__ipset: allow for strict and relaxed mode when specifying sets

This commit is contained in:
mhameed 2021-01-30 10:06:09 +00:00
parent 0d3bd4485a
commit a7565bce22
4 changed files with 40 additions and 9 deletions


@ -25,8 +25,21 @@ type_is="$(cat "$e/type")"
type_should="$(cat "$p/type")"
state_is="$(cat "$e/state")"
state_should="$(cat "$p/state")"
mode="$(cat "$p/mode")"
needToSave=0
if [ "$mode" != "strict" ] && [ "$mode" != "relaxed" ]; then
echo "ERROR: --mode needs to be either strict or relaxed" >&2
exit 1
elif [ "$mode" = "strict" ] && [ -f "$p/ensure-absent" ]; then
echo "ERROR: --mode strict automatically removes elements that are not in the ensure-present list. --ensure-absent is ment to be used with --mode relaxed" >&2
exit 1
elif [ "$state_should" = "absent" ] && \( [ -f "$p/ensure-present" ] || [ -f "$p/ensure-absent" ] \); then
echo "ERROR: ipset state absent is incompatible with --ensure-present or --ensure-absent" >&2
exit 1
fi
case $state_should in
present)
if [ "$state_is" = "absent" ]; then
@ -53,15 +66,29 @@ esac
if [ "$state_should" = "present" ]; then
if [ -f "$p/ensure-present" ]; then
# add elements that we want to ensure are present but are not currently in the set:
while read -r value; do
if ! grep -qFx "$value" "$e/content"; then
echo "ipset -! add $name $value"
needToSave=1
fi
done < "$p/ensure-present"
# if strict mode is required, then remove any other elements in the set that that are not specified by ensure-present
if [ "$mode" = "strict" ]; then
while read -r value; do
if [ "$value" = "x_missing_x" ]; then continue; fi
if ! grep -qFx "$value" "$p/ensure-present"; then
echo "ipset -! del $name $value"
needToSave=1
fi
done < "$e/content"
fi
fi
if [ -f "$p/ensure-absent" ]; then
# ensure-absent makes sure we do not accidentally block particular elements
# if they are in the set then remove.
while read -r value; do
if grep -qFx "$value" "$e/content"; then
echo "ipset -! del $name $value"
@ -69,9 +96,6 @@ if [ "$state_should" = "present" ]; then
fi
done < "$p/ensure-absent"
fi
elif [ "$state_should" = "absent" ] && \( [ -f "$p/ensure-present" ] || [ -f "$p/ensure-absent" ] \); then
echo "Error: ipset state absent is incompatible with --ensure-present or --ensure-absent" >&2
exit 1
fi
if [ $needToSave -ne 0 ]; then
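Review bot: The `\( … \)` grouping in the new `elif [ "$state_should" = "absent" ] && \( … \)` line of the first hunk is not shell grouping: outside a `[ … ]` test, `\(` is an ordinary word, so the shell looks for a command named `(`, the compound evaluates false every time (with a command-not-found on stderr), and the "state absent is incompatible" error can never fire — assuming the backslashes are in the source and not a rendering artefact. The third hunk removes the same construct, so the commit moves the defect rather than introducing it. Brace grouping does what was intended: `elif [ "$state_should" = "absent" ] && { [ -f "$p/ensure-present" ] || [ -f "$p/ensure-absent" ]; }; then`. In the strict-mode deletion loop, `x_missing_x` is presumably the value the content explorer emits when the set does not exist yet; a comment such as `# explorer reports x_missing_x when the set does not exist yet — nothing to delete` would make the sentinel readable, and `grep -qFx -- "$value"` keeps an element that starts with `-` from being parsed as a grep option.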


@ -9,10 +9,6 @@ DESCRIPTION
-----------
Making use of ipset sets in iptable rules can make your rules more expressive, maintainable and efficient.
.. note::
The defined sets are not exclusive. i.e. this type will ensure the given entries are present/absent, but there might be
other elements in the set that are not defined through cdist.
REQUIRED PARAMETERS
-------------------
type
@ -32,6 +28,12 @@ ensure-absent
Can be used multiple times.
mode
Can be:
- ``strict``: ensure only the specified elements in the set are present.
- ``relaxed``: ensure that the elements specified are in the set, but allow for other elements to co-exist.
state
Can be:
@ -50,12 +52,15 @@ EXAMPLES
# Make sure a set with the given name/type exists:
__ipset testset1 --type hash:ip
# ensure only the given ip address is in the allowed vnc set:
__ipset allowed_vnc --type hash:ip --ensure-present 10.1.1.1
# Ensure allowed_ssh_clients contains at least the specified private range:
__ipset allowed_ssh_hosts --type hash:net \
__ipset allowed_ssh_hosts --type hash:net --mode relaxed \
--ensure-present 192.168.0.0/24 --ensure-present 10.0.0.0/8
# Make sure host is not on the blocked list:
__ipset blocked_hosts --type hash:ip \
__ipset blocked_hosts --type hash:ip --mode relaxed \
--ensure-absent 1.2.3.4


@ -0,0 +1 @@
strict


@ -1 +1,2 @@
state
mode