Defined Type: ipset

Defined in:
manifests/init.pp

Overview

Parameters:

  • set (Any)
  • ensure (Any) (defaults to: 'present')
  • type (Any) (defaults to: 'hash:ip')
  • options (Any) (defaults to: {})
  • ignore_contents (Any) (defaults to: false)
  • keep_in_sync (Any) (defaults to: true)


# File 'manifests/init.pp', line 1

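# Manage one ipset: its on-disk definition (a `.hdr` file holding the `create`
# line and a `.set` file holding the members, both under
# `$::ipset::params::config_path`) and, through the helper script
# /usr/local/sbin/ipset_sync, the matching in-kernel set.
#
# @param set             Members of the set. Either an array (written one member
#                        per line), a `puppet://` URL, a `file://` path on the
#                        target node, or a literal string written verbatim.
# @param ensure          'present' or 'absent'; any other value fails the compile.
# @param type            ipset set type written into the `create` line.
# @param options         Hash merged over the defaults family/hashsize/maxelem;
#                        every key/value pair ends up in the `create` line.
# @param ignore_contents When true the helper script is passed `-n`: only the
#                        header (set properties) is synchronised, the members
#                        already in the kernel are left alone.
# @param keep_in_sync    When true a change to the `.set` file re-triggers the
#                        sync exec; the `.hdr` file always does.
define ipset (
  $set,
  $ensure          = 'present',
  $type            = 'hash:ip',
  $options         = {},
  # do not touch what is inside the set, just its header (properties)
  $ignore_contents = false,
  # keep definition file and in-kernel runtime state in sync
  $keep_in_sync    = true,
) {
  include ipset::params
  include ipset::install

  # $title is written into the ipset header file and interpolated, unquoted,
  # into exec commands that end up in /bin/sh (the `onlyif` below contains a
  # redirection).  Refuse anything that is not a plain identifier so a stray
  # ';', '$' or newline in a resource title cannot become an extra shell
  # command or an extra `ipset restore` line.  This is deliberately stricter
  # than ipset's own naming rules.
  if $title !~ /^[A-Za-z0-9_.:-]+$/ {
    fail("ipset: set name '${title}' contains characters outside [A-Za-z0-9_.:-]")
  }

  $default_options = {
    'family'   => 'inet',
    'hashsize' => '1024',
    'maxelem'  => '65536',
  }

  # caller-supplied options win over the defaults
  $actual_options = merge($default_options, $options)

  $hdr_file = "${::ipset::params::config_path}/${title}.hdr"
  $set_file = "${::ipset::params::config_path}/${title}.set"

  if $ensure == 'present' {
    # assert "present" target

    # "key value key value ..." in sorted key order, so the header content is
    # stable across runs and does not trigger spurious syncs
    $opt_string = inline_template('<%= (@actual_options.sort.map { |k,v| k.to_s + " " + v.to_s }).join(" ") %>')

    # header: the `create` line consumed by the helper script
    file { $hdr_file:
      ensure  => present,
      content => "create ${title} ${type} ${opt_string}\n",
      notify  => Exec["sync_ipset_${title}"],
    }

    # content: four accepted forms of $set
    if is_array($set) {
      # create file with ipset, one record per line
      file { $set_file:
        ensure  => present,
        content => inline_template('<%= (@set.map { |i| i.to_s }).join("\n") %>'),
      }
    } elsif $set =~ /^puppet:\/\// {
      # passed as puppet file
      file { $set_file:
        ensure => present,
        source => $set,
      }
    } elsif $set =~ /^file:\/\// {
      # passed as target node file: strip the scheme, keep the local path
      file { $set_file:
        ensure => present,
        source => regsubst($set, '^file://', ''),
      }
    } else {
      # passed directly as content string (from template for example)
      file { $set_file:
        ensure  => present,
        content => $set,
      }
    }

    # add the -n switch to the helper script if only the header is managed
    if $ignore_contents {
      $ignore_contents_opt = ' -n'
    } else {
      $ignore_contents_opt = ''
    }

    # sync if needed by helper script
    exec { "sync_ipset_${title}":
      path    => [ '/sbin', '/usr/sbin', '/bin', '/usr/bin' ],

      # use helper script to do the sync
      command => "/usr/local/sbin/ipset_sync -c '${::ipset::params::config_path}'    -i ${title}${ignore_contents_opt}",

      # only when difference with in-kernel set is detected
      # (presumably `-d` reports the difference through its exit status)
      unless  => "/usr/local/sbin/ipset_sync -c '${::ipset::params::config_path}' -d -i ${title}${ignore_contents_opt}",

      # both definition files must be on disk before the first sync runs;
      # `require` orders without refreshing, so keep_in_sync still decides
      # whether a content change re-runs the sync
      require => [ Package['ipset'], File[$hdr_file], File[$set_file] ],
    }

    if $keep_in_sync {
      File[$set_file] ~> Exec["sync_ipset_${title}"]
    }
  } elsif $ensure == 'absent' {
    # ensuring absence

    # remove both definition files
    file { [ $set_file, $hdr_file ]:
      ensure => absent,
    }

    # clear ipset from kernel
    exec { "ipset destroy ${title}":
      path    => [ '/sbin', '/usr/sbin', '/bin', '/usr/bin' ],

      command => "/usr/sbin/ipset destroy ${title}",

      # Ruby runs a command string containing a redirection through /bin/sh,
      # where `&>` is a bash-only form: dash parses it as `&` (background)
      # followed by an empty redirection, so the check exits 0 even when the
      # set does not exist and `ipset destroy` then fails every run.  Use the
      # POSIX spelling.
      onlyif  => "/usr/sbin/ipset list -name ${title} >/dev/null 2>&1",

      require => Package['ipset'],
    }
  } else {
    fail('Unsupported "ensure" parameter.')
  }
}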