# File 'manifests/init.pp', line 1
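# Manage one ipset: its header definition (type and options), its member
# list, and the in-kernel set that mirrors both.
#
# Two files are written under $::ipset::params::config_path:
#   <title>.hdr  - the "create <title> <type> <options>" line
#   <title>.set  - one member per line
# The helper script /usr/local/sbin/ipset_sync compares them with the
# running kernel set and reconciles any difference.
#
# @param set              Members of the set: an array (one entry per line),
#                         a 'puppet://' source URL, a 'file://' path on the
#                         target node, or the raw file content as a string.
# @param ensure           'present' or 'absent'; anything else fails.
# @param type             ipset type written to the header, e.g. 'hash:ip'.
# @param options          Header options merged over family/hashsize/maxelem.
# @param ignore_contents  When true only the header is reconciled (passes -n
#                         to the helper script); members are left untouched.
# @param keep_in_sync     When true a change to the member file also triggers
#                         a sync of the kernel set; a header change always does.
define ipset (
  $set,
  $ensure          = 'present',
  $type            = 'hash:ip',
  $options         = {},
  # do not touch what is inside the set, just its header (properties)
  $ignore_contents = false,
  # keep definition file and in-kernel runtime state in sync
  $keep_in_sync    = true,
) {
  include ipset::params
  include ipset::install

  # The title becomes the kernel set name and is interpolated verbatim into
  # the exec command strings below, so it must not carry whitespace or shell
  # metacharacters. Reject anything outside a conservative charset up front
  # rather than letting it reach the helper script or ipset(8).
  if $title !~ /^[A-Za-z0-9_.-]+$/ {
    fail("ipset: title '${title}' must match [A-Za-z0-9_.-]+")
  }

  $config_path = $::ipset::params::config_path
  $hdr_file    = "${config_path}/${title}.hdr"
  $set_file    = "${config_path}/${title}.set"
  $sync_exec   = "sync_ipset_${title}"

  $default_options = {
    'family'   => 'inet',
    'hashsize' => '1024',
    'maxelem'  => '65536',
  }
  # caller-supplied options win over the defaults
  $actual_options = merge($default_options, $options)

  if $ensure == 'present' {
    # assert "present" target
    # Options are sorted so the header content is stable between runs and
    # does not trigger a spurious notify of the sync exec.
    $opt_string = inline_template('<%= (@actual_options.sort.map { |k,v| k.to_s + " " + v.to_s }).join(" ") %>')

    # header
    file { $hdr_file:
      content => "create ${title} ${type} ${opt_string}\n",
      notify  => Exec[$sync_exec],
    }

    # content
    if is_array($set) {
      # create file with ipset, one record per line
      file { $set_file:
        ensure  => present,
        content => inline_template('<%= (@set.map { |i| i.to_s }).join("\n") %>'),
      }
    } elsif $set =~ /^puppet:\/\// {
      # passed as puppet file
      file { $set_file:
        ensure => present,
        source => $set,
      }
    } elsif $set =~ /^file:\/\// {
      # passed as target node file; strip the scheme, leaving the local path
      file { $set_file:
        ensure => present,
        source => regsubst($set, '^file://', ''),
      }
    } else {
      # passed directly as content string (from template for example)
      file { $set_file:
        ensure  => present,
        content => $set,
      }
    }

    # add the -n switch to the helper script when only the header is managed
    if $ignore_contents {
      $ignore_contents_opt = ' -n'
    } else {
      $ignore_contents_opt = ''
    }

    # sync if needed by helper script
    exec { $sync_exec:
      path    => [ '/sbin', '/usr/sbin', '/bin', '/usr/bin' ],
      # use helper script to do the sync
      command => "/usr/local/sbin/ipset_sync -c '${config_path}' -i ${title}${ignore_contents_opt}",
      # only when difference with in-kernel set is detected
      unless  => "/usr/local/sbin/ipset_sync -c '${config_path}' -d -i ${title}${ignore_contents_opt}",
      require => Package['ipset'],
    }

    if $keep_in_sync {
      File[$set_file] ~> Exec[$sync_exec]
    }
  } elsif $ensure == 'absent' {
    # ensuring absence
    # do not contain config files
    file { [$set_file, $hdr_file]:
      ensure => absent,
    }

    # clear ipset from kernel
    exec { "ipset destroy ${title}":
      path     => [ '/sbin', '/usr/sbin', '/bin', '/usr/bin' ],
      command  => "/usr/sbin/ipset destroy ${title}",
      # The check uses shell redirection, so run it through the shell
      # provider explicitly. Portable POSIX form: '&>' is a bashism and under
      # plain sh it backgrounds the command and always exits 0, which would
      # make the destroy fire on every run even when the set does not exist.
      onlyif   => "/usr/sbin/ipset list -name ${title} >/dev/null 2>&1",
      provider => shell,
      require  => Package['ipset'],
    }
  } else {
    fail('Unsupported "ensure" parameter.')
  }
}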