From a2e96ac435cd8fa98fad2edade8d5798fcb8d57f Mon Sep 17 00:00:00 2001
From: Jake Guffey
Date: Wed, 19 Sep 2012 14:50:28 -0400
Subject: [PATCH 1/6] Initial commit
Broke old __pf type into __pf_*
Initial commit of __pf_ruleset type with basic logic
---
conf/type/__pf_ruleset/explorer/cksum | 43 +++++++++++++
conf/type/__pf_ruleset/explorer/rcvar | 36 +++++++++++
conf/type/__pf_ruleset/gencode-local | 74 +++++++++++++++++++++++
conf/type/__pf_ruleset/gencode-remote | 41 +++++++++++++
conf/type/__pf_ruleset/man.text | 51 ++++++++++++++++
conf/type/__pf_ruleset/parameter/optional | 1 +
conf/type/__pf_ruleset/parameter/required | 1 +
conf/type/__pf_ruleset/singleton | 0
8 files changed, 247 insertions(+)
create mode 100755 conf/type/__pf_ruleset/explorer/cksum
create mode 100755 conf/type/__pf_ruleset/explorer/rcvar
create mode 100644 conf/type/__pf_ruleset/gencode-local
create mode 100644 conf/type/__pf_ruleset/gencode-remote
create mode 100644 conf/type/__pf_ruleset/man.text
create mode 100644 conf/type/__pf_ruleset/parameter/optional
create mode 100644 conf/type/__pf_ruleset/parameter/required
create mode 100644 conf/type/__pf_ruleset/singleton
diff --git a/conf/type/__pf_ruleset/explorer/cksum b/conf/type/__pf_ruleset/explorer/cksum
new file mode 100755
index 00000000..372e9193
--- /dev/null
+++ b/conf/type/__pf_ruleset/explorer/cksum 
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+# See if file exists and if so, get checksum
+
+RC="/etc/rc.conf"
+TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+PFCONF="${TMP:-"/etc/pf.conf"}"
+
+if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
+ cksum -o 1 ${PFCONF} | cut -d= -f2 | sed 's/ //g'
+else # the pf config file doesn't exist
+ echo NOTEXIST
+fi
+
+# Debug
+#set +x
+
diff --git a/conf/type/__pf_ruleset/explorer/rcvar b/conf/type/__pf_ruleset/explorer/rcvar
new file mode 100755
index 00000000..20e9dfcc
--- /dev/null
+++ b/conf/type/__pf_ruleset/explorer/rcvar 
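Review bot: The header comment promises "the 256 bit SHA2 checksum", but the pipeline on the `+ cksum` line runs `cksum -o 1`, the historic BSD 16-bit sum, whose output (`sum blocks file`) contains no `=` for `cut -d= -f2` to split on; the comment and the tool disagree, and a 16-bit sum is a weak change detector for a firewall ruleset. Either correct the comment or have this explorer and the locally computed `currentSum` in gencode-local use the same SHA-256 tool (e.g. `sha256 -q` where the BSD provides it). `${RC}` and `${PFCONF}` are also expanded unquoted; `grep '^pf_rules=' "${RC}"` and `cksum -o 1 "${PFCONF}"` avoid word splitting and globbing on the path. The `sed 's/"//g'` step strips only double quotes, so a single-quoted `pf_rules='...'` in rc.conf would leave the quotes in the path and the `-f` test would fail.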
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Get the location of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+
+RC="/etc/rc.conf"
+PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+echo ${PFCONF:-"/etc/pf.conf"}
+
+# Debug
+#set +x
+
diff --git a/conf/type/__pf_ruleset/gencode-local b/conf/type/__pf_ruleset/gencode-local
new file mode 100644
index 00000000..7c2f877e
--- /dev/null
+++ b/conf/type/__pf_ruleset/gencode-local 
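Review bot: `echo ${PFCONF:-"/etc/pf.conf"}` expands the path unquoted, so a value with spaces or glob characters is split and globbed before it is printed; `printf '%s\n' "${PFCONF:-/etc/pf.conf}"` prints it verbatim, and `grep '^pf_rules=' "${RC}"` on the line above should be quoted the same way. If rc.conf assigns `pf_rules=` more than once, grep returns every match and the explorer emits a multi-line value, whereas sh would honour the last assignment; piping through `tail -n 1` would match that. The same rc.conf parsing appears in the cksum explorer of this commit, so the two copies need to be kept in step or they will disagree about which file is checksummed.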
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Manage pf(4) on *BSD
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Send files to $__target_host via $__remote_copy
+
+uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
+state=$(cat "$__object/parameter/state")
+
+if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do
+ exit 0
+fi
+
+if [ -f "$__object/parameter/source" ]; then
+ source=$(cat "$__object/parameter/source")
+fi
+
+rcvar=$(cat "$__object/explorer/rcvar")
+cksum=$(cat "$__object/explorer/cksum")
+
+
+cat <&2
+ exit 1
+ ;;
+esac
+
+if [ ! "${cksum}" = "NOTEXIST" ]; then
+ if [ ! "\${currentSum}" = "${cksum}" ]; then
+ $__remote_copy "${source}" "$__target_host:${rcvar}.new"
+ fi
+else # File just doesn't exist yet
+ $__remote_copy "${source}" "$__target_host:${rcvar}.new"
+fi
+
+if [ -n "${testscript}" ]; then
+ $__remote_copy "${testscript}" "$__target_host:${rcvar}.test"
+fi
+EOF
+
diff --git a/conf/type/__pf_ruleset/gencode-remote b/conf/type/__pf_ruleset/gencode-remote
new file mode 100644
index 00000000..56aee3cb
--- /dev/null
+++ b/conf/type/__pf_ruleset/gencode-remote 
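Review bot: `rcvar` comes from the target's /etc/rc.conf via the explorer and is then interpolated, unescaped, into a heredoc that expands variables (the `\${currentSum}` escaping shows it does) and whose output runs on the cdist host (`$__remote_copy "${source}" "$__target_host:${rcvar}.new"`); the explorer strips only `"` characters, so a `pf_rules` value containing `$(…)`, backquotes or a stray quote is expanded on the controller or breaks the generated script, which turns a compromised target into a path back to the cdist host. Explorer output should be treated as untrusted and validated before the `cat <<` line, e.g. `case "${rcvar}" in` / `/*[!A-Za-z0-9/._-]*|[!/]*|"") printf 'unexpected pf_rules value from explorer: %s\n' "${rcvar}" >&2; exit 1 ;;` / `esac`. The gencode-remote file added in this same commit builds `rm`/`mv` commands from the same variable and needs the same check. The `case` block between `cat <<` and `>&2` is not legible in this copy, so the `currentSum` computation is not reviewed here.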
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Manage pf(4) on *BSD
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Remove ${rcvar} in the case of --state absent
+
+state=$(cat "$__object/parameter/state")
+
+if [ ! "$state" = "absent" ]; then # There is nothing more for a *remote* script to do
+ exit 0
+fi
+
+rcvar=$(cat "$__object/explorer/rcvar")
+
+# --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
+echo rm \"${rcvar}.new\"
+echo mv \"${rcvar}\" \"${rcvar.old}\"
+
diff --git a/conf/type/__pf_ruleset/man.text b/conf/type/__pf_ruleset/man.text
new file mode 100644
index 00000000..68601fad
--- /dev/null
+++ b/conf/type/__pf_ruleset/man.text 
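Review bot: With `--state absent` the generated code only renames the ruleset file to `${rcvar}.old`, which leaves whatever rules pf currently has loaded in the kernel untouched, while man.text in this same commit describes "absent" as "no ruleset at all"; a reader of the man page will expect the firewall to be emptied. If loading and flushing are meant to live in a sibling `__pf_*` type (the commit message says the old `__pf` type was split), man.text should say so; otherwise the absent branch also has to flush the loaded rules. `mv` also silently overwrites any existing `${rcvar}.old`, so the previous backup is lost on the second run; a check that `${rcvar}.old` does not already exist, or a dated suffix, would preserve it.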
@@ -0,0 +1,51 @@
+cdist-type__pf_ruleset(7)
+==================================
+Jake Guffey
+
+
+NAME
+----
+cdist-type__pf_ruleset - Copy a pf(4) ruleset to $__target_host
+
+
+DESCRIPTION
+-----------
+This type is used on *BSD systems to manage the pf firewall's ruleset.
+
+
+REQUIRED PARAMETERS
+-------------------
+state::
+ Either "absent" (no ruleset at all) or "present"
+
+
+OPTIONAL PARAMETERS
+-------------------
+source::
+ If supplied, use to define the ruleset to load onto the $__target_host for pf(4).
+ Note that this type is almost useless without a ruleset defined, but it's technically not
+ needed, e.g. for the case of disabling the firewall temporarily.
+
+EXAMPLES
+--------
+
+--------------------------------------------------------------------------------
+# Remove the current ruleset in place
+__pf_ruleset --state absent
+
+# Enable the firewall with the ruleset defined in $__manifest/files/pf.conf
+__pf_ruleset --state present --source $__manifest/files/pf.conf
+
+--------------------------------------------------------------------------------
+
+
+SEE ALSO
+--------
+- cdist-type(7)
+- pf(4)
+
+
+COPYING
+-------
+Copyright \(C) 2012 Jake Guffey. Free use of this software is
+granted under the terms of the GNU General Public License version 3 (GPLv3).
diff --git a/conf/type/__pf_ruleset/parameter/optional b/conf/type/__pf_ruleset/parameter/optional
new file mode 100644
index 00000000..5a18cd2f
--- /dev/null
+++ b/conf/type/__pf_ruleset/parameter/optional
@@ -0,0 +1 @@
+source
diff --git a/conf/type/__pf_ruleset/parameter/required b/conf/type/__pf_ruleset/parameter/required
new file mode 100644
index 00000000..ff72b5c7
--- /dev/null
+++ b/conf/type/__pf_ruleset/parameter/required
@@ -0,0 +1 @@
+state
diff --git a/conf/type/__pf_ruleset/singleton b/conf/type/__pf_ruleset/singleton
new file mode 100644
index 00000000..e69de29b
From 205f32c78bcedd5f4291457753b7250f1ec95e7c Mon Sep 17 00:00:00 2001 
From: Jake Guffey
Date: Wed, 19 Sep 2012 16:37:18 -0400
Subject: [PATCH 2/6] Fixed generated code and explorer
Generated code needed subshell escaped
Explorer wasn't parsing output of cksum properly
---
conf/type/__pf_ruleset/explorer/cksum | 2 +-
conf/type/__pf_ruleset/gencode-local | 13 ++++++-------
2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/conf/type/__pf_ruleset/explorer/cksum b/conf/type/__pf_ruleset/explorer/cksum
index 372e9193..ce188ba0 100755
--- a/conf/type/__pf_ruleset/explorer/cksum
+++ b/conf/type/__pf_ruleset/explorer/cksum
@@ -33,7 +33,7 @@ TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
 PFCONF="${TMP:-"/etc/pf.conf"}"
 if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
- cksum -o 1 ${PFCONF} | cut -d= -f2 | sed 's/ //g'
+ cksum -o 1 ${PFCONF} | cut -d= -f2 | awk '{print $1}'
 else # the pf config file doesn't exist
 echo NOTEXIST
 fi
diff --git a/conf/type/__pf_ruleset/gencode-local b/conf/type/__pf_ruleset/gencode-local
index 7c2f877e..b1ee6a14 100644
--- a/conf/type/__pf_ruleset/gencode-local
+++ b/conf/type/__pf_ruleset/gencode-local
@@ -45,13 +45,13 @@ cksum=$(cat "$__object/explorer/cksum")
 cat <&2
@@ -66,9 +66,8 @@ if [ ! "${cksum}" = "NOTEXIST" ]; then
 else # File just doesn't exist yet
 $__remote_copy "${source}" "$__target_host:${rcvar}.new"
 fi
-
-if [ -n "${testscript}" ]; then
- $__remote_copy "${testscript}" "$__target_host:${rcvar}.test"
-fi
 EOF
+# Debug
+#exec +x
+
From 34ca94ffa2716404d456a095c65f6c88fdbb004c Mon Sep 17 00:00:00 2001
From: Jake Guffey
Date: Wed, 19 Sep 2012 17:10:48 -0400
Subject: [PATCH 3/6] Fix typo referenced ${rcvar.old} rather than ${rcvar}.old
---
conf/type/__pf_ruleset/gencode-remote | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/type/__pf_ruleset/gencode-remote b/conf/type/__pf_ruleset/gencode-remote
index 56aee3cb..b35c47c4 100644
--- a/conf/type/__pf_ruleset/gencode-remote
+++ b/conf/type/__pf_ruleset/gencode-remote 
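Review bot: Replacing `sed 's/ //g'` with `awk '{print $1}'` on the `+ cksum` line fixes the parsing, but it also shows that the `cut -d= -f2` stage in the same pipeline is a no-op: `cksum -o 1` prints `sum blocks file` with no `=`, so cut passes the whole line through, and if the ruleset path ever contained an `=` cut would truncate the line before awk sees it. The stage reads more honestly as `cksum -o 1 "${PFCONF}" | awk '{print $1}'`, which also quotes `${PFCONF}`.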
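Review bot: The new debug footer on the `+#exec +x` line does not mirror the `#set -x` header at the top of this file: if someone uncomments it while debugging, it will try to `exec` a program named `+x` instead of switching tracing off, and the script would be replaced by that failed exec. It should read `#set +x`, as the two explorers in this series already do. Dropping the `testscript` block is fine, since nothing in this file assigns that variable. The first hunk of this file (`@@ -45,13`) is not legible in this copy and is not reviewed.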
@@ -37,5 +37,5 @@ rcvar=$(cat "$__object/explorer/rcvar")
 # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
 echo rm \"${rcvar}.new\"
-echo mv \"${rcvar}\" \"${rcvar.old}\"
+echo mv \"${rcvar}\" \"${rcvar}.old\"
From a1793f66ff8445298c8b86b523e073f374cb80ac Mon Sep 17 00:00:00 2001
From: Jake Guffey
Date: Wed, 19 Sep 2012 17:16:00 -0400
Subject: [PATCH 4/6] Add logic to check for existence of files before interacting with them
if ${rcvar} or ${rcvar}.new don't exist, we can't rm/mv them.
---
conf/type/__pf_ruleset/gencode-remote | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/type/__pf_ruleset/gencode-remote b/conf/type/__pf_ruleset/gencode-remote
index b35c47c4..4018bbd7 100644
--- a/conf/type/__pf_ruleset/gencode-remote
+++ b/conf/type/__pf_ruleset/gencode-remote
@@ -36,6 +36,6 @@ fi
 rcvar=$(cat "$__object/explorer/rcvar")
 # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
-echo rm \"${rcvar}.new\"
-echo mv \"${rcvar}\" \"${rcvar}.old\"
+echo "[ -f \"${rcvar}.new\" ] && rm \"${rcvar}.new\""
+echo "[ -f \"${rcvar}\" ] && mv \"${rcvar}\" \"${rcvar}.old\""
From d77c67b56f95789c731bd6827ee480dfedcf793f Mon Sep 17 00:00:00 2001
From: Jake Guffey
Date: Wed, 19 Sep 2012 17:27:40 -0400
Subject: [PATCH 5/6] set -e doesn't like [ blah ] && blah syntax
changed to if [ blah ]; then blah; fi format
migrated echo usage to cat with HEREDOC to improve readability
---
conf/type/__pf_ruleset/gencode-remote | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/conf/type/__pf_ruleset/gencode-remote b/conf/type/__pf_ruleset/gencode-remote
index 4018bbd7..e5eece64 100644
--- a/conf/type/__pf_ruleset/gencode-remote
+++ b/conf/type/__pf_ruleset/gencode-remote 
@@ -36,6 +36,12 @@ fi
 rcvar=$(cat "$__object/explorer/rcvar")
 # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
-echo "[ -f \"${rcvar}.new\" ] && rm \"${rcvar}.new\""
-echo "[ -f \"${rcvar}\" ] && mv \"${rcvar}\" \"${rcvar}.old\""
+cat <
Date: Fri, 21 Sep 2012 10:06:16 -0400
Subject: [PATCH 6/6] Implement Nico's suggestions
Modified behavior of cksum explorer to print nothing if the file doesn't exist
Modified gencode-local to reflect cksum's new behavior
Modified gencode-remote to check states explicitly and error on invalid state.
---
conf/type/__pf_ruleset/explorer/cksum | 2 --
conf/type/__pf_ruleset/gencode-local | 2 +-
conf/type/__pf_ruleset/gencode-remote | 28 ++++++++++++++-------------
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/conf/type/__pf_ruleset/explorer/cksum b/conf/type/__pf_ruleset/explorer/cksum
index ce188ba0..f8679836 100755
--- a/conf/type/__pf_ruleset/explorer/cksum
+++ b/conf/type/__pf_ruleset/explorer/cksum
@@ -34,8 +34,6 @@ PFCONF="${TMP:-"/etc/pf.conf"}"
 if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
 cksum -o 1 ${PFCONF} | cut -d= -f2 | awk '{print $1}'
-else # the pf config file doesn't exist
- echo NOTEXIST
 fi
 # Debug
diff --git a/conf/type/__pf_ruleset/gencode-local b/conf/type/__pf_ruleset/gencode-local
index b1ee6a14..c2495509 100644
--- a/conf/type/__pf_ruleset/gencode-local
+++ b/conf/type/__pf_ruleset/gencode-local
@@ -59,7 +59,7 @@ case $uname in
 ;;
 esac
-if [ ! "${cksum}" = "NOTEXIST" ]; then
+if [ -n "${cksum}" ]; then
 if [ ! "\${currentSum}" = "${cksum}" ]; then
 $__remote_copy "${source}" "$__target_host:${rcvar}.new"
 fi
diff --git a/conf/type/__pf_ruleset/gencode-remote b/conf/type/__pf_ruleset/gencode-remote
index e5eece64..6e9030ea 100644
--- a/conf/type/__pf_ruleset/gencode-remote
+++ b/conf/type/__pf_ruleset/gencode-remote 
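Review bot: Dropping the `else` branch makes "no output" mean "file absent", but the pipeline in the `if` branch also produces no output when `cksum` itself fails (an unreadable file, for instance), because the pipeline's exit status is awk's and nothing checks it; gencode-local in this same commit then reads the empty value as "doesn't exist yet" and pushes a fresh copy over the file. Capturing the checksum first keeps the two cases apart and lets cdist report the explorer failure: `sum=$(cksum -o 1 "${PFCONF}") || exit 1` followed by `printf '%s\n' "${sum%% *}"`, which also quotes `${PFCONF}` and removes the no-op `cut -d= -f2`.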
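Review bot: `if [ -n "${cksum}" ]` now covers the missing-file case, but neither branch below checks that `source` is set: the parameter is optional (`parameter/optional` and man.text both say so), and when it is omitted `source` is never assigned, so the generated script still runs `$__remote_copy "" "$__target_host:${rcvar}.new"`, which with an scp-style copy fails on an empty path at best. A guard before the heredoc such as `if [ -z "${source}" ]; then exit 0; fi` (or an explicit error if `present` is meant to require a ruleset) is missing; the `if [ -f "$__object/parameter/source" ]` block that sets `source` lies outside this hunk.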
@@ -28,20 +28,22 @@
 # Remove ${rcvar} in the case of --state absent
 state=$(cat "$__object/parameter/state")
-
-if [ ! "$state" = "absent" ]; then # There is nothing more for a *remote* script to do
- exit 0
-fi
-
 rcvar=$(cat "$__object/explorer/rcvar")
-# --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
-cat <&2
+ exit 1
+fi