Merge branch 'evilham-pf' into 'master'

[__pf*] (~) __pf_ruleset (+)__pf_apply_anchor, deprecate __pf_apply

See merge request ungleich-public/cdist!867
This commit is contained in:
poljakowski 2020-04-26 09:59:24 +02:00
commit 8074f02bb3
7 changed files with 105 additions and 129 deletions

View file

@ -0,0 +1 @@
Consider moving to __pf_apply_anchor. Get in touch if you need __pf_apply.

View file

@ -1,6 +1,6 @@
#!/bin/sh
#!/bin/sh -e
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
# 2016 Kamila Součková (coding at kamila.is)
#
# This file is part of cdist.
#
@ -18,24 +18,16 @@
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
# Apply pf(4) ruleset on *BSD
#
# Debug
#exec >&2
#set -x
ANCHORS_DIR="/etc/pf.d"
# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
# See if file exists and if so, get checksum
RC="/etc/rc.conf"
TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
PFCONF="${TMP:-"/etc/pf.conf"}"
if [ -f "${PFCONF}" ]; then # The pf config file exists, find its cksum.
cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}'
if [ -f "${__object}/parameter/anchor_name" ]; then
anchor_name="$(cat "${__object}/parameter/anchor_name")"
else
anchor_name="${__object_id}"
fi
anchor_file="${ANCHORS_DIR}/${anchor_name}"
# Debug
#set +x
echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""

View file

@ -0,0 +1,62 @@
cdist-type__pf_apply_anchor(7)
==============================
NAME
----
cdist-type__pf_apply_anchor - Apply a pf(4) anchor on $__target_host
DESCRIPTION
-----------
This type is used on \*BSD systems to manage anchors for the pf firewall.
Notice this type does not take care of copying the ruleset, that must be
done by the user with, e.g. `__file`.
OPTIONAL PARAMETERS
-------------------
anchor_name
The name of the anchor to apply. If not set, `${__object_id}` is used.
This type requires `/etc/pf.d/${anchor_name}` to exist on
`$__target_host`.
EXAMPLES
--------
.. code-block:: sh
# Copy anchor file to ${__target_host}
__file "/etc/pf.d/80_dns" --source - <<EOF
# Managed remotely, changes will be lost
pass quick proto {tcp,udp} from any to any port domain
EOF
# Apply the anchor
require="__file/etc/pf.d/80_dns" __pf_apply_anchor 80_dns
# This is roughly equivalent to:
# pfctl -a "${anchor_name}" -f "/etc/pf.d/${anchor_name}"
SEE ALSO
--------
:strong:`pf`\ (4)
AUTHORS
-------
Evilham <contact--@--evilham.com>
Kamila Součková <coding--@--kamila.is>
Jake Guffey <jake.guffey--@--eprotex.com>
COPYING
-------
Copyright \(C) 2020 Evilham.
Copyright \(C) 2016 Kamila Součková.
Copyright \(C) 2012 Jake Guffey. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1 @@
anchor_name

View file

@ -1,81 +0,0 @@
#!/bin/sh -e
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
#
# This file is part of cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Manage pf(4) on *BSD
#
# Debug
#exec >&2
#set -x
# Send files to $__target_host via $__remote_copy
uname=$(uname) # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
state=$(cat "$__object/parameter/state")
if [ "$state" = "absent" ]; then # There is nothing more for a *local* script to do
exit 0
fi
if [ -f "$__object/parameter/source" ]; then
source=$(cat "$__object/parameter/source")
fi
rcvar=$(cat "$__object/explorer/rcvar")
cksum=$(cat "$__object/explorer/cksum")
cat <<EOF
case $uname in
Darwin)
currentSum=\$(cksum -o 1 ${source} | cut '-d ' -f1)
;;
Linux)
currentSum=\$(cksum ${source} | cut '-d ' -f1)
;;
FreeBSD)
currentSum=\$(cksum -o 1 ${source} | cut -d= -f2 | sed 's/ //g')
;;
*)
echo "Sorry, I do not know how to find a cksum on ${uname}." >&2
exit 1
;;
esac
# IPv6 fix
if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$')
then
my_target_host="[${__target_host}]"
else
my_target_host="${__target_host}"
fi
if [ -n "${cksum}" ]; then
if [ ! "\${currentSum}" = "${cksum}" ]; then
$__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
fi
else # File just doesn't exist yet
$__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
fi
EOF
# Debug
#exec +x

View file

@ -10,6 +10,9 @@ DESCRIPTION
-----------
This type is used on \*BSD systems to manage the pf firewall's ruleset.
It will also enable and disable the pf firewall as requested in the `state`
parameter.
REQUIRED PARAMETERS
-------------------
@ -20,9 +23,8 @@ state
OPTIONAL PARAMETERS
-------------------
source
If supplied, use to define the ruleset to load onto the $__target_host for pf(4).
Note that this type is almost useless without a ruleset defined, but it's technically not
needed, e.g. for the case of disabling the firewall temporarily.
Required when state is "present".
Defines the ruleset to load onto the $__target_host for `pf(4)`.
EXAMPLES
@ -30,10 +32,10 @@ EXAMPLES
.. code-block:: sh
# Remove the current ruleset in place
# Remove the current ruleset in place and disable pf
__pf_ruleset --state absent
# Enable the firewall with the ruleset defined in $__manifest/files/pf.conf
# Enable pf with the ruleset defined in $__manifest/files/pf.conf
__pf_ruleset --state present --source $__manifest/files/pf.conf
@ -44,11 +46,13 @@ SEE ALSO
AUTHORS
-------
Kamila Součková <coding--@--kamila.is>
Jake Guffey <jake.guffey--@--eprotex.com>
COPYING
-------
Copyright \(C) 2016 Kamila Součková.
Copyright \(C) 2012 Jake Guffey. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the

View file

@ -1,6 +1,6 @@
#!/bin/sh -e
#
# 2012 Jake Guffey (jake.guffey at eprotex.com)
# 2016 Kamila Součková (coding at kamila.is)
#
# This file is part of cdist.
#
@ -21,29 +21,26 @@
# Manage pf(4) on *BSD
#
# Debug
#exec >&2
#set -x
# Remove ${rcvar} in the case of --state absent
state=$(cat "$__object/parameter/state")
rcvar=$(cat "$__object/explorer/rcvar")
if [ "$state" = "present" ]; then # There is nothing more for a *remote* script to do
exit 0
elif [ "$state" = "absent" ]; then
# --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
cat <<EOF
if [ -f "${rcvar}.new" ]; then
rm "${rcvar}.new"
fi
if [ -f "${rcvar}" ]; then
mv "${rcvar}" "${rcvar}.old"
fi
EOF
else
echo "Unknown state ${state}!" >&2
exit 1
rcvar="$(cat "${__object}/explorer/rcvar")"
state="$(cat "${__object}/parameter/state")"
if [ -f "${__object}/parameter/source" ]; then
source="$(cat "${__object}/parameter/source")"
fi
if [ "${state}" = "absent" ]; then
action="/etc/rc.d/pf stop"
else
action="/etc/rc.d/pf reload || /etc/rc.d/pf start"
fi
__key_value __pf_ruleset/rcvar \
--state "${state}" \
--file /etc/rc.conf \
--delimiter "=" \
--key "pf_enable" \
--value "YES"
require="__key_value/__pf_ruleset/rcvar" __config_file "${rcvar}" \
--source "${source}" \
--state "${state}" \
--onchange "${action}"