From c551bbbb692e03d3035165f7798c85e9cb76c8b9 Mon Sep 17 00:00:00 2001 From: Jake Guffey Date: Wed, 19 Sep 2012 15:49:36 -0400 Subject: [PATCH 01/10] Initial commit Initial commit of __pf_apply type before actually creating logic --- conf/type/__pf_apply/gencode-remote | 34 +++++++++++++++++++ conf/type/__pf_apply/man.text | 52 +++++++++++++++++++++++++++++ conf/type/__pf_apply/singleton | 0 3 files changed, 86 insertions(+) create mode 100755 conf/type/__pf_apply/gencode-remote create mode 100644 conf/type/__pf_apply/man.text create mode 100644 conf/type/__pf_apply/singleton
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
new file mode 100755
index 00000000..309eb12d
--- /dev/null
+++ b/conf/type/__pf_apply/gencode-remote
@@ -0,0 +1,34 @@ +#!/bin/sh +# +# 2012 Jake Guffey (jake.guffey at eprotex.com) +# +# This file is part of cdist. +# +# cdist is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# cdist is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with cdist. If not, see . +# +# +# Apply pf(4) ruleset on *BSD +# + +# Debug +#exec >&2 +#set -x + +cat < + + +NAME +---- +cdist-type__pf_apply - Apply pf(4) ruleset on *BSD + + +DESCRIPTION +----------- +This type is used on *BSD systems to manage the pf firewall's active ruleset. + + +REQUIRED PARAMETERS +------------------- +NONE + + +OPTIONAL PARAMETERS +------------------- +NONE + + +EXAMPLES +-------- + +-------------------------------------------------------------------------------- +# Modify the ruleset on $__target_host: +__pf_ruleset --state present --source /my/pf/ruleset.conf +require="__pf_ruleset" \ + __pf_apply + +# Remove the ruleset on $__target_host (implies disabling pf(4): +__pf_ruleset --state absent +require="__pf_ruleset" \ + __pf_apply +-------------------------------------------------------------------------------- + + +SEE ALSO +-------- +- cdist-type(7) +- cdist-type__pf_ruleset(7) +- pf(4) + + +COPYING +------- +Copyright \(C) 2012 Jake Guffey. Free use of this software is +granted under the terms of the GNU General Public License version 3 (GPLv3). diff --git a/conf/type/__pf_apply/singleton b/conf/type/__pf_apply/singleton new file mode 100644 index 00000000..e69de29b From 08aa7d8e8315652dbe86b6e8ad56227a28e80d3d Mon Sep 17 00:00:00 2001 
From: Jake Guffey Date: Wed, 19 Sep 2012 16:15:06 -0400 Subject: [PATCH 02/10] Fleshed out gencode-remote logic Added logic into gencode-remote to enable/disable pf Added logic into gencode-remote to apply the new ruleset if necessary Added explorer to find ${rcvar} --- conf/type/__pf_apply/explorer/rcvar | 36 +++++++++++++++++++++++++++++ conf/type/__pf_apply/gencode-remote | 22 +++++++++++++++++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100755 conf/type/__pf_apply/explorer/rcvar
diff --git a/conf/type/__pf_apply/explorer/rcvar b/conf/type/__pf_apply/explorer/rcvar
new file mode 100755
index 00000000..20e9dfcc
--- /dev/null
+++ b/conf/type/__pf_apply/explorer/rcvar
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# 2012 Jake Guffey (jake.guffey at eprotex.com)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+#
+# Get the location of the pf ruleset on the target host.
+#
+
+# Debug
+#exec >&2
+#set -x
+
+# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
+
+RC="/etc/rc.conf"
+PFCONF="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
+echo ${PFCONF:-"/etc/pf.conf"}
+
+# Debug
+#set +x
+
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 309eb12d..83529859 100755
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
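Review bot: `echo ${PFCONF:-"/etc/pf.conf"}` on the explorer's last code line prints the path unquoted, so a value containing spaces or glob characters is word-split and globbed before gencode-remote reads it, and `${RC}` in the grep call is unquoted in the same way. rc.conf is sh syntax, and the grep/cut/sed chain only handles the literal `pf_rules="path"` form: a single-quoted value, a trailing `# comment`, or a second `pf_rules=` line (the last assignment wins in sh, but every match is printed here) yields a wrong or multi-word path that the generated script then uses verbatim. Use `printf '%s\n' "${PFCONF:-/etc/pf.conf}"` and `grep '^pf_rules=' "${RC}"`, and keep only the last match (`tail -n 1`) before stripping the quotes. Because this output is spliced into the heredoc in gencode-remote, reducing it to a plain path is what keeps that generated script well-formed.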
@@ -25,8 +25,28 @@ #exec >&2 #set -x +rcvar=$(cat "$__object/explorer/rcvar") + cat <&2 + fi +fi EOF # Debug From 995265d4a64df5d57cdaa61ca841cc49c3d1b440 Mon Sep 17 00:00:00 2001 From: Jake Guffey Date: Wed, 19 Sep 2012 16:42:15 -0400 Subject: [PATCH 03/10] Allow pfctl -[de] to return 1 If pf is already enabled or disabled and we try to enable/disable it again, it returns 1. --- conf/type/__pf_apply/gencode-remote | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote index 83529859..72200b59 100755 --- a/conf/type/__pf_apply/gencode-remote +++ b/conf/type/__pf_apply/gencode-remote @@ -29,6 +29,8 @@ rcvar=$(cat "$__object/explorer/rcvar") cat < Date: Wed, 19 Sep 2012 17:00:22 -0400 Subject: [PATCH 04/10] Fix typo Generated code had unterminated string in first check, causing future check to fail --- conf/type/__pf_apply/gencode-remote | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote index 72200b59..aa3864b0 100755 --- a/conf/type/__pf_apply/gencode-remote +++ b/conf/type/__pf_apply/gencode-remote @@ -33,7 +33,7 @@ if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf # If it already is disabled, pfctl -d returns 1, go on with life pfctl -d # Cleanup - rm -f "${rcvar}.old + rm -f "${rcvar}.old" # This file shouldn't exist, but just in case... [ -f "${rcvar}" ] && rm -f "${rcvar}" elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it 
@@ -43,12 +43,15 @@ elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
 pfctl -f "${rcvar}"
 ret="$?"
 # Cleanup
- rm -f "${rcvar}.old
+ rm -f "${rcvar}.old"
 # This file shouldn't exist, but just in case...
 [ -f "${rcvar}" ] && rm -f "${rcvar}"
 if [ "$ret" -ne "0" ]; then # failed to configure new ruleset
- echo "Failed to configure the new ruleset on ${__target_host}\!" >&2
+ echo "Failed to configure the new ruleset on ${__target_host}!" >&2
 fi
+else # neither ${rcvar}.old nor ${rcvar}.new exist? error.
+ echo "Neither ${rcvar}.old nor ${rcvar}.new exist! Something is wrong." >&2
+ exit 1
 fi
 EOF
From 629f751726e61ff77ef8ec344e66031c37c0bc50 Mon Sep 17 00:00:00 2001 From: Jake Guffey Date: Wed, 19 Sep 2012 17:04:03 -0400 Subject: [PATCH 05/10] Removed ${rcvar} but never renamed ${rcvar}.new Was trying to load ${rcvar} into pf, but couldn't because new ruleset was never renamed. --- conf/type/__pf_apply/gencode-remote | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index aa3864b0..9288d3e2 100755
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -39,13 +39,14 @@ if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
 elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
 # Ensure that pf is enabled in the first place
 # If it already is enabled, pfctl -e returns 1, go on with life
+ [ -f "${rcvar}" ] && rm -f "${rcvar}"
+ mv "${rcvar}.new" "${rcvar}"
 pfctl -e || true
 pfctl -f "${rcvar}"
 ret="$?"
 # Cleanup
+ # This file shouldn't exist, but just in case
 rm -f "${rcvar}.old"
- # This file shouldn't exist, but just in case...
- [ -f "${rcvar}" ] && rm -f "${rcvar}"
 if [ "$ret" -ne "0" ]; then # failed to configure new ruleset
 echo "Failed to configure the new ruleset on ${__target_host}!" >&2
 fi
From 269b9eff84316b9390bf428dc523d98e42091f0d Mon Sep 17 00:00:00 2001
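Review bot: The added `mv "${rcvar}.new" "${rcvar}"` runs before the existing `pfctl -f "${rcvar}"`, so when pf rejects the new ruleset the rejected file has already replaced the live one, `${rcvar}.new` is gone, and the cleanup `rm -f "${rcvar}.old"` a few lines below deletes any saved copy regardless of `ret`; the host is left with a ruleset file pf will not load and nothing to roll back to. Parse the candidate first and rename only on success, e.g. `pfctl -nf "${rcvar}.new" || exit 1` ahead of the `mv`, and defer the `.old` removal until the live load has returned 0. The `[ -f "${rcvar}" ] && rm -f "${rcvar}"` guard added above the `mv` is redundant, since `mv` already replaces an existing regular file.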
From: Jake Guffey Date: Wed, 19 Sep 2012 17:07:56 -0400 Subject: [PATCH 06/10] Escape inner variable ret was being set and checked in generated code but the $ wasn't being escaped --- conf/type/__pf_apply/gencode-remote | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 9288d3e2..5a027984 100755
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -47,12 +47,9 @@ elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
 # Cleanup
 # This file shouldn't exist, but just in case
 rm -f "${rcvar}.old"
- if [ "$ret" -ne "0" ]; then # failed to configure new ruleset
+ if [ "\$ret" -ne "0" ]; then # failed to configure new ruleset
 echo "Failed to configure the new ruleset on ${__target_host}!" >&2
 fi
-else # neither ${rcvar}.old nor ${rcvar}.new exist? error.
- echo "Neither ${rcvar}.old nor ${rcvar}.new exist! Something is wrong." >&2
- exit 1
 fi
 EOF
From 7a67f8bc16e75330d95a11a3b35ab354dbdbad51 Mon Sep 17 00:00:00 2001 From: Jake Guffey Date: Wed, 19 Sep 2012 17:18:45 -0400 Subject: [PATCH 07/10] Make code match up with comments If pf was already disabled, the code would exit upon trying to disable it again --- conf/type/__pf_apply/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 5a027984..94d02b3b 100755
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -31,7 +31,7 @@ cat < Date: Wed, 19 Sep 2012 17:33:42 -0400 Subject: [PATCH 08/10] Migrate conditional syntax set -e doesn't like [ X ] && Y syntax, migrate to if [ X ]; then Y; fi --- conf/type/__pf_apply/gencode-remote | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 94d02b3b..1185696f 100755
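Review bot: The escaped `\$ret` on the added line is compared with a value the generated script never computes: the assignment `ret="$?"` sits one line above this hunk (visible as context in PATCH 05/10) and is still unescaped, so the generating shell substitutes its own exit status when it writes the heredoc — the commit's need to escape `\$ret` shows the delimiter is unquoted — and the target runs something like `ret="0"` no matter what `pfctl -f` returned. Escape the assignment as well, `ret="\$?"`, or test the command directly with `if ! pfctl -f "${rcvar}"; then`. PATCH 10/10 later in this series drops `ret` and tests `\$?` on the line right after `pfctl -f`, which resolves this. The enclosing `if`/`elif` block starts above this hunk.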
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -35,11 +35,15 @@ if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
 # Cleanup
 rm -f "${rcvar}.old"
 # This file shouldn't exist, but just in case...
- [ -f "${rcvar}" ] && rm -f "${rcvar}"
+ if [ -f "${rcvar}" ]; then
+ rm -f "${rcvar}"
+ fi
 elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
 # Ensure that pf is enabled in the first place
 # If it already is enabled, pfctl -e returns 1, go on with life
- [ -f "${rcvar}" ] && rm -f "${rcvar}"
+ if [ -f "${rcvar}" ];
+ rm -f "${rcvar}"
+ fi
 mv "${rcvar}.new" "${rcvar}"
 pfctl -e || true
 pfctl -f "${rcvar}"
From c01a7ebc456f5ec97b68c14384af4317c3baa301 Mon Sep 17 00:00:00 2001 From: Jake Guffey Date: Wed, 19 Sep 2012 17:37:19 -0400 Subject: [PATCH 09/10] Left out ; then --- conf/type/__pf_apply/gencode-remote | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 1185696f..3045ee60 100755
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -41,7 +41,7 @@ if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
 elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
 # Ensure that pf is enabled in the first place
 # If it already is enabled, pfctl -e returns 1, go on with life
- if [ -f "${rcvar}" ];
+ if [ -f "${rcvar}" ]; then
 rm -f "${rcvar}"
 fi
 mv "${rcvar}.new" "${rcvar}"
From 9a45333e82327a4754be0d54c3b083c717cf961e Mon Sep 17 00:00:00 2001 From: Jake Guffey Date: Fri, 21 Sep 2012 10:11:56 -0400 Subject: [PATCH 10/10] Implement Nico's suggestions Removed unnecessary code from gencode-remote --- conf/type/__pf_apply/gencode-remote | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/conf/type/__pf_apply/gencode-remote b/conf/type/__pf_apply/gencode-remote
index 3045ee60..f7c889b4 100755
--- a/conf/type/__pf_apply/gencode-remote
+++ b/conf/type/__pf_apply/gencode-remote
@@ -34,24 +34,13 @@ if [ -f "${rcvar}.old" ]; then # rcvar.old exists, we must need to disable pf
 pfctl -d || true
 # Cleanup
 rm -f "${rcvar}.old"
- # This file shouldn't exist, but just in case...
- if [ -f "${rcvar}" ]; then
- rm -f "${rcvar}"
- fi
 elif [ -f "${rcvar}.new" ]; then # rcvar.new exists, we must need to apply it
 # Ensure that pf is enabled in the first place
 # If it already is enabled, pfctl -e returns 1, go on with life
- if [ -f "${rcvar}" ]; then
- rm -f "${rcvar}"
- fi
 mv "${rcvar}.new" "${rcvar}"
 pfctl -e || true
 pfctl -f "${rcvar}"
- ret="$?"
- # Cleanup
- # This file shouldn't exist, but just in case
- rm -f "${rcvar}.old"
- if [ "\$ret" -ne "0" ]; then # failed to configure new ruleset
+ if [ "\$?" -ne "0" ]; then # failed to configure new ruleset
 echo "Failed to configure the new ruleset on ${__target_host}!" >&2
 fi
 fi
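Review bot: The new `if [ "\$?" -ne "0" ]` after `pfctl -f "${rcvar}"` only prints a message, so the generated script still exits 0 and cdist reports success while the ruleset was rejected and `${rcvar}` on disk now holds the file pf refused. If the generated code runs under `set -e`, as the message of PATCH 08/10 in this series implies, the test is also unreachable because the failing `pfctl -f` aborts the script before it. Test the command itself and fail explicitly: `if ! pfctl -f "${rcvar}"; then` with an `exit 1` after the echo. Enabling pf with `pfctl -e || true` before the rules are loaded also means that on a host with no ruleset loaded yet pf runs with an empty ruleset until the next line succeeds; loading first and enabling only after a successful load closes that window.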