From f8d3e36efbd6185a2ac0d085b92d0ce3fe9c7dc5 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Mon, 2 Sep 2013 19:29:11 +0200
Subject: [PATCH] new type: __iptables_apply
Signed-off-by: Nico Schottelius
---
 .../type/__iptables_apply/files/init-script | 48 +++++++++++++++++++
 .../conf/type/__iptables_apply/gencode-remote | 2 +
 cdist/conf/type/__iptables_apply/man.text | 42 ++++++++++++++++
 cdist/conf/type/__iptables_apply/manifest | 26 ++++++++++
 cdist/conf/type/__iptables_apply/singleton | 0
 cdist/conf/type/__iptables_rule/man.text | 1 +
 docs/changelog | 1 +
 7 files changed, 120 insertions(+)
 create mode 100644 cdist/conf/type/__iptables_apply/files/init-script
 create mode 100644 cdist/conf/type/__iptables_apply/gencode-remote
 create mode 100644 cdist/conf/type/__iptables_apply/man.text
 create mode 100644 cdist/conf/type/__iptables_apply/manifest
 create mode 100644 cdist/conf/type/__iptables_apply/singleton
diff --git a/cdist/conf/type/__iptables_apply/files/init-script b/cdist/conf/type/__iptables_apply/files/init-script
new file mode 100644
index 00000000..2dc952e9
--- /dev/null
+++ b/cdist/conf/type/__iptables_apply/files/init-script
@@ -0,0 +1,48 @@
+#!/bin/sh
+# Nico Schottelius
+# Zürisee, Mon Sep 2 18:38:27 CEST 2013
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# X-Start-Before: fail2ban
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Applies iptables ruleset
+# Description: Applies all rules found in /etc/iptables.d
+# and saves/restores previous status
+### END INIT INFO
+
+
+basedir=/etc/iptables.d
+status="${basedir}/.pre-start"
+
+case $1 in
+ start)
+ # Save status
+ iptables-save > "$status"
+
+ # Apply our ruleset
+ cd "$basedir"
+ count="$(ls -1 | wc -l)"
+
+ # Only do something if there are rules
+ if [ "$count" -ge 1 ]; then
+ for rule in *; do
+ echo "Applying iptables rule $rule ..."
+ iptables $(cat "$rule")
+ done
+ fi
+ ;;
+
+ stop)
+ # Restore from status before, if there is something to restore
+ if [ -f "$status" ]; then
+ iptables-restore < "$status"
+ fi
+ ;;
+ restart)
+ "$0" stop && "$0" start
+ ;;
+esac
diff --git a/cdist/conf/type/__iptables_apply/gencode-remote b/cdist/conf/type/__iptables_apply/gencode-remote
new file mode 100644
index 00000000..0773b452
--- /dev/null
+++ b/cdist/conf/type/__iptables_apply/gencode-remote
@@ -0,0 +1,2 @@
+# Rebuild rules - FIXME: do conditionally as soon as cdist supports it
+echo /etc/init.d/iptables restart
diff --git a/cdist/conf/type/__iptables_apply/man.text b/cdist/conf/type/__iptables_apply/man.text
new file mode 100644
index 00000000..87f4b4ee
--- /dev/null
+++ b/cdist/conf/type/__iptables_apply/man.text
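Review bot: `cd "$basedir"` in the `start` branch is unchecked, so when /etc/iptables.d does not exist the `ls -1 | wc -l` count and the `for rule in *` loop run in whatever directory the script was started from and `iptables $(cat "$rule")` is fed the contents of unrelated files; write `cd "$basedir" || exit 1`. The unquoted `$(cat "$rule")` is also word-split and glob-expanded, so a rule file containing a quoted argument (for example a `--comment "..."`) or a `*` does not reach iptables as written, and since no `iptables` exit status is checked a rule that fails to load is only visible in the echoed output while the script still returns 0, leaving the firewall partially applied without anything noticing. Running `start` twice without a `stop` in between overwrites `.pre-start` with the already-applied ruleset, so a later `stop` can no longer restore the original state; saving only when the file is absent, or removing it at the end of `stop`, would keep the save/restore pair symmetric.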
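Review bot: The generated `/etc/init.d/iptables restart` runs on every cdist run, and the init script implements restart as `stop` followed by `start`, so between the `iptables-restore` in `stop` and the rule loop in `start` the host briefly runs with the pre-start ruleset rather than the configured one; the FIXME names the unconditional call but not this window. Until cdist can make the call conditional, the comment should state the consequence, e.g. `# NOTE: restart = stop (restore .pre-start) + start; the configured rules are absent for the duration of the restart`. Whether that window matters depends on what the pre-start ruleset on the target permits, which cannot be determined from this patch.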
@@ -0,0 +1,42 @@
+cdist-type__iptables_apply(7)
+=============================
+Nico Schottelius
+
+
+NAME
+----
+cdist-type__iptables_apply - Apply the rules
+
+
+DESCRIPTION
+-----------
+This cdist type deploys an init script that triggers
+the configured rules and also re-applies them on
+configuration.
+
+
+REQUIRED PARAMETERS
+-------------------
+None
+
+OPTIONAL PARAMETERS
+-------------------
+None
+
+EXAMPLES
+--------
+
+None (__iptables_apply is used by __iptables_rule)
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- cdist-type__iptables_rule(7)
+- iptables(8)
+
+
+COPYING
+-------
+Copyright \(C) 2013 Nico Schottelius. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).
diff --git a/cdist/conf/type/__iptables_apply/manifest b/cdist/conf/type/__iptables_apply/manifest
new file mode 100644
index 00000000..a22901ba
--- /dev/null
+++ b/cdist/conf/type/__iptables_apply/manifest
@@ -0,0 +1,26 @@
+#
+# 2013 Nico Schottelius (nico-cdist at schottelius.org)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+
+__file /etc/init.d/iptables \
+ --source "$__type/files/init-script" \
+ --state present \
+ --mode 0755
+
+require="__file/etc/init.d/iptables" __start_on_boot iptables
diff --git a/cdist/conf/type/__iptables_apply/singleton b/cdist/conf/type/__iptables_apply/singleton
new file mode 100644
index 00000000..e69de29b
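Review bot: `__file /etc/init.d/iptables` in the manifest sets `--mode 0755` but no `--owner`/`--group`, so the ownership of a script that init executes as root is left to the type's defaults; adding `--owner root --group root` next to `--mode 0755` makes the intent explicit and keeps the file from being writable by a non-root owner if the defaults ever differ. The installed init script `cd`s into /etc/iptables.d, which this manifest does not create; the man page says the type is only used by __iptables_rule, so presumably that type provides the directory, but a `__directory /etc/iptables.d --state present` here, or a sentence in man.text stating the precondition, would make __iptables_apply self-contained. The `see .` in the license header has lost its URL in this rendering and is worth checking in the committed file.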
diff --git a/cdist/conf/type/__iptables_rule/man.text b/cdist/conf/type/__iptables_rule/man.text
index 4e5d2f26..eb230093 100644
--- a/cdist/conf/type/__iptables_rule/man.text
+++ b/cdist/conf/type/__iptables_rule/man.text
@@ -54,6 +54,7 @@ __iptables_rule munin --rule "-A INPUT -p tcp --dport 4949 -j ACCEPT" \
 SEE ALSO
 --------
 - cdist-type(7)
+- cdist-type__iptables_apply(7)
 - iptables(8)
diff --git a/docs/changelog b/docs/changelog
index c53227ca..f6fd1c2c 100644
--- a/docs/changelog
+++ b/docs/changelog
@@ -9,6 +9,7 @@ Changelog
 * Core: Code cleanup: Remove old install code (Steven Armstrong)
 * Core: Improve error message when using non-existing type in requirement
 * New Type: __iptables_rule
+ * New Type: __iptables_apply
 * Type __cdist: Also create home directory
 * Type __cdist: Add support for --shell parameter
 * Type __motd: Regenerate motd on Debian and Ubuntu