new type: __iptables_apply
Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
This commit is contained in:
parent
0f6b6f420c
commit
f8d3e36efb
7 changed files with 120 additions and 0 deletions
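--- a/cdist/conf/type/__iptables_apply/files/init-script
+++ b/cdist/conf/type/__iptables_apply/files/init-script
@@ -0,0 +1,48 @@
+#!/bin/sh
+# Nico Schottelius
+# Zürisee, Mon Sep 2 18:38:27 CEST 2013
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# X-Start-Before: fail2ban
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Applies iptables ruleset
+# Description: Applies all rules found in /etc/iptables.d
+# and saves/restores previous status
+### END INIT INFO
+
+
+basedir=/etc/iptables.d
+status="${basedir}/.pre-start"
+
+case $1 in
+start)
+# Save status
+iptables-save > "$status"
+
+# Apply our ruleset
+cd "$basedir"
+count="$(ls -1 | wc -l)"
+
+# Only do something if there are rules
+if [ "$count" -ge 1 ]; then
+for rule in *; do
+echo "Applying iptables rule $rule ..."
+iptables $(cat "$rule")
+done
+fi
+;;
+
+stop)
+# Restore from status before, if there is something to restore
+if [ -f "$status" ]; then
+iptables-restore < "$status"
+fi
+;;
+restart)
+"$0" stop && "$0" start
+;;
+esac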
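Review bot: `cd "$basedir"` in the `start` branch is unchecked and the script never enables `set -e`, so if /etc/iptables.d is missing or unreadable the loop `for rule in *` runs in the caller's current directory and passes the contents of whatever files are there to iptables; `cd "$basedir" || exit 1` closes that gap. A rule that iptables rejects is likewise only visible on iptables' own stderr while the script still exits 0, so the init system and the cdist run that invokes `restart` both report success for a partially applied ruleset; `iptables $(cat "$rule") || exit 1`, or a failure flag checked after the loop, would surface it. `$(cat "$rule")` is left unquoted to split the rule into arguments, which also glob-expands it against the files in $basedir, so a rule containing an unquoted `*` would be rewritten; the rule files are presumably root-managed configuration rather than untrusted input, but a comment saying so would spare the next reader the question. Finally, `iptables-save > "$status"` runs on every `start`, so a second `start` without an intervening `stop` overwrites the pre-start snapshot with the already-applied ruleset and `stop` can no longer restore the original state; `[ -f "$status" ] || iptables-save > "$status"` keeps the baseline.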
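--- a/cdist/conf/type/__iptables_apply/gencode-remote
+++ b/cdist/conf/type/__iptables_apply/gencode-remote
@@ -0,0 +1,2 @@
+# Rebuild rules - FIXME: do conditionally as soon as cdist supports it
+echo /etc/init.d/iptables restart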
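Review bot: The `restart` emitted here is unconditional, and in the deployed init script `restart` runs `stop` (which restores the pre-start snapshot) before `start` re-applies the rules, so every cdist run briefly leaves the host under whatever policy was in force before the script first ran, and any chains added at runtime by services ordered after it, such as fail2ban per the init header, are presumably discarded by that restore. The FIXME already flags the unconditional execution; the effect of the restore itself deserves a line next to it, e.g. `# NOTE: restart goes through stop, which restores the pre-start ruleset before start re-applies ours`. The order of operations is fixed by files/init-script rather than by this file, so the comment here is the practical improvement until a conditional trigger exists.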
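--- a/cdist/conf/type/__iptables_apply/man.text
+++ b/cdist/conf/type/__iptables_apply/man.text
@@ -0,0 +1,42 @@
+cdist-type__iptables_apply(7)
+=============================
+Nico Schottelius <nico-cdist--@--schottelius.org>
+
+
+NAME
+----
+cdist-type__iptables_apply - Apply the rules
+
+
+DESCRIPTION
+-----------
+This cdist type deploys an init script that triggers
+the configured rules and also re-applies them on
+configuration.
+
+
+REQUIRED PARAMETERS
+-------------------
+None
+
+OPTIONAL PARAMETERS
+-------------------
+None
+
+EXAMPLES
+--------
+
+None (__iptables_apply is used by __iptables_rule)
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- cdist-type__iptables_rule(7)
+- iptables(8)
+
+
+COPYING
+-------
+Copyright \(C) 2013 Nico Schottelius. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).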
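--- a/cdist/conf/type/__iptables_apply/manifest
+++ b/cdist/conf/type/__iptables_apply/manifest
@@ -0,0 +1,26 @@
+#
+# 2013 Nico Schottelius (nico-cdist at schottelius.org)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+__file /etc/init.d/iptables \
+--source "$__type/files/init-script" \
+--state present \
+--mode 0755
+
+require="__file/etc/init.d/iptables" __start_on_boot iptables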
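Review bot: Nothing in this manifest ensures /etc/iptables.d exists, yet the init script it deploys does `cd "$basedir"` on `start` and iterates that directory's contents; if __iptables_rule is what creates the directory that is fine, but since this singleton is the type __iptables_rule depends on, an explicit `__directory /etc/iptables.d --state present` here would make it self-contained. The `__file` call sets `--mode 0755` for a script the init system runs as root but does not pin `--owner root --group root`; whether __file's defaults already give that is not visible from this change, so either pin them or note why the default is acceptable.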
0
cdist/conf/type/__iptables_apply/singleton
Normal file
@ -54,6 +54,7 @@ __iptables_rule munin --rule "-A INPUT -p tcp --dport 4949 -j ACCEPT" \
SEE ALSO
SEE ALSO
--------
--------
- cdist-type(7)
- cdist-type(7)
- cdist-type__iptables_apply(7)
- iptables(8)
- iptables(8)
@ -9,6 +9,7 @@ Changelog
* Core: Code cleanup: Remove old install code (Steven Armstrong)
* Core: Code cleanup: Remove old install code (Steven Armstrong)
* Core: Improve error message when using non-existing type in requirement
* Core: Improve error message when using non-existing type in requirement
* New Type: __iptables_rule
* New Type: __iptables_rule
* New Type: __iptables_apply
* Type __cdist: Also create home directory
* Type __cdist: Also create home directory
* Type __cdist: Add support for --shell parameter
* Type __cdist: Add support for --shell parameter
* Type __motd: Regenerate motd on Debian and Ubuntu
* Type __motd: Regenerate motd on Debian and Ubuntu