Merge branch 'evilham-pf' into 'master'

[__pf*] (~) __pf_ruleset (+)__pf_apply_anchor, deprecate __pf_apply

See merge request ungleich-public/cdist!867

cdist/conf/type/__pf_apply/deprecated

@@ -0,0 +1 @@
+Consider moving to __pf_apply_anchor. Get in touch if you need __pf_apply.

cdist/conf/type/__pf_apply_anchor/gencode-remote

@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/sh -e
 #
-# 2012 Jake Guffey (jake.guffey at eprotex.com)
+# 2016 Kamila Součková (coding at kamila.is)
 #
 # This file is part of cdist.
 #
@@ -18,24 +18,16 @@
 # along with cdist. If not, see <http://www.gnu.org/licenses/>.
 #
 #
-# Get the 256 bit SHA2 checksum of the pf ruleset on the target host.
+# Apply pf(4) ruleset on *BSD
 #
 
-# Debug
-#exec >&2
-#set -x
+ANCHORS_DIR="/etc/pf.d"
 
-# Check /etc/rc.conf for pf's configuration file name. Default to /etc/pf.conf
-# See if file exists and if so, get checksum
-
-RC="/etc/rc.conf"
-TMP="$(grep '^pf_rules=' ${RC} | cut -d= -f2 | sed 's/"//g')"
-PFCONF="${TMP:-"/etc/pf.conf"}"
-
-if [ -f "${PFCONF}" ]; then	# The pf config file exists, find its cksum.
-	cksum -o 1 "${PFCONF}" | cut -d= -f2 | awk '{print $1}'
+if [ -f "${__object}/parameter/anchor_name" ]; then
+    anchor_name="$(cat "${__object}/parameter/anchor_name")"
+else
+    anchor_name="${__object_id}"
 fi
+anchor_file="${ANCHORS_DIR}/${anchor_name}"
 
-# Debug
-#set +x
-
+echo "pfctl -a \"${anchor_name}\" -f \"${anchor_file}\""

cdist/conf/type/__pf_apply_anchor/man.rst

@@ -0,0 +1,62 @@
+cdist-type__pf_apply_anchor(7)
+==============================
+
+NAME
+----
+cdist-type__pf_apply_anchor - Apply a pf(4) anchor on $__target_host
+
+
+DESCRIPTION
+-----------
+This type is used on \*BSD systems to manage anchors for the pf firewall.
+
+Notice this type does not take care of copying the ruleset, that must be
+done by the user with, e.g. `__file`.
+
+
+OPTIONAL PARAMETERS
+-------------------
+anchor_name
+   The name of the anchor to apply. If not set, `${__object_id}` is used.
+   This type requires `/etc/pf.d/${anchor_name}` to exist on
+   `$__target_host`.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Copy anchor file to ${__target_host}
+    __file "/etc/pf.d/80_dns" --source - <<EOF
+    # Managed remotely, changes will be lost
+
+    pass quick proto {tcp,udp} from any to any port domain
+    EOF
+
+    # Apply the anchor
+    require="__file/etc/pf.d/80_dns" __pf_apply_anchor 80_dns
+    # This is roughly equivalent to:
+    #   pfctl -a "${anchor_name}" -f "/etc/pf.d/${anchor_name}"
+
+
+SEE ALSO
+--------
+:strong:`pf`\ (4)
+
+
+AUTHORS
+-------
+Evilham <contact--@--evilham.com>
+Kamila Součková <coding--@--kamila.is>
+Jake Guffey <jake.guffey--@--eprotex.com>
+
+
+COPYING
+-------
+Copyright \(C) 2020 Evilham.
+Copyright \(C) 2016 Kamila Součková.
+Copyright \(C) 2012 Jake Guffey. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__pf_apply_anchor/parameter/optional

