new type: __iptables_apply

Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>

cdist/conf/type/__iptables_apply/files/init-script

@@ -0,0 +1,48 @@
+#!/bin/sh
+# Nico Schottelius
+# Zürisee, Mon Sep  2 18:38:27 CEST 2013
+#
+### BEGIN INIT INFO
+# Provides:          iptables
+# Required-Start:    $local_fs $remote_fs
+# Required-Stop:     $local_fs $remote_fs
+# X-Start-Before:    fail2ban
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Applies iptables ruleset
+# Description:       Applies all rules found in /etc/iptables.d
+#                    and saves/restores previous status
+### END INIT INFO
+
+
+basedir=/etc/iptables.d
+status="${basedir}/.pre-start"
+
+case $1 in
+    start)
+        # Save status
+        iptables-save > "$status"
+
+        # Apply our ruleset
+        cd "$basedir"
+        count="$(ls -1 | wc -l)"
+
+        # Only do something if there are rules
+        if [ "$count" -ge 1 ]; then
+            for rule in *; do
+                echo "Applying iptables rule $rule ..."
+                iptables $(cat "$rule")
+            done
+        fi
+    ;;
+
+    stop)
+        # Restore from status before, if there is something to restore
+        if [ -f "$status" ]; then
+            iptables-restore < "$status"
+        fi
+    ;;
+    restart)
+        "$0" stop &&  "$0" start
+    ;;
+esac

cdist/conf/type/__iptables_apply/gencode-remote

@@ -0,0 +1,2 @@
+# Rebuild rules - FIXME: do conditionally as soon as cdist supports it
+echo /etc/init.d/iptables restart

cdist/conf/type/__iptables_apply/man.text

@@ -0,0 +1,42 @@
+cdist-type__iptables_apply(7)
+=============================
+Nico Schottelius <nico-cdist--@--schottelius.org>
+
+
+NAME
+----
+cdist-type__iptables_apply - Apply the rules
+
+
+DESCRIPTION
+-----------
+This cdist type deploys an init script that triggers
+the configured rules and also re-applies them on
+configuration.
+
+
+REQUIRED PARAMETERS
+-------------------
+None
+
+OPTIONAL PARAMETERS
+-------------------
+None
+
+EXAMPLES
+--------
+
+None (__iptables_apply is used by __iptables_rule)
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- cdist-type__iptables_rule(7)
+- iptables(8)
+
+
+COPYING
+-------
+Copyright \(C) 2013 Nico Schottelius. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).

cdist/conf/type/__iptables_apply/manifest

@@ -0,0 +1,26 @@
+#
+# 2013 Nico Schottelius (nico-cdist at schottelius.org)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+__file /etc/init.d/iptables \
+    --source "$__type/files/init-script" \
+    --state present \
+    --mode 0755
+
+require="__file/etc/init.d/iptables" __start_on_boot iptables

cdist/conf/type/__iptables_rule/man.text

@@ -54,6 +54,7 @@ __iptables_rule munin --rule "-A INPUT -p tcp --dport 4949 -j ACCEPT" \
 SEE ALSO
 --------
 - cdist-type(7)
+- cdist-type__iptables_apply(7)
 - iptables(8)
 
 

docs/changelog

@@ -9,6 +9,7 @@ Changelog
 	* Core: Code cleanup: Remove old install code (Steven Armstrong)
 	* Core: Improve error message when using non-existing type in requirement
 	* New Type: __iptables_rule
+	* New Type: __iptables_apply
 	* Type __cdist: Also create home directory
 	* Type __cdist: Add support for --shell parameter
 	* Type __motd: Regenerate motd on Debian and Ubuntu