Diffstat (limited to 'ops/firewall')
-rw-r--r-- | ops/firewall | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/ops/firewall b/ops/firewall
new file mode 100644
index 0000000..e20b730
--- /dev/null
+++ b/ops/firewall
@@ -0,0 +1,65 @@
+# vim:ft=sh:noexpandtab
+# Firewall configuration (iptables on linux)
+# TODO FreeBSD
+
+FIREWALL_PREFIX="./files/firewall/$(hostname)"
+
+firewall_check_common() {
+ if do_diff "./files/firewall/$2.conf" "/etc/conf.d/$2" \
+ "Firewall IPv$1 service config changes"; then
+ ops_require "ipv$1_config"
+ fi
+ if do_diff "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" \
+ "Firewall IPv$1 changes"; then
+ ops_require "ipv$1"
+ fi
+}
+
+firewall_check() {
+ ops_set_current firewall
+ if ! ( which iptables && which ip6tables ) >/dev/null; then
+ echo_error "Firewall operation requires iptables and ip6tables."
+ return 0
+ fi
+
+ firewall_check_common 4 iptables
+ [ -n "$FIREWALL_NO_IPV6" ] && [ "$FIREWALL_NO_IPV6" = "true" ] || \
+ firewall_check_common 6 ip6tables
+
+ ops_required_any "Firewall" # return 1 fall trough
+}
+
+firewall_prepare() {
+ # We have nothing to do for prepare
+ true
+}
+
+firewall_apply_common() {
+ local RELOAD=false
+ if ops_is_required "ipv$1_config"; then
+ echo_trace "Updating $2 service config"
+ cp "./files/firewall/$2.conf" "/etc/conf.d/$2"
+ RELOAD=true
+ fi
+ if ops_is_required "ipv$1"; then
+ echo_trace "Updating ipv$1 tables"
+ mkdir -p /etc/iptables
+ cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1"
+ RELOAD=true
+ fi
+ if $RELOAD; then
+ echo_trace "Reloading service $2"
+ service "$2" reload
+ fi
+}
+
+firewall_apply() {
+ ops_set_current firewall
+ firewall_apply_common 4 iptables
+ firewall_apply_common 6 ip6tables
+}
+
+firewall_clean() {
+ # We have nothing to do for clean
+ true
+} |
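Review bot: In firewall_apply_common the exit status of both `cp` calls (and of `mkdir -p`) is ignored, so a failed copy of `./files/firewall/$2.conf` or `$FIREWALL_PREFIX.ipv$1` still sets `RELOAD=true` and `service "$2" reload` runs against whatever was already in `/etc/conf.d/$2` or `/etc/iptables/ipv$1`. Gating each copy, e.g. `cp "$FIREWALL_PREFIX.ipv$1" "/etc/iptables/ipv$1" || return 1`, keeps the reload tied to a successful update. Because the reload pushes the ruleset into the kernel, it is also worth parsing the file before it is installed — `iptables-restore --test < "$FIREWALL_PREFIX.ipv$1"` (ip6tables-restore for IPv6) rejects a malformed ruleset without touching the running tables, so a typo cannot leave the host with a failed service and no filtering. firewall_check skips IPv6 when FIREWALL_NO_IPV6=true, yet firewall_apply calls `firewall_apply_common 6 ip6tables` unconditionally; that looks harmless because ops_is_required "ipv6" would presumably not be set, but mirroring the guard in firewall_apply would make the intent explicit.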