has_feature :dnat
has_feature :interface_match
has_feature :icmp_match
+ has_feature :owner
has_feature :state_match
has_feature :reject_type
has_feature :log_level
:burst => "--limit-burst",
:destination => "-d",
:dport => "-m multiport --dports",
+ :gid => "-m owner --gid-owner",
:icmp => "-m icmp6 --icmpv6-type",
:iniface => "-i",
:jump => "-j",
:todest => "--to-destination",
:toports => "--to-ports",
:tosource => "--to-source",
+ :uid => "-m owner --uid-owner",
}
+ # This is the order of resources as they appear in iptables-save output,
+ # we need it to properly parse and apply rules, if the order of resource
+ # changes between puppet runs, the changed rules will be re-applied again.
+ # This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
+ :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
:todest, :tosource, :toports, :log_level, :log_prefix, :reject]
end
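Review bot: The `@resource_list` order at L26 puts `:gid` ahead of `:uid`; to my recollection libxt_owner's save routine prints `--uid-owner` before `--gid-owner`, in which case a rule that sets both would parse back from iptables-save in the opposite order from the one the provider emits and, as the new comment itself warns, be re-applied on every run. Confirm against real iptables-save output for a rule carrying both owners and order the two symbols to match; L54 makes the same change for the iptables provider. The comment wording "if the order of resource changes" reads better as "if the order of resources changes", and the same four-line comment is duplicated verbatim at L48–L51.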
has_feature :dnat
has_feature :interface_match
has_feature :icmp_match
+ has_feature :owner
has_feature :state_match
has_feature :reject_type
has_feature :log_level
:burst => "--limit-burst",
:destination => "-d",
:dport => "-m multiport --dports",
+ :gid => "-m owner --gid-owner",
:icmp => "-m icmp --icmp-type",
:iniface => "-i",
:jump => "-j",
:todest => "--to-destination",
:toports => "--to-ports",
:tosource => "--to-source",
+ :uid => "-m owner --uid-owner",
}
+ # This is the order of resources as they appear in iptables-save output,
+ # we need it to properly parse and apply rules, if the order of resource
+ # changes between puppet runs, the changed rules will be re-applied again.
+ # This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
def insert
feature :dnat, "Destination NATing"
feature :interface_match, "Interface matching"
feature :icmp_match, "Matching ICMP types"
+ feature :owner, "Matching owners"
feature :state_match, "Matching stateful firewall states"
feature :reject_type, "The ability to control reject messages"
feature :log_level, "The ability to control the log level"
newvalue(/^\d+$/)
end
+ newproperty(:uid, :array_matching =>:all, :required_features => :owner) do
+ desc <<-EOS
+ UID or Username owner matching rule. Accepts a string argument
+ only, as iptables does not accept multiple uid in a single
+ statement.
+ EOS
+ end
+
+ newproperty(:gid, :array_matching =>:all, :required_features => :owner) do
+ desc <<-EOS
+ GID or Group owner matching rule. Accepts a string argument
+ only, as iptables does not accept multiple gid in a single
+ statement.
+ EOS
+ end
+
newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.
end
end
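Review bot: Both new properties declare `:array_matching => :all` while their desc says only a single string is accepted, and nothing enforces that: a manifest giving `uid => ['root', 'bobby']` is accepted by the type and only fails later when iptables rejects the generated rule, which the spec examples at L202 and L210 even codify as "breaking iptables". Reject multi-valued input in the type-level validate block (the hunk starting at L87) with `self.fail "Parameter uid accepts a single value" if Array(value(:uid)).size > 1` and the same line for `gid`, and flip those two examples to expect `Puppet::Error`. Minor style: `:array_matching =>:all` is missing the space after `=>` in both declarations.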
+ if value(:uid)
+ unless value(:chain).to_s =~ /OUTPUT|POSTROUTING/
+ self.fail "Parameter uid only applies to chains " \
+ "OUTPUT,POSTROUTING"
+ end
+ end
+
+ if value(:gid)
+ unless value(:chain).to_s =~ /OUTPUT|POSTROUTING/
+ self.fail "Parameter gid only applies to chains " \
+ "OUTPUT,POSTROUTING"
+ end
+ end
+
if value(:dport)
unless value(:proto).to_s =~ /tcp|udp|sctp/
self.fail "[%s] Parameter dport only applies to sctp, tcp and udp " \
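Review bot: The failure messages at L89 and L96 omit the `[%s]` resource-name prefix that the neighbouring dport message at L103 carries, so an operator reading the agent log cannot tell which firewall resource was rejected; format them the same way (the format argument for the dport message is outside the hunk). The two blocks differ only in the parameter name and can be one loop over `[:uid, :gid]`, as below. Note also that `/OUTPUT|POSTROUTING/` is an unanchored substring match, mirroring the existing `/tcp|udp|sctp/` check: if the intent is the built-in chains only it should be `/\A(OUTPUT|POSTROUTING)\z/`, and if user-defined chains reached from OUTPUT or POSTROUTING are meant to pass, a name test is not the right check at all and the intent should be stated in a comment. The enclosing validate block starts and continues outside the hunk.
```ruby
[:uid, :gid].each do |owner|
  next unless value(owner)
  unless value(:chain).to_s =~ /OUTPUT|POSTROUTING/
    self.fail "Parameter #{owner} only applies to chains " \
      "OUTPUT,POSTROUTING"
  end
end
# … unchanged: dport check and the rest of validate …
```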
:table => 'filter',
:params => {
:proto => 'ipencap',
+ }
+ },
+ 'load_uid_owner_filter_module' => {
+ :line => '-A OUTPUT -m owner --uid-owner root -m comment --comment "057 OUTPUT uid root only" -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :action => 'accept',
+ :uid => 'root',
+ :chain => 'OUTPUT',
+ },
+ },
+ 'load_uid_owner_postrouting_module' => {
+ :line => '-t mangle -A POSTROUTING -m owner --uid-owner root -m comment --comment "057 POSTROUTING uid root only" -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :uid => 'root',
+ },
+ },
+ 'load_gid_owner_filter_module' => {
+ :line => '-A OUTPUT -m owner --gid-owner root -m comment --comment "057 OUTPUT gid root only" -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :gid => 'root',
+ },
+ },
+ 'load_gid_owner_postrouting_module' => {
+ :line => '-t mangle -A POSTROUTING -m owner --gid-owner root -m comment --comment "057 POSTROUTING gid root only" -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :gid => 'root',
},
},
}
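Review bot: The parsing fixtures at L110, L119, L128 and L137 feed the provider `--uid-owner root` / `--gid-owner root`; to my recollection iptables-save emits the numeric id (`--uid-owner 0`) rather than the name, so these fixtures exercise input the provider will not see in practice, and a manifest specifying `root` may compare unequal to the saved rule and be re-applied every run. Confirm what iptables-save actually prints, add a fixture with a numeric owner alongside these, and state in a comment on the fixture whether the provider is expected to normalise names to ids.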
},
:args => ['-t', :filter, '-p', :ipencap, '-m', 'comment', '--comment', '0100 INPUT accept ipencap'],
},
+ 'load_uid_owner_filter_module' => {
+ :params => {
+ :name => '057 OUTPUT uid root only',
+ :table => 'filter',
+ :uid => 'root',
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :proto => 'all',
+ },
+ :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-m', 'comment', '--comment', '057 OUTPUT uid root only', '-j', 'ACCEPT'],
+ },
+ 'load_uid_owner_postrouting_module' => {
+ :params => {
+ :name => '057 POSTROUTING uid root only',
+ :table => 'mangle',
+ :uid => 'root',
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :proto => 'all',
+ },
+ :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING uid root only', '-j', 'ACCEPT'],
+ },
+ 'load_gid_owner_filter_module' => {
+ :params => {
+ :name => '057 OUTPUT gid root only',
+ :table => 'filter',
+ :chain => 'OUTPUT',
+ :gid => 'root',
+ :action => 'accept',
+ :proto => 'all',
+ },
+ :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 OUTPUT gid root only', '-j', 'ACCEPT'],
+ },
+ 'load_gid_owner_postrouting_module' => {
+ :params => {
+ :name => '057 POSTROUTING gid root only',
+ :table => 'mangle',
+ :gid => 'root',
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :proto => 'all',
+ },
+ :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING gid root only', '-j', 'ACCEPT'],
+ },
}
}.should raise_error(Puppet::Error, /^Only one of the parameters 'action' and 'jump' can be set$/)
end
end
+ describe ':gid and :uid' do
+ it 'should allow me to set uid' do
+ @resource[:uid] = 'root'
+ @resource[:uid].should == ['root']
+ end
+ it 'should allow me to set uid as an array, breaking iptables' do
+ @resource[:uid] = ['root', 'bobby']
+ @resource[:uid].should == ['root', 'bobby']
+ end
+ it 'should allow me to set gid' do
+ @resource[:gid] = 'root'
+ @resource[:gid].should == ['root']
+ end
+ it 'should allow me to set gid as an array, breaking iptables' do
+ @resource[:gid] = ['root', 'bobby']
+ @resource[:gid].should == ['root', 'bobby']
+ end
+ end
end
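Review bot: The new examples only check assignment round-trips; nothing exercises the chain restriction this commit adds to the type's validate block, so a regression there would go unnoticed. Add an example that builds the resource with `:uid => 'root', :chain => 'INPUT'` (and one for `:gid`) and expects `Puppet::Error` with the "only applies to chains" message, in the style of the action/jump example ending at L194; whether validate runs on `@resource[:uid] =` assignment or only at construction depends on how `@resource` is created, which is outside the hunk. The two "breaking iptables" examples at L202 and L210 pin down behaviour the property's own desc says is unsupported.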