@@ -0,0 +1 @@
+anchor_name

cdist/conf/type/__pf_ruleset/gencode-local

@@ -1,81 +0,0 @@
-#!/bin/sh -e
-#
-# 2012 Jake Guffey (jake.guffey at eprotex.com)
-#
-# This file is part of cdist.
-#
-# cdist is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# cdist is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with cdist. If not, see <http://www.gnu.org/licenses/>.
-#
-#
-# Manage pf(4) on *BSD
-#
-
-# Debug
-#exec >&2
-#set -x
-
-# Send files to $__target_host via $__remote_copy
-
-uname=$(uname)   # Need to know what the cdist host is running so we know how to compute the ruleset's checksum
-state=$(cat "$__object/parameter/state")
-
-if [ "$state" = "absent" ]; then   # There is nothing more for a *local* script to do
-   exit 0
-fi
-
-if [ -f "$__object/parameter/source" ]; then
-   source=$(cat "$__object/parameter/source")
-fi
-
-rcvar=$(cat "$__object/explorer/rcvar")
-cksum=$(cat "$__object/explorer/cksum")
-
-
-cat <<EOF
-case $uname in
-   Darwin)
-      currentSum=\$(cksum -o 1 ${source} | cut '-d ' -f1)
-      ;;
-   Linux)
-      currentSum=\$(cksum ${source} | cut '-d ' -f1)
-      ;;
-   FreeBSD)
-      currentSum=\$(cksum -o 1 ${source} | cut -d= -f2 | sed 's/ //g')
-      ;;
-   *)
-      echo "Sorry, I do not know how to find a cksum on ${uname}." >&2
-      exit 1
-      ;;
-esac
-
-# IPv6 fix
-if $(echo "${__target_host}" | grep -q -E '^[0-9a-fA-F:]+$')
-then
-    my_target_host="[${__target_host}]"
-else
-    my_target_host="${__target_host}"
-fi
-
-if [ -n "${cksum}" ]; then
-   if [ ! "\${currentSum}" = "${cksum}" ]; then
-      $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
-   fi
-else # File just doesn't exist yet
-   $__remote_copy "${source}" "\${my_target_host}:${rcvar}.new"
-fi
-EOF
-
-# Debug
-#exec +x
-

cdist/conf/type/__pf_ruleset/man.rst

@@ -10,6 +10,9 @@ DESCRIPTION
 -----------
 This type is used on \*BSD systems to manage the pf firewall's ruleset.
 
+It will also enable and disable the pf firewall as requested in the `state`
+parameter.
+
 
 REQUIRED PARAMETERS
 -------------------
@@ -20,9 +23,8 @@ state
 OPTIONAL PARAMETERS
 -------------------
 source
-   If supplied, use to define the ruleset to load onto the $__target_host for pf(4).
-   Note that this type is almost useless without a ruleset defined, but it's technically not
-   needed, e.g. for the case of disabling the firewall temporarily.
+   Required when state is "present".
+   Defines the ruleset to load onto the $__target_host for `pf(4)`.
 
 
 EXAMPLES
@@ -30,10 +32,10 @@ EXAMPLES
 
 .. code-block:: sh
 
-    # Remove the current ruleset in place
+    # Remove the current ruleset in place and disable pf
     __pf_ruleset --state absent
 
-    # Enable the firewall with the ruleset defined in $__manifest/files/pf.conf
+    # Enable pf with the ruleset defined in $__manifest/files/pf.conf
     __pf_ruleset --state present --source $__manifest/files/pf.conf
 
 
@@ -44,11 +46,13 @@ SEE ALSO
 
 AUTHORS
 -------
+Kamila Součková <coding--@--kamila.is>
 Jake Guffey <jake.guffey--@--eprotex.com>
 
 
 COPYING
 -------
+Copyright \(C) 2016 Kamila Součková.
 Copyright \(C) 2012 Jake Guffey. You can redistribute it
 and/or modify it under the terms of the GNU General Public License as
 published by the Free Software Foundation, either version 3 of the

cdist/conf/type/__pf_ruleset/manifest

@@ -1,6 +1,6 @@
 #!/bin/sh -e
 #
-# 2012 Jake Guffey (jake.guffey at eprotex.com)
+# 2016 Kamila Součková (coding at kamila.is)
 #
 # This file is part of cdist.
 #
@@ -21,29 +21,26 @@
 # Manage pf(4) on *BSD
 #
 
-# Debug
-#exec >&2
-#set -x
-
-# Remove ${rcvar} in the case of --state absent
-
-state=$(cat "$__object/parameter/state")
-rcvar=$(cat "$__object/explorer/rcvar")
+rcvar="$(cat "${__object}/explorer/rcvar")"
+state="$(cat "${__object}/parameter/state")"
+if [ -f "${__object}/parameter/source" ]; then
+    source="$(cat "${__object}/parameter/source")"
+fi
 
-if [ "$state" = "present" ]; then   # There is nothing more for a *remote* script to do
-   exit 0
-elif [ "$state" = "absent" ]; then
-   # --state absent, so ensure that .new doesn't exist and that conf is renamed to .old
-   cat <<EOF
-   if [ -f "${rcvar}.new" ]; then
-      rm "${rcvar}.new"
-   fi
-   if [ -f "${rcvar}" ]; then
-      mv "${rcvar}" "${rcvar}.old"
-   fi
-EOF
+if [ "${state}" = "absent" ]; then
+    action="/etc/rc.d/pf stop"
 else
-   echo "Unknown state ${state}!" >&2
-   exit 1
+    action="/etc/rc.d/pf reload || /etc/rc.d/pf start"
 fi
 
+__key_value __pf_ruleset/rcvar \
+    --state "${state}" \
+    --file /etc/rc.conf \
+    --delimiter "=" \
+    --key "pf_enable" \
+    --value "YES"
+
+require="__key_value/__pf_ruleset/rcvar" __config_file "${rcvar}" \
+    --source "${source}" \
+    --state "${state}" \
+    --onchange "${action}"