Simon Martin [Thu, 3 Apr 2014 09:33:09 +0000 (10:33 +0100)]
In lib/puppet/provider/firewall/iptables.rb we test on boolean flags when building iptables args:
# If socket is true then do not add the value as -m socket is standalone
if known_booleans.include?(res) then
if resource[res] == :true then
resource_value = nil
else
# If the property is not :true then we don't want to add the value
# to the args list
next
end
end
This evaluates to false on the reap flag in a definition like this:
firewall { '001 rate limit ssh attempts':
port => [22],
proto => tcp,
tcp_flags => "FIN,SYN,RST,ACK SYN",
recent => 'rcheck',
rsource => true,
rname => 'ssh-syn4',
rseconds => 30,
rhitcount => 3,
reap => true,
jump => drop,
}
This is because the value is not defined as a string, so the reap flag is not added to the args. This patch defines reap as a string true or false to match others like rsource.
RHEL 7 replaces legacy init with systemd, and must be treated like
Fedora w/r/t iptables persistence. This patches checks
operatingsystemrelease in addition to operatingsystem in order
to differentiate between RHEL 7 and earlier releases.
Both RHEL 7 and recent Fedora releases require the iptables-services
package to support the commands in lib/puppet/util/firewall.rb.
This also corrects the path to /usr/libexec/iptables/iptables.init.
Lauren Rother [Sat, 1 Mar 2014 01:41:47 +0000 (17:41 -0800)]
Adds "Release Notes/Known Bugs" to Changelog, updates file format to markdown, standardizes the format of previous entries
Per a request to have initial release notes that specifically listed known issues for this PE 3.2 release, and barred by time constraints from automating a pull from open issues in JIRA, this commit adds a Release Note and Known Bug section to the Changelog for the imminent 3.2 release. As it will display on the Forge, updates file type to markdown and standardizes previous entries. Adds template for release notes to be filled in later.
Hunter Haugen [Wed, 19 Feb 2014 23:32:24 +0000 (15:32 -0800)]
Bugfix: Account for rules sorted after unmanaged rules
The offset calculation assumed unmanaged rules are numbered 9000+ and
would be sorted to the end and didn't need to be accounted for. This
caused failures when people used9-numbered rules. This should fix that.
Additionally, for rules that are 9-numbered, they should be ordered
*after* unmanaged rules, so this fixes that too.
So when encountering unmanaged rules, the order will be something like
this:
- Managed rules that begin with 0 through 8
- Unmanaged rules (which are assigned 9-numbers)
- Managed rules that begin with 9 (but not numbered lower than the
unmanaged rules)
Mixing unmanaged rules with managed rules is still not officially
supported, but at least we can try and behave with them.
Hunter Haugen [Tue, 18 Feb 2014 21:13:22 +0000 (13:13 -0800)]
Fix various differences for rhel5
iptables 1.3.5 ships on rhel 5 and is really old. It doesn't support
`--comment` on ip6tables, doesn't support `-m socket` or `--random`, and
the format of netmasks uses subnet mask format instead of CIDR.
Justin Stoller [Sat, 15 Feb 2014 06:20:35 +0000 (22:20 -0800)]
Remove acceptance/basic_spec
This removes the legacy "basic_spec" that was used as an introduction to
module testing. It assumes the FOSS path for the module dir. Since the
default module dir changes in PE depending on whether or not the module
is distributed with PE or not, these basic specs have been removed from
other modules.
Hunter Haugen [Fri, 14 Feb 2014 21:19:54 +0000 (13:19 -0800)]
Use iptables-save and parse the output
`iptables -S` didn't work on older OSs, so the tests have been adapted
for that.
There was one test for the NAT table that I'm not sure what the purpose
was, since it seemed to be testing munge instead. I edited it to get it
to pass.
Hunter Haugen [Mon, 10 Feb 2014 23:53:42 +0000 (15:53 -0800)]
Release 0.5.0
Summary:
This is a bigger release that brings in "recent" connection limiting (think
"port knocking"), firewall chain purging on a per-chain/per-table basis, and
support for a few other use cases. This release also fixes a major bug which
could cause modifications to the wrong rules when unmanaged rules are present.
New Features:
* Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`,
`rname`, `rseconds`, `rsource`, and `rttl`
* Add negation support for source and destination
* Add per-chain/table purging support to `firewallchain`
* IPv4 specific
* Add random port forwarding support
* Add ipsec policy matching via `ipsec_dir` and `ipsec_policy`
* IPv6 specific
* Add support for hop limiting via `hop_limit` parameter
* Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag`
* Add support for conntrack stateful firewall matching via `ctstate`
Bugfixes:
- Boolean fixups allowing false values
- Better detection of unmanaged rules
- Fix multiport rule detection
- Fix sport/dport rule detection
- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
- Allow INPUT with the nat table
- Fix `src_range` & `dst_range` order detection
- Documentation clarifications
- Fixes to spec tests
Hunter Haugen [Thu, 6 Feb 2014 23:47:27 +0000 (15:47 -0800)]
Fix for #286 for pre-existing rules at the start of a chain
In #286 we fixed rule offset detection for existing managed and
unmanaged rules, but in the case where the first rule in a chain was
unmanaged, managed rules were still being inserted under it.
This patch changes it so that if the first rule detected for offset is
unmanaged, then we should insert before that for more consistent
behavior.
Hunter Haugen [Thu, 6 Feb 2014 20:42:46 +0000 (12:42 -0800)]
Fix #300 for match extension protocol
So... #300 fixed matching `-m (tcp|udp)` at the beginning of `-m
multiport` or `--dport` or `--sport` rules, but broke actual *creation*
of those rules because `-m (tcp|udp)` was used as an iptables argument,
which it is not.
This change removes the problematic argument from `@resource_map` and
instead just substitutes `-m (tcp|udp)` out of any existing rules before
matching. The `-m tcp` match extension arguments are optional anyway,
and not needed for iptables functionality and don't change the semantics
at all.
Hunter Haugen [Thu, 6 Feb 2014 00:02:56 +0000 (16:02 -0800)]
(MODULES-451) Match extension protocol for multiport
The `-m (tcp|udp)` match extension flag before multiport `--sport` and
`--dport` flags is considered optional, but may be present on some
rules. This patches the provides recognition of those rules.
Code Review / puppet-modules / puppetlabs-firewall.git / log