Diffstat (limited to 'ops/firewall')
-rw-r--r--ops/firewall65
1 files changed, 65 insertions, 0 deletions
diff --git a/ops/firewall b/ops/firewall
new file mode 100644
index 0000000..e20b730
--- /dev/null
+++ b/ops/firewall
@@ -0,0 +1,65 @@
+# vim:ft=sh:noexpandtab
+# Firewall configuration (iptables on linux)
+# TODO FreeBSD
+
+FIREWALL_PREFIX="./files/firewall/$(hostname)"
+
+firewall_check_common() {
+ if do_diff "./files/firewall/$2.conf" "/etc/conf.d/$2" \
+ "Firewall IPv$1 service config changes"; then
+ ops_require "ipv$1_config"
+ fi
+ if do_diff "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" \
+ "Firewall IPv$1 changes"; then
+ ops_require "ipv$1"
+ fi
+}
+
+firewall_check() {
+ ops_set_current firewall
+ if ! ( which iptables && which ip6tables ) >/dev/null; then
+ echo_error "Firewall operation requires iptables and ip6tables."
+ return 0
+ fi
+
+ firewall_check_common 4 iptables
+ [ -n "$FIREWALL_NO_IPV6" ] && [ "$FIREWALL_NO_IPV6" = "true" ] || \
+ firewall_check_common 6 ip6tables
+
+ ops_required_any "Firewall" # return 1 fall trough
+}
+
+firewall_prepare() {
+ # We have nothing to do for prepare
+ true
+}
+
+firewall_apply_common() {
+ local RELOAD=false
+ if ops_is_required "ipv$1_config"; then
+ echo_trace "Updating $2 service config"
+ cp "./files/firewall/$2.conf" "/etc/conf.d/$2"
+ RELOAD=true
+ fi
+ if ops_is_required "ipv$1"; then
+ echo_trace "Updating ipv$1 tables"
+ mkdir -p /etc/iptables
+ cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1"
+ RELOAD=true
+ fi
+ if $RELOAD; then
+ echo_trace "Reloading service $2"
+ service "$2" reload
+ fi
+}
+
+firewall_apply() {
+ ops_set_current firewall
+ firewall_apply_common 4 iptables
+ firewall_apply_common 6 ip6tables
+}
+
+firewall_clean() {
+ # We have nothing to do for clean
+ true
+}
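Review bot: firewall_apply_common never checks whether the copies or the reload succeeded, so a missing source file (`cp` on the `/etc/conf.d/$2` and `/etc/iptables/ipv$1` lines) or a rules file that `service "$2" reload` rejects leaves the host on its previous rule set, or with no rules, while the run reports success. Each copy should abort the apply on failure, e.g. `cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" || { echo_error "Failed to install ipv$1 rules"; return 1; }`, and the reload should be checked the same way: `service "$2" reload || { echo_error "Reload of $2 failed; host firewall state is undefined"; return 1; }`. If the init script offers a syntax check, running it against the copied rules before the reload would catch bad rule files before they take effect; that depends on the service, so it should be confirmed against the target's iptables service script. Note also that firewall_check skips the IPv6 leg when FIREWALL_NO_IPV6 is true but firewall_apply always calls firewall_apply_common 6; this appears to rely on ops_is_required never having been set for ipv6, which is worth a comment on the apply function so the asymmetry is not mistaken for a bug.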