}
firewall { '001 allow boo':
- action => accept,
+ action => accept,
iniface => 'eth0',
sport => 123,
dport => 123,
nil
end
- # Executed if method is missing. In this case we are going to catch
+ # Executed if method is missing. In this case we are going to catch
# unqualified property methods for dynamic property setting and getting.
def method_missing(meth, *args, &block)
dynamic_methods = self.class.instance_variable_get('@resource_map').keys
:tosource => "--to-source",
}
- @resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
+ @resource_list = [:table, :source, :destination, :iniface, :outiface,
+ :proto, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
:todest, :tosource, :toports, :log_level, :log_prefix, :reject]
end
Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Firewall do
include Puppet::Util::Firewall
-
+
@doc = "Iptables type provider"
has_feature :iptables
def update
debug 'Updating rule %s' % resource[:name]
- iptables update_args
+ iptables update_args
end
def delete
end
@property_hash.clear
end
-
+
def self.instances
debug "[instances]"
table = nil
keys << :chain
keys.zip(values.scan(/"[^"]*"|\S+/).reverse) { |f, v| hash[f] = v.gsub(/"/, '') }
-
+
[:dport, :sport, :port, :state].each do |prop|
hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
end
hash[:proto] = "all" if !hash.include?(:proto)
# If the jump parameter is set to one of: ACCEPT, REJECT or DROP then
- # we should set the action parameter instead.
+ # we should set the action parameter instead.
if ['ACCEPT','REJECT','DROP'].include?(hash[:jump]) then
hash[:action] = hash[:jump].downcase
hash.delete(:jump)
def delete_args
count = []
line = properties[:line].gsub(/\-A/, '-D').split
-
+
# Grab all comment indices
line.each do |v|
if v =~ /"/
count << line.index(v)
end
end
-
+
if ! count.empty?
# Remove quotes and set first comment index to full string
line[count.first] = line[count.first..count.last].join(' ').gsub(/"/, '')
line[i] = nil
end
end
-
+
# Return array without nils
line.compact
end
def insert_order
debug("[insert_order]")
rules = []
-
+
# Find list of current rules based on chain
self.class.instances.each do |rule|
rules << rule.name if rule.chain == resource[:chain].to_s
#
# This is a workaround for bug: #4248 whereby ruby files outside of the normal
# provider/type path do not load until pluginsync has occured on the puppetmaster
-#
+#
# In this case I'm trying the relative path first, then falling back to normal
# mechanisms. This should be fixed in future versions of puppet but it looks
# like we'll need to maintain this for some time perhaps.
include Puppet::Util::Firewall
@doc = <<-EOS
- This type provides the capability to manage firewall rules within
+ This type provides the capability to manage firewall rules within
puppet.
EOS
newproperty(:sport, :array_matching => :all) do
desc <<-EOS
- The source port to match for this filter (if the protocol supports
+ The source port to match for this filter (if the protocol supports
ports). Will accept a single element or an array.
For some firewall providers you can pass a range of ports in the format:
newproperty(:dport, :array_matching => :all) do
desc <<-EOS
- The destination port to match for this filter (if the protocol supports
+ The destination port to match for this filter (if the protocol supports
ports). Will accept a single element or an array.
For some firewall providers you can pass a range of ports in the format:
This would cover ports 1 to 1024.
EOS
-
+
munge do |value|
@resource.string_to_port(value)
end
newproperty(:proto) do
desc <<-EOS
- The specific protocol to match for this rule. By default this is
+ The specific protocol to match for this rule. By default this is
*tcp*.
EOS
newproperty(:jump, :required_features => :iptables) do
desc <<-EOS
- The value for the iptables --jump parameter. Normal values are:
+ The value for the iptables --jump parameter. Normal values are:
* QUEUE
* RETURN
* DNAT
* SNAT
* LOG
- * MASQUERADE
+ * MASQUERADE
* REDIRECT
- But any valid chain name is allowed.
+ But any valid chain name is allowed.
- For the values ACCEPT, DROP and REJECT you must use the generic
+ For the values ACCEPT, DROP and REJECT you must use the generic
'action' parameter. This is to enfore the use of generic parameters where
possible for maximum cross-platform modelling.
validate do |value|
unless value =~ /^[a-zA-Z0-9\-_]+$/
raise ArgumentError, <<-EOS
- Jump destination must consist of alphanumeric characters, an
+ Jump destination must consist of alphanumeric characters, an
underscore or a yphen.
EOS
end
if ["accept","reject","drop"].include?(value.downcase)
raise ArgumentError, <<-EOS
- Jump destination should not be one of ACCEPT, REJECT or DENY. Use
+ Jump destination should not be one of ACCEPT, REJECT or DENY. Use
the action property instead.
EOS
end
# NAT specific properties
newproperty(:tosource, :required_features => :snat) do
desc <<-EOS
- When using jump => "SNAT" you can specify the new source address using
+ When using jump => "SNAT" you can specify the new source address using
this parameter.
EOS
end
newproperty(:todest, :required_features => :dnat) do
desc <<-EOS
- When using jump => "DNAT" you can specify the new destination address
+ When using jump => "DNAT" you can specify the new destination address
using this paramter.
EOS
end
# Reject ICMP type
newproperty(:reject, :required_features => :reject_type) do
desc <<-EOS
- When combined with jump => "REJECT" you can specify a different icmp
+ When combined with jump => "REJECT" you can specify a different icmp
response to be sent back to the packet sender.
