using non-existing type in requirement | 	* Core: Improve error message when using non-existing type in requirement | ||||||
| 	* New Type: __iptables_rule | 	* New Type: __iptables_rule | ||||||
|  | 	* New Type: __iptables_apply | ||||||
| 	* Type __cdist: Also create home directory | 	* Type __cdist: Also create home directory | ||||||
| 	* Type __cdist: Add support for --shell parameter | 	* Type __cdist: Add support for --shell parameter | ||||||
| 	* Type __motd: Regenerate motd on Debian and Ubuntu | 	* Type __motd: Regenerate motd on Debian and Ubuntu | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		
		Reference in a new issue