diff --git a/cdist/conf/type/__iptables_rule/man.text b/cdist/conf/type/__iptables_rule/man.text new file mode 100644 index 00000000..4e5d2f26 --- /dev/null +++ b/cdist/conf/type/__iptables_rule/man.text @@ -0,0 +1,63 @@ +cdist-type__iptables_rule(7) +============================ +Nico Schottelius + + +NAME +---- +cdist-type__iptables_rule - Deploy iptable rulesets + + +DESCRIPTION +----------- +This cdist type allows you to manage iptable rules +in a distribution independent manner. + + +REQUIRED PARAMETERS +------------------- +rule:: + The rule to apply. Essentially an iptables command + line without iptables in front of it. + + +OPTIONAL PARAMETERS +------------------- +state:: + 'present' or 'absent', defaults to 'present' + + +EXAMPLES +-------- + +-------------------------------------------------------------------------------- +# Deploy some policies +__iptables_rule policy-in --rule "-P INPUT DROP" +__iptables_rule policy-out --rule "-P OUTPUT ACCEPT" +__iptables_rule policy-fwd --rule "-P FORWARD DROP" + +# The usual established rule +__iptables_rule established --rule "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" + +# Some service rules +__iptables_rule http --rule "-A INPUT -p tcp --dport 80 -j ACCEPT" +__iptables_rule ssh --rule "-A INPUT -p tcp --dport 80 -j ACCEPT" +__iptables_rule https --rule "-A INPUT -p tcp --dport 443 -j ACCEPT" + +# Ensure some rules are not present anymore +__iptables_rule munin --rule "-A INPUT -p tcp --dport 4949 -j ACCEPT" \ + --state absent + +-------------------------------------------------------------------------------- + + +SEE ALSO +-------- +- cdist-type(7) +- iptables(8) + + +COPYING +------- +Copyright \(C) 2013 Nico Schottelius. Free use of this software is +granted under the terms of the GNU General Public License version 3 (GPLv3). diff --git a/cdist/conf/type/__iptables_rule/manifest b/cdist/conf/type/__iptables_rule/manifest new file mode 100644 index 00000000..a6abbd5e --- /dev/null +++ b/cdist/conf/type/__iptables_rule/manifest @@ -0,0 +1,46 @@ +# +# 2013 Nico Schottelius (nico-cdist at schottelius.org) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# +# + +base_dir=/etc/iptables.d + +name="$__object_id" + +if [ -f "$__object/parameter/state" ]; then + state="$(cat "$__object/parameter/state")" +else + state="present" +fi + +################################################################################ +# Basic setup +# + +__directory "$base_dir" --state present + +# Have apply do the real job +require="$__object_name" __iptables_apply + +################################################################################ +# The rule +# + +require="__directory/$base_dir" __file "$base_dir/${name}" \ + --source "$__object/parameter/rule" \ + --state "$state" diff --git a/cdist/conf/type/__iptables_rule/parameter/optional b/cdist/conf/type/__iptables_rule/parameter/optional new file mode 100644 index 00000000..ff72b5c7 --- /dev/null +++ b/cdist/conf/type/__iptables_rule/parameter/optional @@ -0,0 +1 @@ +state diff --git a/cdist/conf/type/__iptables_rule/parameter/required b/cdist/conf/type/__iptables_rule/parameter/required new file mode 100644 index 00000000..2b254dff --- /dev/null +++ b/cdist/conf/type/__iptables_rule/parameter/required @@ -0,0 +1 @@ +rule diff --git a/docs/changelog b/docs/changelog index 78701e5d..c53227ca 100644 --- a/docs/changelog +++ b/docs/changelog @@ -8,6 +8,7 @@ Changelog * Core: Fix typo in argument parser * Core: Code cleanup: Remove old install code (Steven Armstrong) * Core: Improve error message when using non-existing type in requirement + * New Type: __iptables_rule * Type __cdist: Also create home directory * Type __cdist: Add support for --shell parameter * Type __motd: Regenerate motd on Debian and Ubuntu