[__pf*] (~) __pf_ruleset (+)__pf_apply_anchor, deprecate __pf_apply

__pf_apply the way it exists on cdist is not really useful and __pf_ruleset does
not take advantage of other types as it should, being instead overly complex and
not as reliable.

The new __pf_ruleset is compatible with the previous one, and __pf_apply_anchor
allows for a simple and powerful way of managing pf anchors.
The functionality previously provided by __pf_apply is still possible out of the
box in __pf_ruleset.

These patches were mostly contributed by Kamila Součková and made fit for
upstreaming by Evilham.
evilham 2020-04-25 12:23:27 +02:00
parent 41e59a748d
commit fefe90e9c9
7 changed files with 105 additions and 129 deletions

View file

@ -0,0 +1 @@
Consider moving to __pf_apply_anchor. Get in touch if you need __pf_apply.
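Review bot: the deprecation text points only at __pf_apply_anchor, while the commit message says the old __pf_apply use case (copying and applying a whole ruleset) is now covered by __pf_ruleset; name both so users pick the right replacement, e.g. `Use __pf_ruleset for a full ruleset or __pf_apply_anchor for anchors. Get in touch if you need __pf_apply.`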

View file

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh -e
# #
# 2012 Jake Guffey (jake.guffey at eprotex.com) # 2016 Kamila Součková (coding at kamila.is)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -18,24 +18,16 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
# #
# #
# Get the 256 bit SHA2 checksum of the pf ruleset on the target host. # Apply pf(4) ruleset on *BSD
# #
# Debug ANCHORS_DIR="/etc/pf.d"
#exec >&2
#set -x
# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf if [ -f "${__object}/parameter/anchor_name" ]; then
# See if file exists and if so, get checksum anchor_name="$(cat "${__object}/parameter/anchor_name")"
else
RC="/etc/rc.conf" anchor_name="${__object_id}"
TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
PFCONF="${TMP:-"/etc/pf.conf"}"
if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}'
fi fi
anchor_file="${ANCHORS_DIR}/${anchor_name}"
# Debug echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""
#set +x
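Review bot: the `echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""` line is emitted on every run with no explorer comparing the loaded anchor against `${anchor_file}`, so the type reports a change and reloads the anchor each time cdist runs; either add an explorer that diffs `pfctl -a "${anchor_name}" -sr` output against the file and skip the echo when they match, or document that the type is not idempotent in its reporting. Both `anchor_name` and `anchor_file` are expanded into the generated script at generation time, so a parameter value containing `"` or `$` is interpreted by the remote shell; validate `anchor_name` against a safe character set (letters, digits, `_`, `-`, `.`, `/`) before using it, and fail with a clear message otherwise.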

View file

@ -0,0 +1,62 @@
cdist-type__pf_apply_anchor(7)
==============================
NAME
----
cdist-type__pf_apply_anchor - Apply a pf(4) anchor on $__target_host
DESCRIPTION
-----------
This type is used on \*BSD systems to manage anchors for the pf firewall.
Notice this type does not take care of copying the ruleset, that must be
done by the user with, e.g. `__file`.
OPTIONAL PARAMETERS
-------------------
anchor_name
The name of the anchor to apply. If not set, `${__object_id}` is used.
This type requires `/etc/pf.d/${anchor_name}` to exist on
`$__target_host`.
EXAMPLES
--------
.. code-block:: sh
# Copy anchor file to ${__target_host}
__file "/etc/pf.d/80_dns" --source - <<EOF
# Managed remotely, changes will be lost
pass quick proto {tcp,udp} from any to any port domain
EOF
# Apply the anchor
require="__file/etc/pf.d/80_dns" __pf_apply_anchor 80_dns
# This is roughly equivalent to:
# pfctl -a "${anchor_name}" -f "/etc/pf.d/${anchor_name}"
SEE ALSO
--------
:strong:`pf`\ (4)
AUTHORS
-------
Evilham <contact--@--evilham.com>
Kamila Součková <coding--@--kamila.is>
Jake Guffey <jake.guffey--@--eprotex.com>
COPYING
-------
Copyright \(C) 2020 Evilham.
Copyright \(C) 2016 Kamila Součková.
Copyright \(C) 2012 Jake Guffey. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
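Review bot: the man page documents no way to remove an anchor: there is no `state` parameter, so once applied the anchor's rules stay loaded until reboot or until someone flushes the anchor by hand; either add `--state absent` (generating `pfctl -a "${anchor_name}" -F rules`) or say in DESCRIPTION that removal is out of scope for this type. The "roughly equivalent to" comment in EXAMPLES could also mention that `pfctl -a ... -f ...` replaces whatever the anchor currently holds, which is why copying the file first (the `require=` in the example) matters.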

View file

@ -0,0 +1 @@
anchor_name

View file

@ -1,81 +0,0 @@
#!/bin/sh -e
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Manage pf(4) on *BSD
#
# Debug
#exec >&2
#set -x
# Send files to $__target_host via $__remote_copy
uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
state=$(cat "$__object/parameter/state")
if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do
exit 0
fi
if [ -f "$__object/parameter/source" ]; then
source=$(cat "$__object/parameter/source")
fi
rcvar=$(cat "$__object/explorer/rcvar")
cksum=$(cat "$__object/explorer/cksum")
cat <<EOF
case $uname in
Darwin)
currentSum=\$(cksum -o 1 ${source} | cut '-d ' -f1)
;;
Linux)
currentSum=\$(cksum ${source} | cut '-d ' -f1)
;;
FreeBSD)
currentSum=\$(cksum -o 1 ${source} | cut -d= -f2 | sed 's/ //g')
;;
*)
echo "Sorry, I do not know how to find a cksum on ${uname}." >&2
exit 1
;;
esac
# IPv6 fix
if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$')
then
my_target_host="[${__target_host}]"
else
my_target_host="${__target_host}"
fi
if [ -n "${cksum}" ]; then
if [ ! "\${currentSum}" = "${cksum}" ]; then
$__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
fi
else # File just doesn't exist yet
$__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
fi
EOF
# Debug
#exec +x
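Review bot: deleting this gencode-local (the part of __pf_apply that computed the ruleset checksum and pushed the file with `$__remote_copy`) leaves the type non-functional in the same commit that adds its deprecation marker, so existing manifests break outright instead of getting a deprecation warning for a release; either keep the type working alongside the marker for one release, or remove __pf_apply entirely and state the migration path (`__pf_ruleset` / `__pf_apply_anchor`) in the commit message and changelog.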

View file

@ -10,6 +10,9 @@ DESCRIPTION
----------- -----------
This type is used on \*BSD systems to manage the pf firewall's ruleset. This type is used on \*BSD systems to manage the pf firewall's ruleset.
It will also enable and disable the pf firewall as requested in the `state`
parameter.
REQUIRED PARAMETERS REQUIRED PARAMETERS
------------------- -------------------
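Review bot: the new sentence says `state` enables and disables pf but not what happens to the ruleset file: the manifest now passes `--state "${state}"` straight to `__config_file`, so `--state absent` deletes the file that the old gencode-remote only renamed to `${rcvar}.old`. Spell that out here, since users who relied on the `.old` copy to disable pf temporarily and restore it later lose that with this change.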
@ -20,9 +23,8 @@ state
OPTIONAL PARAMETERS OPTIONAL PARAMETERS
------------------- -------------------
source source
If supplied, use to define the ruleset to load onto the $__target_host for pf(4). Required when state is "present".
Note that this type is almost useless without a ruleset defined, but it's technically not Defines the ruleset to load onto the $__target_host for `pf(4)`.
needed, e.g. for the case of disabling the firewall temporarily.
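Review bot: `source` is described as "Required when state is "present"" but sits under OPTIONAL PARAMETERS, and cdist's parameter split is per parameter, not per state; either keep it here and state the consequence of omitting it with `--state present` (the manifest ends up calling `__config_file` with an empty `--source`), or move the conditional requirement into DESCRIPTION where the `state` semantics are explained.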
EXAMPLES EXAMPLES
@ -30,10 +32,10 @@ EXAMPLES
.. code-block:: sh .. code-block:: sh
# Remove the current ruleset in place # Remove the current ruleset in place and disable pf
__pf_ruleset --state absent __pf_ruleset --state absent
# Enable the firewall with the ruleset defined in $__manifest/files/pf.conf # Enable pf with the ruleset defined in $__manifest/files/pf.conf
__pf_ruleset --state present --source $__manifest/files/pf.conf __pf_ruleset --state present --source $__manifest/files/pf.conf
@ -44,11 +46,13 @@ SEE ALSO
AUTHORS AUTHORS
------- -------
Kamila Součková <coding--@--kamila.is>
Jake Guffey <jake.guffey--@--eprotex.com> Jake Guffey <jake.guffey--@--eprotex.com>
COPYING COPYING
------- -------
Copyright \(C) 2016 Kamila Součková.
Copyright \(C) 2012 Jake Guffey. You can redistribute it Copyright \(C) 2012 Jake Guffey. You can redistribute it
and/or modify it under the terms of the GNU General Public License as and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the published by the Free Software Foundation, either version 3 of the

View file

@ -1,6 +1,6 @@
#!/bin/sh -e #!/bin/sh -e
# #
# 2012 Jake Guffey (jake.guffey at eprotex.com) # 2016 Kamila Součková (coding at kamila.is)
# #
# This file is part of cdist. # This file is part of cdist.
# #
@ -21,29 +21,26 @@
# Manage pf(4) on *BSD # Manage pf(4) on *BSD
# #
# Debug rcvar="$(cat "${__object}/explorer/rcvar")"
#exec >&2 state="$(cat "${__object}/parameter/state")"
#set -x if [ -f "${__object}/parameter/source" ]; then
source="$(cat "${__object}/parameter/source")"
# Remove ${rcvar} in the case of --state absent
state=$(cat "$__object/parameter/state")
rcvar=$(cat "$__object/explorer/rcvar")
if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do
exit 0
elif [ "$state" = "absent" ]; then
# --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
cat <<EOF
if [ -f "${rcvar}.new" ]; then
rm "${rcvar}.new"
fi
if [ -f "${rcvar}" ]; then
mv "${rcvar}" "${rcvar}.old"
fi
EOF
else
echo "Unknown state ${state}!" >&2
exit 1
fi fi
if [ "${state}" = "absent" ]; then
action="/etc/rc.d/pf stop"
else
action="/etc/rc.d/pf reload || /etc/rc.d/pf start"
fi
__key_value __pf_ruleset/rcvar \
--state "${state}" \
--file /etc/rc.conf \
--delimiter "=" \
--key "pf_enable" \
--value "YES"
require="__key_value/__pf_ruleset/rcvar" __config_file ${rcvar} \
--source "${source}" \
--state "${state}" \
--onchange "${action}"
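Review bot: `source` is only assigned when the parameter file exists, so `--state present` without `--source` reaches `__config_file ${rcvar} --source ""` instead of failing clearly; add a check before that call, e.g. `[ "${state}" = "absent" ] || [ -n "${source}" ] || { echo "--source is required with --state present" >&2; exit 1; }`. `${rcvar}` is also unquoted in the `__config_file` call while it is quoted everywhere else. Note too that `/etc/rc.d/pf stop` runs only as `--onchange` of the ruleset file, so if the file is already absent but pf is running, `--state absent` merely removes `pf_enable` from rc.conf and leaves pf up until the next boot.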