author | Karel Kočí <cynerd@email.cz> | 2017-09-20 21:19:05 +0200 |
---|---|---|
committer | Karel Kočí <cynerd@email.cz> | 2017-09-20 21:22:36 +0200 |
commit | f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8 (patch) | |
tree | 5025b33a8c3d4c69ad2b62e1169b669c56f712f9 /ops/firewall | |
parent | 65f52ead41dc6df73671ddd3a8c6a2edecb6dfb3 (diff) | |
download | multiconfig-f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8.tar.gz multiconfig-f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8.tar.bz2 multiconfig-f287ecedc78c0cc8fb485c5995b8d1cfae9f0fe8.zip |
Commit current statecomplicated
Diffstat (limited to 'ops/firewall')
-rw-r--r-- | ops/firewall | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/ops/firewall b/ops/firewall
new file mode 100644
index 0000000..e20b730
--- /dev/null
+++ b/ops/firewall
@@ -0,0 +1,65 @@
+# vim:ft=sh:noexpandtab
+# Firewall configuration (iptables on linux)
+# TODO FreeBSD
+
+FIREWALL_PREFIX="./files/firewall/$(hostname)"
+
+firewall_check_common() {
+ if do_diff "./files/firewall/$2.conf" "/etc/conf.d/$2" \
+ "Firewall IPv$1 service config changes"; then
+ ops_require "ipv$1_config"
+ fi
+ if do_diff "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" \
+ "Firewall IPv$1 changes"; then
+ ops_require "ipv$1"
+ fi
+}
+
+firewall_check() {
+ ops_set_current firewall
+ if ! ( which iptables && which ip6tables ) >/dev/null; then
+ echo_error "Firewall operation requires iptables and ip6tables."
+ return 0
+ fi
+
+ firewall_check_common 4 iptables
+ [ -n "$FIREWALL_NO_IPV6" ] && [ "$FIREWALL_NO_IPV6" = "true" ] || \
+ firewall_check_common 6 ip6tables
+
+ ops_required_any "Firewall" # return 1 fall trough
+}
+
+firewall_prepare() {
+ # We have nothing to do for prepare
+ true
+}
+
+firewall_apply_common() {
+ local RELOAD=false
+ if ops_is_required "ipv$1_config"; then
+ echo_trace "Updating $2 service config"
+ cp "./files/firewall/$2.conf" "/etc/conf.d/$2"
+ RELOAD=true
+ fi
+ if ops_is_required "ipv$1"; then
+ echo_trace "Updating ipv$1 tables"
+ mkdir -p /etc/iptables
+ cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1"
+ RELOAD=true
+ fi
+ if $RELOAD; then
+ echo_trace "Reloading service $2"
+ service "$2" reload
+ fi
+}
+
+firewall_apply() {
+ ops_set_current firewall
+ firewall_apply_common 4 iptables
+ firewall_apply_common 6 ip6tables
+}
+
+firewall_clean() {
+ # We have nothing to do for clean
+ true
+} |
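Review bot: In `firewall_apply_common` neither `cp` call nor `service "$2" reload` has its exit status checked, so a failed copy (missing source file, read-only `/etc`) still sets `RELOAD=true` and reloads the service against whatever rules file was already there, and a failed reload is reported as success by `firewall_apply`. Unless the enclosing script runs under `set -e` (not visible here), the copies should fail the step, e.g. `cp "./files/firewall/$2.conf" "/etc/conf.d/$2" || return 1` and `cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" || return 1`, and the reload should be checked the same way with an `echo_error`, so a host left without its intended rules is visible to the operator rather than silently treated as applied. A smaller point in `firewall_check`: `which` is not POSIX and its exit status varies between implementations, so `command -v iptables >/dev/null && command -v ip6tables >/dev/null` is the portable form of that guard.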