Ken Barber [Wed, 20 Jun 2012 17:26:05 +0000 (18:26 +0100)]
(#14755) Stub iptables_version for now so tests run on non-Linux hosts
Without a stub some tests fail on non-Linux hosts. This is because they are
expecting a particular version of iptables to exist which isn't always true.
The right answer for the provider is to actually allow the fact to be set
per test, but for now we are doing a global override just to make tests pass.
Dan Carley [Thu, 24 May 2012 18:02:06 +0000 (19:02 +0100)]
(#9364 #10085) Normalise iptables-save to CIDR
Normalise all source and destination addresses to CIDR notation as they are
reverse-parsed from iptables-save. This ensures that they match how
addresses are forward-parsed by the type with Util::Firewall.host_to_ip.
Fixes two issues which both principally affect EL5 and may affect other
providers in the future.
Issue #9364:
Single IP addresses not representing a range should be qualified in CIDR
notation with /32 for IPv4 and /128 for IPv6.
Issue #10085:
Addresses with a dotted quad netmask representing a range should be
qualifed with in CIDR notation instead.
Dan Carley [Thu, 24 May 2012 17:57:46 +0000 (18:57 +0100)]
(#9364 #10085) Convert an existing test to CIDR
Modify an existing test which has a source IP address without CIDR notation.
This will break after normalisation because [:params][:source] is expected
to be CIDR. Updating -s within [:line] too, since we aren't explcitly testing
that behaviour with this fixture.
Dan Carley [Fri, 25 May 2012 06:41:36 +0000 (07:41 +0100)]
(#10274) Nullify addresses with zero prefixlen
Modify the behaviour of Util::Firewall.host_to_ip, as used by the type to
parse source and destination addresses, to return nil if the resulting CIDR
represented address has a prefix length of zero. Includes type and provider
tests for IPv4 and IPv6.
IPtables silently omits rules with source and destination addresses that
have a prefix length of zero (eg. 0.0.0.0/0) because they are functionally
equivialent to not specifying any address. This was causing rules to be
unecessarily reloaded.
The behaviour of Util::IPcidr remains the same. Now includes some additional
tests for it's identification of zero prefixlen IPv4 and IPv6 addresses.
Sharif Nassar [Sat, 21 Jan 2012 01:22:16 +0000 (17:22 -0800)]
(#14590) Fix for when iptables-save spews out "FATAL" errors.
On some broken Virtuozzo containers, /lib/modules/$(uname -r)/modules.dep is
absent. This causes iptables-save to give some "FATAL" errors. This patch
fixes the parser to ignore them instead of generating garbage rules that make
for errors in the puppet agent run.
Ken Barber [Sun, 13 May 2012 21:52:58 +0000 (22:52 +0100)]
Merge branch 'ticket/master/14455'
* ticket/master/14455:
(#14455) Add tests for interface names containing a "+". Add a few missing tests for VLAN support.
(#14455) Support interface names containing "+"
Dan Carley [Mon, 26 Mar 2012 08:44:38 +0000 (01:44 -0700)]
Merge pull request #69 from kbarber/ticket/10619-Unable_to_purge_rules
* (#10619) Add the table when deleting rules
* (#10619) Fix tests since we are now prefixing -t <table> during delete
* Fix extraneous trailing whitespace
Ken Barber [Mon, 19 Mar 2012 17:44:48 +0000 (17:44 +0000)]
(#13216) Fix README so setup instructions actually work
The old setup instructions were vague, and incorrect. This fixes those
instructions so they actually work, and breaks them out into their own
section.(#13216) Fix README so setup instructions actually work
Dan Carley [Sat, 17 Mar 2012 11:00:56 +0000 (11:00 +0000)]
(#13201) Firewall autorequire Firewallchains
Autorequire Firewallchain resources for Firewall resources that have jump or
chain parameters. Remove require params from README examples now that
they're not essential.
Only deals with iptables and ip6tables providers, which have support for
chains. Doesn't attempt to weed out chains that might be builtin. Just let
Puppet determine which of the resources are really managed.
Ken Barber [Mon, 12 Mar 2012 04:16:33 +0000 (21:16 -0700)]
(#10162) Various fixes for firewallchain resource
* Convert commands to optional_commands to avoid iptables installation chicken
& egg scenarios.
