On Fri, Feb 10, 2012 at 06:24:12PM +0000, John Mitchell said:
> firewall. I can do an iptables --list to get a list, but I'm not quite
> sure how to set a value on a match for a process. Ideally I'd like to do
> something along the lines of
>
> classes:
> "https_port_allowed" => if_line_in_program_output("/sbin/iptables
> --list","^ACCEPT.*state NEW tcp dpt:www")
>
> But I have no clue on how to do this, could someone point me in the
> right direction?
How about this. It's pretty clumsy; as others have pointed out, you'd be better off doing edit lines on the save file, but in the interests of scientific enquiry, this might work. I haven't run or tested this, so it's likely riven with typos and logic errors.

  bundle agent firewall_http {
    classes:
      webserver::
        # rule missing on a web server; iptables -n prints the port as 80, not www
        "need_http_port_enabled"
          not => returnszero("/sbin/iptables -n -L RH-Firewall-1-INPUT | /bin/grep -q '^ACCEPT.*state NEW tcp dpt:80'", "useshell");
      !webserver::
        # rule present on a host that is not a web server
        "need_http_port_disabled"
          expression => returnszero("/sbin/iptables -n -L RH-Firewall-1-INPUT | /bin/grep -q '^ACCEPT.*state NEW tcp dpt:80'", "useshell");

    commands:
      need_http_port_enabled::
        # -I rather than -A: the RHEL chain ends in a catch-all REJECT, so an appended rule is never reached
        "/sbin/iptables -I RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
          classes => if_repaired("save_iptables");   # if_repaired comes from cfengine_stdlib.cf
      need_http_port_disabled::
        "/sbin/iptables -D RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
          classes => if_repaired("save_iptables");
      save_iptables::
        # iptables-save on its own only prints to stdout; this writes /etc/sysconfig/iptables on RHEL
        "/sbin/service iptables save";
  }

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
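The edit_line approach the reply points to (managing the RHEL save file instead of the live chain), as an added example that is not from the thread or from CFEngine's own documentation. It assumes the standard library is loaded as cfengine_stdlib.cf, that the webserver class is defined elsewhere, and the stock RHEL layout in which RH-Firewall-1-INPUT ends with a catch-all REJECT rule; the ACCEPT is inserted above that rule, since a line appended after it would never match.

```cfengine3
body common control {
  inputs         => { "cfengine_stdlib.cf" };   # provides if_repaired and delete_lines_matching
  bundlesequence => { "rhel_http_firewall" };
}

bundle agent rhel_http_firewall {
  vars:
    # assumption: stock RHEL save file and chain name
    "saved_rules" string => "/etc/sysconfig/iptables";
    "http_rule"   string => "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT";

  files:
    # the webserver class is assumed to be set elsewhere in the policy
    webserver::
      # insert_lines is convergent: nothing changes if the exact line is already present
      "$(saved_rules)"
        edit_line => insert_before_reject("$(http_rule)"),
        classes   => if_repaired("iptables_rules_changed");

    !webserver::
      # CFEngine regexes are anchored, so the pattern must match the whole line
      "$(saved_rules)"
        edit_line => delete_lines_matching("-A RH-Firewall-1-INPUT .*--dport 80 -j ACCEPT"),
        classes   => if_repaired("iptables_rules_changed");

  commands:
    # reload the kernel rules from the file only when the file actually changed
    iptables_rules_changed::
      "/sbin/service iptables restart";
}

# place the new rule just above the chain's final REJECT, where it can still match
bundle edit_line insert_before_reject(rule) {
  insert_lines:
    "$(rule)"
      location => before_reject;
}

body location before_reject {
  select_line_matching => "^-A RH-Firewall-1-INPUT -j REJECT.*";
  before_after         => "before";
  first_last           => "first";
}
```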