new type __ipset

This commit is contained in:
mhameed 2021-01-19 11:24:31 +00:00
parent 4918ef464f
commit 0d3bd4485a
13 changed files with 387 additions and 0 deletions

26
type/__ipset/explorer/content Executable file

@ -0,0 +1,26 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
if ipset -t list | grep -qFx "Name: $name"; then
ipset list "$name" | sed '0,/^Members:/d'
else
echo "x_missing_x"
fi
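Review bot: `sed '0,/^Members:/d'` on line 35 uses the GNU-only `0,/re/` address form; because the first line of `ipset list` output is the `Name:` line, the POSIX `sed '1,/^Members:/d'` strips the same header and also works with busybox or BSD sed. The existence check on line 34 lists every set and greps for the name, whereas the sibling `state` explorer queries the set directly; `if ipset -t list "$name" >/dev/null 2>&1; then` would make the explorers consistent and avoid scanning unrelated sets. The `x_missing_x` sentinel on line 37 is later used by gencode-remote as the member list to `grep -Fx` against, so a one-line comment such as `# sentinel: no set of this name exists; never matches a real entry` would document that contract.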

26
type/__ipset/explorer/state Executable file

@ -0,0 +1,26 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
if ipset -t list "$name" >/dev/null; then
echo "present"
else
echo "absent"
fi
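Review bot: `ipset -t list "$name" >/dev/null` on line 65 discards only stdout, so for an absent set ipset's error message still reaches stderr and is reported as explorer noise on every cdist run; redirect it too: `if ipset -t list "$name" >/dev/null 2>&1; then`. On a fresh host where `__package ipset` has not run yet, the shell's "not found" message for the missing binary lands on stderr the same way, and the same redirect covers that case while still yielding `absent`. If you prefer to make the not-installed case explicit, `command -v ipset >/dev/null 2>&1 || { echo "absent"; exit 0; }` before the test does so in one line.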

26
type/__ipset/explorer/type Executable file

@ -0,0 +1,26 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
name="$__object_id"
if ipset -t list | grep -qFx "Name: $name"; then
ipset -t list "$name" | grep "^Type: " | awk '{print $2}'
else
echo "x_missing_x"
fi
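Review bot: The pipeline on line 97 runs three processes where one awk program suffices, and it only needs the one set, so `ipset -t list "$name" | awk '/^Type:/ {print $2}'` can replace the `grep | awk` pair; the same direct query can then also replace the whole-table listing on line 96, as in the `state` explorer. Settling on one lookup form across `state`, `type` and `content` would make the three explorers read the same way. Keep the `x_missing_x` sentinel on the absent branch, since gencode-remote compares this output against the `type` parameter.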


@ -0,0 +1,48 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
### BEGIN INIT INFO
# Provides: ipset
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# X-Start-Before: iptables
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Create ipset lists before iptables rules require them
# Description: Applies lists found in /etc/ipset.d/*.saved
# and saves/restores previous status
### END INIT INFO
case $1 in
start)
# Restore previous state:
/usr/local/bin/ipsets-restore
;;
stop)
# Save current state before exiting:
/usr/local/bin/ipsets-save
;;
restart)
"$0" stop && "$0" start
;;
reset)
ipset flush
;;
esac
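Review bot: The `case` on lines 136-151 has no `*)` arm, so an unknown action such as `status` or a typo exits 0 without doing anything, and `reset` runs `ipset flush` with no set name, which empties every set on the host, including members the man page says may not be managed by cdist, while leaving the `.saved` files alone so the next `start` loads them back. A usage arm `*) echo "Usage: $0 {start|stop|restart|reset}" >&2; exit 2 ;;` is the minimum; whether `reset` should touch sets outside /etc/ipset.d is worth a decision and a comment. This section's file header is not rendered on the page; from the manifest it appears to be `files/ipset-persistent`.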


@ -0,0 +1,28 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
mkdir -p /etc/ipset.d/
if [ -n "$1" ]; then
ipset -! restore < "/etc/ipset.d/$1"
else
find /etc/ipset.d/ -iname "*.saved" | while read s; do
ipset -! restore <$s
done
fi
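Review bot: The loop on lines 179-181 reads `find` output with a bare `read` and redirects from an unquoted `<$s`, so a saved file whose name contains whitespace or backslashes may be mis-split or rejected by the shell; in plain sh the robust non-recursive form is `for s in /etc/ipset.d/*.saved; do [ -e "$s" ] || continue; ipset -! restore < "$s"; done`, or keep `find` with `-exec sh -c 'ipset -! restore < "$1"' _ {} \;` if subdirectories matter. `-iname` also restores a stray `FOO.SAVED`, whereas `-name '*.saved'` matches exactly what ipsets-save writes. On line 177 the argument is joined into the path unchecked; the only caller on this page (the init script) passes no argument, so a comment such as `# $1, when given, is a bare set name as written by ipsets-save` would pin the expected input. This section's file header is not rendered; the manifest installs it as `/usr/local/bin/ipsets-restore`.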

28
type/__ipset/files/ipsets-save Executable file

@ -0,0 +1,28 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
mkdir -p /etc/ipset.d/
if [ -n "$1" ]; then
ipset save "$1" > "/etc/ipset.d/${1}.saved"
else
ipset -t list | grep "^Name:" | awk '{print $2}' | while read s; do
ipset save $s > /etc/ipset.d/$s.saved
done
fi
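Review bot: The redirection on line 210 (and line 213) creates and truncates the `.saved` file before `ipset save` runs, so a failing save, or the service being stopped at shutdown while ipset is still writing, may leave an empty or truncated file that `ipsets-restore` feeds back on the next start, restoring a partial set behind whatever iptables rules reference it. Write to a temporary name and rename into place: `f="/etc/ipset.d/${1}.saved"; ipset save "$1" > "$f.tmp" && mv -- "$f.tmp" "$f"`, with the same pattern in the loop. The loop on line 213 also leaves `$s` unquoted; even if ipset set names never contain whitespace, `ipset save "$s" > "/etc/ipset.d/$s.saved"` costs nothing and keeps shellcheck quiet.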

79
type/__ipset/gencode-remote Executable file

@ -0,0 +1,79 @@
#!/bin/sh
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
e="$__object/explorer"
p="$__object/parameter"
name="$__object_id"
type_is="$(cat "$e/type")"
type_should="$(cat "$p/type")"
state_is="$(cat "$e/state")"
state_should="$(cat "$p/state")"
needToSave=0
case $state_should in
present)
if [ "$state_is" = "absent" ]; then
echo ipset create "$name" "$type_should"
needToSave=1
elif [ "$state_is" = "present" ] && [ "$type_is" != "$type_should" ]; then
echo ipset destroy "$name"
echo "rm \"/etc/ipset.d/${name}.saved\" || true"
echo ipset create "$name" "$type_should"
needToSave=1
fi
;;
absent)
if [ "$state_is" = "present" ]; then
echo ipset destroy "$name"
echo "rm \"/etc/ipset.d/${name}.saved\" || true"
fi
;;
*)
echo "Unknown state: $state_should" >&2
exit 1
;;
esac
if [ "$state_should" = "present" ]; then
if [ -f "$p/ensure-present" ]; then
while read -r value; do
if ! grep -qFx "$value" "$e/content"; then
echo "ipset -! add $name $value"
needToSave=1
fi
done < "$p/ensure-present"
fi
if [ -f "$p/ensure-absent" ]; then
while read -r value; do
if grep -qFx "$value" "$e/content"; then
echo "ipset -! del $name $value"
needToSave=1
fi
done < "$p/ensure-absent"
fi
elif [ "$state_should" = "absent" ] && \( [ -f "$p/ensure-present" ] || [ -f "$p/ensure-absent" ] \); then
echo "Error: ipset state absent is incompatible with --ensure-present or --ensure-absent" >&2
exit 1
fi
if [ $needToSave -ne 0 ]; then
echo /usr/local/bin/ipsets-save "$name"
fi
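Review bot: The `elif` on line 289 does not work: outside `[ ... ]`, `\(` is an ordinary word, so the shell tries to run a command named `(` and the `\)` becomes a stray argument to the second `[`, both of which fail, so the condition is never true and the incompatibility error on line 290 is unreachable. Group with braces instead: `elif [ "$state_should" = "absent" ] && { [ -f "$p/ensure-present" ] || [ -f "$p/ensure-absent" ]; }; then`. Separately, when the set is destroyed and recreated because its type changed (lines 254-258), the check on line 275 still consults `$e/content`, which describes the old set, so entries that were members before are not re-added to the new, empty set; introducing `content="$e/content"` near line 248, setting it to `/dev/null` in the recreate branch, and using `"$content"` on lines 275 and 283 closes that gap. Finally, parameter values are echoed unquoted into the generated script (`echo "ipset -! add $name $value"`), so an entry containing shell metacharacters would be interpreted by the remote shell rather than handed to ipset; emitting the name and value single-quoted keeps the generated command literal.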

76
type/__ipset/man.rst Normal file

@ -0,0 +1,76 @@
cdist-type__ipset(7)
====================
NAME
----
cdist-type__ipset - Manage ipset sets
DESCRIPTION
-----------
Making use of ipset sets in iptable rules can make your rules more expressive, maintainable and efficient.
.. note::
The defined sets are not exclusive. i.e. this type will ensure the given entries are present/absent, but there might be
other elements in the set that are not defined through cdist.
REQUIRED PARAMETERS
-------------------
type
One of the supported ipset set types, for a full list see:
``ipset help``
OPTIONAL PARAMETERS
-------------------
ensure-present
The entry that must exist in the given set.
Can be used multiple times.
ensure-absent
The entry that must not exist in the given set.
Can be used multiple times.
state
Can be:
- ``present``: ensure that the given set exists.
- ``absent``: ensure the given set doesn't exist.
BOOLEAN PARAMETERS
------------------
None.
EXAMPLES
--------
.. code-block:: sh
# Make sure a set with the given name/type exists:
__ipset testset1 --type hash:ip
# Ensure allowed_ssh_clients contains at least the specified private range:
__ipset allowed_ssh_hosts --type hash:net \
--ensure-present 192.168.0.0/24 --ensure-present 10.0.0.0/8
# Make sure host is not on the blocked list:
__ipset blocked_hosts --type hash:ip \
--ensure-absent 1.2.3.4
SEE ALSO
--------
:strong:`cdist-type__iptables_rule`\ (7), :strong:`iptables`\ (8)
AUTHORS
-------
Mesar Hameed <mesar.hameed--@--gmail.com>
COPYING
-------
Copyright \(C) 2021 Mesar Hameed. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

45
type/__ipset/manifest Executable file

@ -0,0 +1,45 @@
#!/bin/sh -e
#
# 2021 Mesar Hameed (mesar.hameed at gmail.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
os=$(cat "$__global/explorer/os")
case "$os" in
debian)
:
;;
ubuntu)
:
;;
*)
echo "OS $os currently not supported" >&2
exit 1
;;
esac
export CDIST_ORDER_DEPENDENCY=on
# install packages
__package ipset
__file /etc/init.d/ipset-persistent --mode 0755 --source "${__type}/files/ipset-persistent"
__file /usr/local/bin/ipsets-restore --mode 0755 --source "${__type}/files/ipsets-restore"
__file /usr/local/bin/ipsets-save --mode 0755 --source "${__type}/files/ipsets-save"
__systemd_unit ipset-persistent --enablement-state enabled --restart
unset CDIST_ORDER_DEPENDENCY
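Review bot: Line 362 carries `-e` in the shebang, where it is lost if the manifest is ever run as `sh manifest`; a `set -e` as the first statement is the robust form and makes the failure policy visible next to the `exit 1` on line 391. The two no-op arms on lines 383-388 can collapse to `debian|ubuntu) : ;;`. The `__systemd_unit ipset-persistent ... --restart` line appears to rely on systemd generating a unit from the LSB init script installed on line 397; a one-line comment saying so would save the next reader from looking for a `.service` file under `files/`.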


@ -0,0 +1 @@
present


@ -0,0 +1 @@
state


@ -0,0 +1,2 @@
ensure-present
ensure-absent


@ -0,0 +1 @@
type