Browse Source

Merge pull request #99 from jdguffey/__pf_apply

__pf_apply
2.0
Nico Schottelius 10 years ago
parent
commit
21ca688e63
  1. 36
      conf/type/__pf_apply/explorer/rcvar
  2. 51
      conf/type/__pf_apply/gencode-remote
  3. 52
      conf/type/__pf_apply/man.text
  4. 0
      conf/type/__pf_apply/singleton

36
conf/type/__pf_apply/explorer/rcvar

@ -0,0 +1,36 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Get the location of the pf ruleset on the target host.
#
# Debug
#exec >&2
#set -x
# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
RC="/etc/rc.conf"
PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
echo ${PFCONF:-"/etc/pf.conf"}
# Debug
#set +x

51
conf/type/__pf_apply/gencode-remote

@ -0,0 +1,51 @@
#!/bin/sh
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Apply pf(4) ruleset on *BSD
#
# Debug
#exec >&2
#set -x
rcvar=$(cat "$__object/explorer/rcvar")
cat <<EOF
if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
# Disable pf
# If it already is disabled, pfctl -d returns 1, go on with life
pfctl -d || true
# Cleanup
rm -f "${rcvar}.old"
elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
# Ensure that pf is enabled in the first place
# If it already is enabled, pfctl -e returns 1, go on with life
mv "${rcvar}.new" "${rcvar}"
pfctl -e || true
pfctl -f "${rcvar}"
if [ "\$?" -ne "0" ]; then # failed to configure new ruleset
echo "Failed to configure the new ruleset on ${__target_host}!" >&2
fi
fi
EOF
# Debug
#set +x

52
conf/type/__pf_apply/man.text

@ -0,0 +1,52 @@
cdist-type__pf_apply(7)
==================================
Jake Guffey <jake.guffey--@--eprotex.com>
NAME
----
cdist-type__pf_apply - Apply pf(4) ruleset on *BSD
DESCRIPTION
-----------
This type is used on *BSD systems to manage the pf firewall's active ruleset.
REQUIRED PARAMETERS
-------------------
NONE
OPTIONAL PARAMETERS
-------------------
NONE
EXAMPLES
--------
--------------------------------------------------------------------------------
# Modify the ruleset on $__target_host:
__pf_ruleset --state present --source /my/pf/ruleset.conf
require="__pf_ruleset" \
__pf_apply
# Remove the ruleset on $__target_host (implies disabling pf(4):
__pf_ruleset --state absent
require="__pf_ruleset" \
__pf_apply
--------------------------------------------------------------------------------
SEE ALSO
--------
- cdist-type(7)
- cdist-type__pf_ruleset(7)
- pf(4)
COPYING
-------
Copyright \(C) 2012 Jake Guffey. Free use of this software is
granted under the terms of the GNU General Public License version 3 (GPLv3).

0
conf/type/__pf_apply/singleton

Loading…
Cancel
Save