fwtool: initial ipv6 support and puppet integration
[hcoop/domtool2.git] / scripts / domtool-publish
index cd5e196..3450703 100755 (executable)
@@ -95,6 +95,26 @@ case $1 in
               # rules?
               /bin/cp /var/domtool/firewall/*.conf /etc/ferm/
               /etc/init.d/ferm reload
+              ;;
+       firewallpuppet)
+              # new firewall publishing method that integrates with puppet (sort of)
+              /bin/cp /var/domtool/firewall/*.conf /etc/ferm/
+              if [ ! -d /etc/puppetlabs ]; then
+                  # legacy node
+                  /etc/init.d/ferm reload
+                  exit
+              fi
+              if ( /usr/sbin/ferm --noexec /etc/ferm/ferm.conf ); then
+                  for chain in FERM-INPUT FERM-OUTPUT; do
+                      /sbin/iptables -F $chain
+                      /sbin/ip6tables -F $chain
+
+                      /usr/sbin/ferm --domain ip  --noexec --lines /etc/ferm/ferm.conf | iptables-restore --noflush
+                              /usr/sbin/ferm --domain ip6 --noexec --lines /etc/ferm/ferm.conf | ip6tables-restore --noflush
+                  done
+              else
+                  echo "firewall: ferm failed, aborting regeneration."
+              fi
        ;;
        *)
                echo "Usage: domtool-publish [apache|bind|courier|exim|mailman|smtplog STRING|users|firewall]"
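Review bot: The two `iptables-restore --noflush` pipelines are inside the `for chain` loop, so the whole ruleset is loaded once per chain; on the second pass FERM-INPUT has already been refilled and, because `--noflush` appends rather than replaces, every rule in it ends up duplicated (and any chain the ruleset defines that is not in the loop is never flushed, so it grows on every publish). The restore should run once, after both chains are empty, and its status should be checked: as written a failing restore leaves the flushed chains empty while the script still exits 0, and the `ferm failed` branch likewise reports success to the caller. The `--noexec` validation also runs after the `cp`, so a broken config has already overwritten /etc/ferm/*.conf by the time the script aborts; validating the staged files before copying (or at least `exit 1` on failure so the publish is reported as failed) would be safer. Note that without `pipefail` only the restore's status is visible, so a ferm error on the left side of the pipe still needs the `--noexec` pre-check. The enclosing `case` starts before this hunk, and the usage string on its last line does not list the new `firewallpuppet` verb.
```shell
if /usr/sbin/ferm --noexec /etc/ferm/ferm.conf; then
    for chain in FERM-INPUT FERM-OUTPUT; do
        /sbin/iptables -F "$chain"
        /sbin/ip6tables -F "$chain"
    done
    # Load the ruleset exactly once, after both chains are empty:
    # --noflush appends, so a second pass would duplicate every rule.
    /usr/sbin/ferm --domain ip  --noexec --lines /etc/ferm/ferm.conf | iptables-restore --noflush \
        || { echo "firewall: iptables-restore failed" >&2; exit 1; }
    /usr/sbin/ferm --domain ip6 --noexec --lines /etc/ferm/ferm.conf | ip6tables-restore --noflush \
        || { echo "firewall: ip6tables-restore failed" >&2; exit 1; }
else
    echo "firewall: ferm failed, aborting regeneration." >&2
    exit 1
fi
```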