* Downcase tables to match the table names in xtables
* Force fully qualifying the name as <table>:<chain>:<protocol>, we can add
meaningful defaults later.
* puppet resource <name> command wasn't working as expected, but stripping out
some of the meaningful defaults I was able to get this to work.
* Reformat some of the code to avoid overrunning 80 chars where possible
* Remove trailing whitespace
* Add flush to provider so that resource modifications immediately update the
resource in reports and when using puppet resource.
* Removed any commented out code
* Improved documentation
* Change policy so its undefined when not set, instead of being :empty
* Fix test mocking so they will run on a Mac
Daniel Black [Thu, 1 Mar 2012 01:46:02 +0000 (12:46 +1100)]
(#10162) add firewallchain type and iptables_chain provider
Add firewallchain type and iptables_chain provider. This is required
to support the firewall class and it is envisaged that an autorequire
will be used to automatically require the user chain. This type can also set
policies on inbuilt chains.
Dan Carley [Fri, 9 Mar 2012 09:13:33 +0000 (09:13 +0000)]
(#10164) Reject and document icmp => "any"
iptables accepts the string "any" as an ICMP type and stores it behind the
scenes as the fake (IANA reserved) numeric 255. This is functionally
equivalent to not specifying an `--icmp-type` argument.
ip6tables didn't carry this "feature" over. Like many other providers, the
matching of any ICMP packet type is only achieved by omitting the
`--icmpv6-type` arugment.
For the purpose of simpler logic and future provider compatibility we
prevent people from using the value "any" and advise them to omit/undefine
the param instead.
Include a test that somewhat duplicates the prevention of invalid strings
but would preserve this behaviour should icmp_name_to_number() ever change.
Johan Huysmans [Mon, 12 Dec 2011 09:34:43 +0000 (10:34 +0100)]
(#11334) Add support for MARK target and set-mark property.
This commit adds support for the set-mark iptables property and will validate
its use against the MARK jump target. This will also support handling decimal
or hexadecimal conversion where necessary.
Sharif Nassar [Sat, 12 Nov 2011 13:31:11 +0000 (05:31 -0800)]
(#10984) Initial creation of class firewall
* Add Exec[firewall-persist] to save rules. This allows the host to
have iptables rules on reboot, before puppet runs.
* Debian hates you. Add iptables init scripts for loading iptables at
boot on releases of Debian that do not have them already.
* Add brains to the iptables/ip6tables providers to ensure kernel modules
are loaded.
Jonathan Boyett [Thu, 17 Nov 2011 17:43:19 +0000 (09:43 -0800)]
(#10723) Munge hostnames and IPs to IPs with CIDR
Previously when hostnames were used in the source and destination properties
they were being converted to IP address by iptables. This meant that later
comparisons were failing because the property in code (a hostname) and the
'real' property returned by introspection (an ip address) were not matching.
This code using the munge facility will automatically detect and convert
hostnames to IP addresses in the type so the comparison works as expected.
The side-effect is that puppet does the hostname to IP conversion, not
iptables.
Jonathan Boyett [Thu, 1 Dec 2011 02:52:35 +0000 (18:52 -0800)]
(#11093) Improve log_level property so it converts names to numbers
Previously the log_level property was constantly reloading due to the fact
that iptables was converting names to numbers. So unless you were using
numbers in your log_level setting, it was constantly telling you it needed
to be changed.
Now we convert the names to numbers in the munge so when comparing it will
always hopefully match.
Also, the default value when the jump value is 'LOG' is now set to 4 (warn)
based on iptables own defaults.
Chris Boulton [Mon, 24 Oct 2011 06:27:31 +0000 (17:27 +1100)]
(#9082) Sort iptables --state option values internally to keep it consistent across runs
Previously we were getting multiple re-runs due to the fact that iptables
returns a different order with iptables-save then what was used when creating
the rule.
This patch fixes that by sorting states with should=.
Added unit tests to ensure states are correctly sorted. Also added comments in
code to ensure people understand why
Code Review / puppet-modules / puppetlabs-firewall.git / log