From: matt.cover
Date: Fri, 30 Oct 2015 18:32:45 +0000 (-0700)
Subject: Add security table for iptables.
X-Git-Tag: 1.8.0~28^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=46719830310672f4459d24e36d38766b39e570f8;p=puppet-modules%2Fpuppetlabs-firewall.git

Add security table for iptables.
---
diff --git a/lib/puppet/provider/firewallchain/iptables_chain.rb b/lib/puppet/provider/firewallchain/iptables_chain.rb
index df166f6..ec10ecc 100644
--- a/lib/puppet/provider/firewallchain/iptables_chain.rb
+++ b/lib/puppet/provider/firewallchain/iptables_chain.rb
@@ -38,7 +38,7 @@ Puppet::Type.type(:firewallchain).provide :iptables_chain do
 }
 }
 InternalChains = /^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$/
- Tables = 'nat|mangle|filter|raw|rawpost|broute'
+ Tables = 'nat|mangle|filter|raw|rawpost|broute|security'
 Nameformat = /^(.+):(#{Tables}):(IP(v[46])?|ethernet)$/
 
 def create
diff --git a/lib/puppet/type/firewallchain.rb b/lib/puppet/type/firewallchain.rb
index cb2c614..9bdc20f 100644
--- a/lib/puppet/type/firewallchain.rb
+++ b/lib/puppet/type/firewallchain.rb
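Review bot: `Nameformat` now accepts `security` paired with every protocol the regex knows, including `ethernet`, although the security table is an iptables/ip6tables table and ebtables has no such table; the type's validator in this commit likewise restricts only the inbuilt chains for `security`, not the protocol. If an `ethernet` chain in table `security` should be rejected, the check belongs next to the existing BROUTING/`broute`/`ethernet` rule in lib/puppet/type/firewallchain.rb, e.g. `raise ArgumentError, "table 'security' is only available for IPv4 and IPv6" if table == 'security' && protocol == 'ethernet'`. Note that the firewallchain_spec hunk in this commit iterates all three protocols for the new `security` entry, so that spec would need the same decision. The `provide` block this constant lives in starts and ends outside the hunk.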
@@ -41,7 +41,7 @@ Puppet::Type.newtype(:firewallchain) do
 
 validate do |value|
 if value !~ Nameformat then
- raise ArgumentError, "Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'"
+ raise ArgumentError, "Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE, SECURITY or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'"
 else
 chain = $1
 table = $2
@@ -73,6 +73,10 @@ Puppet::Type.newtype(:firewallchain) do
 if chain =~ /^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$/
 raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'broute\''
 end
+ when 'security'
+ if chain =~ /^(PREROUTING|POSTROUTING|BROUTING)$/
+ raise ArgumentError, "INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'security'"
+ end
 end
 if chain == 'BROUTING' && ( protocol != 'ethernet' || table!='broute')
 raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'BROUTE\' with protocol \'ethernet\' i.e. \'broute:BROUTING:enternet\''
diff --git a/spec/unit/puppet/provider/iptables_chain_spec.rb b/spec/unit/puppet/provider/iptables_chain_spec.rb
index e2c0fd3..d8eade2 100755
--- a/spec/unit/puppet/provider/iptables_chain_spec.rb
+++ b/spec/unit/puppet/provider/iptables_chain_spec.rb
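Review bot: The interpolations at the end of the new message, `table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'`, can never carry useful values: this branch runs only when `value !~ Nameformat`, and a failed match resets `$~`, so `$1`–`$3` are nil and the message prints empty quotes. They are also labelled the wrong way round relative to `Nameformat`, whose first group is the chain and second the table, as the `else` branch's `chain = $1` / `table = $2` shows. Since the message already reports `got '#{value}'`, drop the three trailing interpolations, or derive the pieces from `value.split(':', 3)` if they are worth showing. The `validate` block continues outside the hunk.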
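Review bot: The new `when 'security'` guard anchors its regex with `^`/`$`, which in Ruby match at line boundaries rather than string ends; for whole-string validation the idiomatic form is `if chain =~ /\A(PREROUTING|POSTROUTING|BROUTING)\z/`. Here `chain` comes from `Nameformat`'s `(.+)` group, which cannot span a newline, so this is hygiene rather than an exploitable gap, but the adjacent `broute` branch shows how such patterns drift (its alternation is not even grouped). The new branch also uses a double-quoted message where its sibling branches use single quotes; matching the neighbours keeps the `case` uniform. The surrounding `case table` opens before the hunk and the `validate` block ends after it.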
@@ -138,6 +138,9 @@ describe 'iptables chain resource parsing' do
 'NAT:mangle:IPv4',
 'NAT:mangle:IPv4',
 'NAT:mangle:IPv4',
+ 'security:INPUT:IPv4',
+ 'security:FORWARD:IPv4',
+ 'security:OUTPUT:IPv4',
 ':$5()*&%\'"^$): :IPv4',
 ]
 allow(provider).to receive(:execute).with(['/sbin/iptables-save']).and_return('
@@ -184,6 +187,9 @@ COMMIT
 'mangle:OUTPUT:IPv6',
 'mangle:POSTROUTING:IPv6',
 'mangle:ff:IPv6',
+ 'security:INPUT:IPv6',
+ 'security:FORWARD:IPv6',
+ 'security:OUTPUT:IPv6',
 ':INPUT:IPv6',
 ':FORWARD:IPv6',
 ':OUTPUT:IPv6',
diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb
index e627603..0658d63 100755
--- a/spec/unit/puppet/type/firewallchain_spec.rb
+++ b/spec/unit/puppet/type/firewallchain_spec.rb
@@ -30,7 +30,8 @@ describe firewallchain do
 'mangle' => [ 'PREROUTING', 'POSTROUTING', 'INPUT', 'FORWARD', 'OUTPUT' ],
 'filter' => ['INPUT','OUTPUT','FORWARD'],
 'raw' => [ 'PREROUTING', 'OUTPUT'],
- 'broute' => ['BROUTING']
+ 'broute' => ['BROUTING'],
+ 'security' => ['INPUT','OUTPUT','FORWARD']
 }.each_pair do |table, allowedinternalchains|
 ['IPv4', 'IPv6', 'ethernet'].each do |protocol|
 [ 'test', '$5()*&%\'"^$09):' ].each do |chainname|
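Review bot: The new expectations read `'security:INPUT:IPv4'`, i.e. table first, whereas their IPv4 neighbours (`'NAT:mangle:IPv4'`) and the type's `Nameformat` put the chain first (`{chain}:{table}:{protocol}`); the `@@ -184` hunk adds the same order next to entries such as `'mangle:OUTPUT:IPv6'`, so the two lists are not written in one notation. If these lists hold expected firewallchain titles, the new entries should probably be `'INPUT:security:IPv4'` and so on, and the stubbed iptables-save output (the `and_return('` line at the end of the first hunk) would need a `*security` block for them to be found — this diff does not change that stub, so please confirm against the rest of the spec. The lists' opening brackets are outside the hunks.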