EOS
end
# Logging properties
newproperty(:log_level, :required_features => :log_level) do
desc <<-EOS
- When combined with jump => "LOG" specifies the system log level to log
+ When combined with jump => "LOG" specifies the system log level to log
to.
EOS
end
newproperty(:log_prefix, :required_features => :log_prefix) do
desc <<-EOS
- When combined with jump => "LOG" specifies the log prefix to use when
+ When combined with jump => "LOG" specifies the log prefix to use when
logging.
EOS
end
end
end
- newproperty(:state, :array_matching => :all, :required_features =>
+ newproperty(:state, :array_matching => :all, :required_features =>
:state_match) do
desc <<-EOS
- Matches a packet based on its state in the firewall stateful inspection
+ Matches a packet based on its state in the firewall stateful inspection
table. Values can be:
* INVALID
# Rate limiting properties
newproperty(:limit, :required_features => :rate_limiting) do
desc <<-EOS
- Rate limiting value for matched packets. The format is:
+ Rate limiting value for matched packets. The format is:
rate/[/second/|/minute|/hour|/day].
Example values are: '50/sec', '40/min', '30/hour', '10/day'."
Read-only property for caching the rule line.
EOS
end
-
+
validate do
debug("[validate]")
end
# First we make sure the chains and tables are valid combinations
- if value(:table).to_s == "filter" &&
+ if value(:table).to_s == "filter" &&
value(:chain) =~ /PREROUTING|POSTROUTING/
self.fail "PREROUTING and POSTROUTING cannot be used in table 'filter'"
self.fail "INPUT and FORWARD cannot be used in table 'nat'"
end
- if value(:table).to_s == "raw" &&
+ if value(:table).to_s == "raw" &&
value(:chain) =~ /INPUT|FORWARD|POSTROUTING/
self.fail "INPUT, FORWARD and POSTROUTING cannot be used in table raw"
# This method takes a string and attempts to convert it to a port number
# if valid.
- #
+ #
# If the string already contains a port number or perhaps a range of ports
# in the format 22:1000 for example, it simply returns the string and does
# nothing.
module Puppet
module Util
class IPCidr < IPAddr
-
+
def netmask
_to_string(@mask_addr)
end
# This hash is for testing a line conversion to a hash of parameters
# which will be used to create a resource.
-ARGS_TO_HASH = {
+ARGS_TO_HASH = {
'long_rule_1' => {
:line => '-A INPUT -s 1.1.1.1 -d 1.1.1.1 -p tcp -m multiport --dports 7061,7062 -m multiport --sports 7061,7062 -m comment --comment "000 allow foo" -j ACCEPT',
:table => 'filter',
:source => "1.1.1.1",
:sport => ["7061","7062"],
:table => "filter",
- },
- },
+ },
+ },
'action_drop_1' => {
:line => '-A INPUT -m comment --comment "000 allow foo" -j DROP',
:table => 'filter',
:params => {
:jump => nil,
:action => "drop",
- },
- },
+ },
+ },
'action_reject_1' => {
:line => '-A INPUT -m comment --comment "000 allow foo" -j REJECT',
:table => 'filter',
:params => {
:jump => nil,
:action => "reject",
- },
+ },
},
'action_nil_1' => {
:line => '-A INPUT -m comment --comment "000 allow foo"',
}
# This hash is for testing converting a hash to an argument line.
-HASH_TO_ARGS = {
+HASH_TO_ARGS = {
'long_rule_1' => {
:params => {
:action => "accept",
:source => "1.1.1.1",
:sport => ["7061","7062"],
:table => "filter",
- },
+ },
:args => ["-t", :filter, "-s", "1.1.1.1", "-d", "1.1.1.1", "-p", :tcp, "-m", "multiport", "--sports", "7061,7062", "-m", "multiport", "--dports", "7061,7062", "-m", "comment", "--comment", "000 allow foo", "-j", "ACCEPT"],
- },
+ },
'long_rule_2' => {
:params => {
:chain => "INPUT",
:source => "1.1.1.1",
:sport => ["7061","7062"],
:table => "filter",
- },
+ },
:args => ["-t", :filter, "-s", "1.1.1.1", "-d", "2.10.13.3/24", "-p", :udp, "-m", "multiport", "--sports", "7061,7062", "-m", "multiport", "--dports", "7061", "-m", "comment", "--comment", "700 allow bar", "-j", "my_custom_chain"],
- },
+ },
'no_action' => {
:params => {
:name => "100 no action",
:table => "filter",
- },
- :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment",
+ },
+ :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment",
"100 no action"],
},
'sport_range_1' => {
:name => "100 sport range",
:sport => ["1-1024"],
:table => "filter",
- },
+ },
:args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--sports", "1:1024", "-m", "comment", "--comment", "100 sport range"],
},
'sport_range_2' => {
:name => "100 sport range",
:sport => ["15","512-1024"],
:table => "filter",
- },
+ },
:args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--sports", "15,512:1024", "-m", "comment", "--comment", "100 sport range"],
},
'dport_range_1' => {
:name => "100 sport range",
:dport => ["1-1024"],
:table => "filter",
- },
+ },
:args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "1:1024", "-m", "comment", "--comment", "100 sport range"],
},
'dport_range_2' => {
:name => "100 sport range",
:dport => ["15","512-1024"],
:table => "filter",
- },
+ },
:args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "15,512:1024", "-m", "comment", "--comment", "100 sport range"],
},
'states_set_from_array' => {
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff