new type: __iptables_rule

Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
This commit is contained in:
Nico Schottelius 2013-09-02 19:22:53 +02:00
parent 81fae9325f
commit 0f6b6f420c
5 changed files with 112 additions and 0 deletions

View file

@ -0,0 +1,63 @@
cdist-type__iptables_rule(7)
============================
Nico Schottelius <nico-cdist--@--schottelius.org>
NAME
----
cdist-type__iptables_rule - Deploy iptable rulesets
DESCRIPTION
-----------
This cdist type allows you to manage iptable rules
in a distribution independent manner.
REQUIRED PARAMETERS
-------------------
rule::
The rule to apply. Essentially an iptables command
line without iptables in front of it.
OPTIONAL PARAMETERS
-------------------
state::
'present' or 'absent', defaults to 'present'
EXAMPLES
--------
--------------------------------------------------------------------------------
# Deploy some policies
__iptables_rule policy-in --rule "-P INPUT DROP"
__iptables_rule policy-out --rule "-P OUTPUT ACCEPT"
__iptables_rule policy-fwd --rule "-P FORWARD DROP"
# The usual established rule
__iptables_rule established --rule "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
# Some service rules
__iptables_rule http --rule "-A INPUT -p tcp --dport 80 -j ACCEPT"
__iptables_rule ssh --rule "-A INPUT -p tcp --dport 80 -j ACCEPT"
__iptables_rule https --rule "-A INPUT -p tcp --dport 443 -j ACCEPT"
# Ensure some rules are not present anymore
__iptables_rule munin --rule "-A INPUT -p tcp --dport 4949 -j ACCEPT" \
--state absent
--------------------------------------------------------------------------------
SEE ALSO
--------
- cdist-type(7)
- iptables(8)
COPYING
-------
Copyright \(C) 2013 Nico Schottelius. Free use of this software is
granted under the terms of the GNU General Public License version 3 (GPLv3).

View file

@ -0,0 +1,46 @@
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
base_dir=/etc/iptables.d
name="$__object_id"
if [ -f "$__object/parameter/state" ]; then
state="$(cat "$__object/parameter/state")"
else
state="present"
fi
################################################################################
# Basic setup
#
__directory "$base_dir" --state present
# Have apply do the real job
require="$__object_name" __iptables_apply
################################################################################
# The rule
#
require="__directory/$base_dir" __file "$base_dir/${name}" \
--source "$__object/parameter/rule" \
--state "$state"

View file

@ -0,0 +1 @@
state

View file

@ -0,0 +1 @@
rule

View file

@ -8,6 +8,7 @@ Changelog
* Core: Fix typo in argument parser
* Core: Code cleanup: Remove old install code (Steven Armstrong)
* Core: Improve error message when using non-existing type in requirement
* New Type: __iptables_rule
* Type __cdist: Also create home directory
* Type __cdist: Add support for --shell parameter
* Type __motd: Regenerate motd on Debian and Ubuntu