From a2e96ac435cd8fa98fad2edade8d5798fcb8d57f Mon Sep 17 00:00:00 2001
From: Jake Guffey <jake.guffey@eprotex.com>
Date: Wed, 19 Sep 2012 14:50:28 -0400
Subject: [PATCH] Initial commit

Broke old __pf type into __pf_*
Initial commit of __pf_ruleset type with basic logic
---
 conf/type/__pf_ruleset/explorer/cksum     | 43 +++++++++++++
 conf/type/__pf_ruleset/explorer/rcvar     | 36 +++++++++++
 conf/type/__pf_ruleset/gencode-local      | 74 +++++++++++++++++++++++
 conf/type/__pf_ruleset/gencode-remote     | 41 +++++++++++++
 conf/type/__pf_ruleset/man.text           | 51 ++++++++++++++++
 conf/type/__pf_ruleset/parameter/optional |  1 +
 conf/type/__pf_ruleset/parameter/required |  1 +
 conf/type/__pf_ruleset/singleton          |  0
 8 files changed, 247 insertions(+)
 create mode 100755 conf/type/__pf_ruleset/explorer/cksum
 create mode 100755 conf/type/__pf_ruleset/explorer/rcvar
 create mode 100644 conf/type/__pf_ruleset/gencode-local
 create mode 100644 conf/type/__pf_ruleset/gencode-remote
 create mode 100644 conf/type/__pf_ruleset/man.text
 create mode 100644 conf/type/__pf_ruleset/parameter/optional
 create mode 100644 conf/type/__pf_ruleset/parameter/required
 create mode 100644 conf/type/__pf_ruleset/singleton

diff --git a/conf/type/__pf_ruleset/explorer/cksum b/conf/type/__pf_ruleset/explorer/cksum
new file mode 100755
index 00000000..372e9193
--- /dev/null
+++ b/conf/type/__pf_ruleset/explorer/cksum
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+# See if file exists and if so, get checksum
+
+RC="/etc/rc.conf"
+TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+PFCONF="${TMP:-"/etc/pf.conf"}"
+
+if [ -f "${PFCONF}" ]; then	# The pf config file exists, find its cksum.
+	cksum -o 1 ${PFCONF} | cut -d= -f2 | sed 's/ //g'
+else	# the pf config file doesn't exist
+	echo NOTEXIST
+fi
+
+# Debug
+#set +x
+
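Review bot: The header comment on L53 promises a 256-bit SHA-2 digest, but the explorer runs `cksum -o 1` (the historic BSD sum) and parses it with `cut -d= -f2`, which expects the `NAME (file) = hash` layout printed by the BSD `sha256`/`md5` family; if `cksum -o 1` prints `sum blocks file` instead — which is what the Darwin arm in gencode-local assumes with `cut '-d ' -f1` — the explorer emits an empty string and the generator's comparison can never match. Replacing the pipeline with a digest that matches the comment, e.g. `sha256 -q "${PFCONF}"` on FreeBSD, gives both sides an unambiguous single-field value (the generator's arms then need the same algorithm), and also quotes `${PFCONF}`, which is unquoted on L68. The `pf_rules=` parsing on L64 — duplicated verbatim on L112 of the rcvar explorer — truncates a value containing a second `=` (`cut -d= -f2` rather than `-f2-`) and strips only double quotes, so a single-quoted value in rc.conf yields a path with literal quotes, the `-f` test fails and the explorer reports NOTEXIST for a ruleset that exists.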
diff --git a/conf/type/__pf_ruleset/explorer/rcvar b/conf/type/__pf_ruleset/explorer/rcvar
new file mode 100755
index 00000000..20e9dfcc
--- /dev/null
+++ b/conf/type/__pf_ruleset/explorer/rcvar
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+# Get the location of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+
+RC="/etc/rc.conf"
+PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+echo ${PFCONF:-"/etc/pf.conf"}
+
+# Debug
+#set +x
+
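Review bot: `echo ${PFCONF:-"/etc/pf.conf"}` on L113 expands the rc.conf value unquoted, so a path containing whitespace is word-split and one containing glob characters is expanded against the explorer's working directory before it reaches the generator; print it as `printf '%s\n' "${PFCONF:-/etc/pf.conf}"`. Because gencode-local builds the `$__remote_copy` destination from this output (`${rcvar}.new` on L187), a mangled path silently changes where the ruleset is written on the target. The `pf_rules=` parsing itself shares the defects noted on the cksum explorer.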
diff --git a/conf/type/__pf_ruleset/gencode-local b/conf/type/__pf_ruleset/gencode-local
new file mode 100644
index 00000000..7c2f877e
--- /dev/null
+++ b/conf/type/__pf_ruleset/gencode-local
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+# Manage pf(4) on *BSD
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Send files to $__target_host via $__remote_copy
+
+uname=$(uname)   # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
+state=$(cat "$__object/parameter/state")
+
+if [ "$state" = "absent" ]; then   # There is nothing more for a *local* script to do
+   exit 0
+fi
+
+if [ -f "$__object/parameter/source" ]; then
+   source=$(cat "$__object/parameter/source")
+fi
+
+rcvar=$(cat "$__object/explorer/rcvar")
+cksum=$(cat "$__object/explorer/cksum")
+
+
+cat <<EOF
+case $uname in
+   Darwin)
+      currentSum=$(cksum -o 1 ${source} | cut '-d ' -f1)
+      ;;
+   Linux)
+      currentSum=$(cksum ${source} | cut '-d ' -f1)
+      ;;
+   FreeBSD)
+      currentSum=$(cksum -o 1 ${source} | cut -d= -f2 | sed 's/ //g')
+      ;;
+   *)
+      echo "Sorry, I do not know how to find a cksum on ${UNAME}." >&2
+      exit 1
+      ;;
+esac
+
+if [ ! "${cksum}" = "NOTEXIST" ]; then
+   if [ ! "\${currentSum}" = "${cksum}" ]; then
+      $__remote_copy "${source}" "$__target_host:${rcvar}.new"
+   fi
+else # File just doesn't exist yet
+   $__remote_copy "${source}" "$__target_host:${rcvar}.new"
+fi
+
+if [ -n "${testscript}" ]; then
+   $__remote_copy "${testscript}" "$__target_host:${rcvar}.test"
+fi
+EOF
+
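Review bot: The three `$(cksum …)` substitutions inside the unquoted here-document (L171, L174, L177) are expanded when gencode-local runs, not when the emitted `case` does, so all three commands execute on the cdist host whatever `$uname` is, and on a host whose `cksum` has no `-o` option the two foreign arms write errors to stderr on every run. The fallback arm reports `${UNAME}`, which is never assigned (the variable is `uname`), and `${testscript}` on L193 is never set anywhere in the file, so that copy block is dead code. With `--source` omitted, which man.text permits, `${source}` is empty, the unquoted `cksum ${source}` reads the generator's stdin, and `$__remote_copy ""` is emitted; an early `exit 0` when there is nothing to copy avoids both. Separately, the Linux arm uses POSIX `cksum` (a CRC) while the explorer on the target uses `cksum -o 1`, and unless the two produce the same value the comparison on L186 never matches and the ruleset is re-copied on every run — a single algorithm on both sides (e.g. SHA-256) would make the change detection meaningful. Computing the sum in the generator and emitting only the copy command addresses the first three points:
```shell
# … unchanged: license header, debug block, uname/state/source/rcvar/cksum reads …

# Nothing to compare or copy without a ruleset; --source is optional (see man.text).
if [ -z "${source}" ]; then
   exit 0
fi

# Compute the checksum here, at generation time, instead of inside the
# here-document, so only the arm for this host's OS actually runs.
case "$uname" in
   Darwin)
      currentSum=$(cksum -o 1 "${source}" | cut '-d ' -f1)
      ;;
   Linux)
      currentSum=$(cksum "${source}" | cut '-d ' -f1)
      ;;
   FreeBSD)
      currentSum=$(cksum -o 1 "${source}" | cut -d= -f2 | sed 's/ //g')
      ;;
   *)
      echo "Sorry, I do not know how to find a cksum on ${uname}." >&2
      exit 1
      ;;
esac

# Copy when the target has no ruleset yet or its checksum differs from ours.
if [ "${cksum}" = "NOTEXIST" ] || [ "${currentSum}" != "${cksum}" ]; then
   cat <<EOF
$__remote_copy "${source}" "$__target_host:${rcvar}.new"
EOF
fi
```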
diff --git a/conf/type/__pf_ruleset/gencode-remote b/conf/type/__pf_ruleset/gencode-remote
new file mode 100644
index 00000000..56aee3cb
--- /dev/null
+++ b/conf/type/__pf_ruleset/gencode-remote
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+# Manage pf(4) on *BSD
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Remove ${rcvar} in the case of --state absent
+
+state=$(cat "$__object/parameter/state")
+
+if [ ! "$state" = "absent" ]; then   # There is nothing more for a *remote* script to do
+   exit 0
+fi
+
+rcvar=$(cat "$__object/explorer/rcvar")
+
+# --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
+echo rm \"${rcvar}.new\"
+echo mv \"${rcvar}\" \"${rcvar.old}\"
+
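Review bot: `${rcvar.old}` on L243 is not a valid parameter expansion — sh rejects it with "bad substitution" — so the generator aborts on every `--state absent` object; the intended form is `echo mv \"${rcvar}\" \"${rcvar}.old\"`. The emitted `rm` and `mv` also carry no existence guards, so the second absent run fails once `.new` is gone and the ruleset has already been renamed; `echo rm -f \"${rcvar}.new\"` and `echo "[ ! -f \"${rcvar}\" ] || mv \"${rcvar}\" \"${rcvar}.old\""` keep the state repeatable. Note that renaming the file does not change the rules pf already has loaded in the kernel; if "absent" is meant to leave no ruleset enforced, as man.text describes it, the loaded rules need to be flushed as well, which nothing in this commit does.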
diff --git a/conf/type/__pf_ruleset/man.text b/conf/type/__pf_ruleset/man.text
new file mode 100644
index 00000000..68601fad
--- /dev/null
+++ b/conf/type/__pf_ruleset/man.text
@@ -0,0 +1,51 @@
+cdist-type__pf_ruleset(7)
+==================================
+Jake Guffey <jake.guffey--@--eprotex.com>
+
+
+NAME
+----
+cdist-type__pf_ruleset - Copy a pf(4) ruleset to $__target_host
+
+
+DESCRIPTION
+-----------
+This type is used on *BSD systems to manage the pf firewall's ruleset.
+
+
+REQUIRED PARAMETERS
+-------------------
+state::
+   Either "absent" (no ruleset at all) or "present"
+
+
+OPTIONAL PARAMETERS
+-------------------
+source::
+   If supplied, use to define the ruleset to load onto the $__target_host for pf(4).
+   Note that this type is almost useless without a ruleset defined, but it's technically not
+   needed, e.g. for the case of disabling the firewall temporarily.
+
+EXAMPLES
+--------
+
+--------------------------------------------------------------------------------
+# Remove the current ruleset in place
+__pf_ruleset --state absent
+
+# Enable the firewall with the ruleset defined in $__manifest/files/pf.conf
+__pf_ruleset --state present --source $__manifest/files/pf.conf
+
+--------------------------------------------------------------------------------
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- pf(4)
+
+
+COPYING
+-------
+Copyright \(C) 2012 Jake Guffey. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).
diff --git a/conf/type/__pf_ruleset/parameter/optional b/conf/type/__pf_ruleset/parameter/optional
new file mode 100644
index 00000000..5a18cd2f
--- /dev/null
+++ b/conf/type/__pf_ruleset/parameter/optional
@@ -0,0 +1 @@
+source
diff --git a/conf/type/__pf_ruleset/parameter/required b/conf/type/__pf_ruleset/parameter/required
new file mode 100644
index 00000000..ff72b5c7
--- /dev/null
+++ b/conf/type/__pf_ruleset/parameter/required
@@ -0,0 +1 @@
+state
diff --git a/conf/type/__pf_ruleset/singleton b/conf/type/__pf_ruleset/singleton
new file mode 100644
index 00000000..e69de29b