From 08aa7d8e8315652dbe86b6e8ad56227a28e80d3d Mon Sep 17 00:00:00 2001
From: Jake Guffey <jake.guffey@eprotex.com>
Date: Wed, 19 Sep 2012 16:15:06 -0400
Subject: [PATCH] Fleshed out gencode-remote logic

Added logic into gencode-remote to enable/disable pf
Added logic into gencode-remote to apply the new ruleset if necessary
Added explorer to find ${rcvar}
---
 conf/type/__pf_apply/explorer/rcvar | 36 +++++++++++++++++++++++++++++
 conf/type/__pf_apply/gencode-remote | 22 +++++++++++++++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100755 conf/type/__pf_apply/explorer/rcvar

diff --git a/conf/type/__pf_apply/explorer/rcvar b/conf/type/__pf_apply/explorer/rcvar
new file mode 100755
index 00000000..20e9dfcc
--- /dev/null
+++ b/conf/type/__pf_apply/explorer/rcvar
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+# Get the location of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+
+RC="/etc/rc.conf"
+PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+echo ${PFCONF:-"/etc/pf.conf"}
+
+# Debug
+#set +x
+
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 309eb12d..83529859 100755
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -25,8 +25,28 @@
 #exec >&2
 #set -x
 
+rcvar=$(cat "$__object/explorer/rcvar")
+
 cat <<EOF
-if [ "$
+if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
+   pfctl -d
+   # Cleanup
+   rm -f "${rcvar}.old
+   # This file shouldn't exist, but just in case...
+   [ -f "${rcvar}" ] && rm -f "${rcvar}"
+elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
+   # Ensure that pf is enabled in the first place
+   pfctl -e
+   pfctl -f "${rcvar}"
+   ret="$?"
+   # Cleanup
+   rm -f "${rcvar}.old
+   # This file shouldn't exist, but just in case...
+   [ -f "${rcvar}" ] && rm -f "${rcvar}"
+   if [ "$ret" -ne "0" ]; then # failed to configure new ruleset
+      echo "Failed to configure the new ruleset on ${__target_host}\!" >&2
+   fi
+fi
 EOF
 
 # Debug