Jonathan Boyett [Thu, 17 Nov 2011 17:43:19 +0000 (09:43 -0800)]
(#10723) Munge hostnames and IPs to IPs with CIDR
Previously when hostnames were used in the source and destination properties
they were being converted to IP address by iptables. This meant that later
comparisons were failing because the property in code (a hostname) and the
'real' property returned by introspection (an ip address) were not matching.
This code using the munge facility will automatically detect and convert
hostnames to IP addresses in the type so the comparison works as expected.
The side-effect is that puppet does the hostname to IP conversion, not
iptables.
Jonathan Boyett [Thu, 1 Dec 2011 02:52:35 +0000 (18:52 -0800)]
(#11093) Improve log_level property so it converts names to numbers
Previously the log_level property was constantly reloading due to the fact
that iptables was converting names to numbers. So unless you were using
numbers in your log_level setting, it was constantly telling you it needed
to be changed.
Now we convert the names to numbers in the munge so when comparing it will
always hopefully match.
Also, the default value when the jump value is 'LOG' is now set to 4 (warn)
based on iptables own defaults.
Chris Boulton [Mon, 24 Oct 2011 06:27:31 +0000 (17:27 +1100)]
(#9082) Sort iptables --state option values internally to keep it consistent across runs
Previously we were getting multiple re-runs due to the fact that iptables
returns a different order with iptables-save then what was used when creating
the rule.
This patch fixes that by sorting states with should=.
Added unit tests to ensure states are correctly sorted. Also added comments in
code to ensure people understand why
Ken Barber [Wed, 26 Oct 2011 10:24:33 +0000 (12:24 +0200)]
(#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
This patch suggested by Dan Carley will work-around the puppet/util error
specified in bug #4248 by loading relative paths instead.
This also fixes the load errors related to running the resource in a standalone
puppet case as well.
If the load fails for some reason, we fall back to the normal load behaviour.
This order is important as we want to load libraries before sync in case the
user has disabled pluginsync in the meantime. This will ensure we attempt to
get the latest copy, but have a fall back just in case.
I believe this fix will need to be applied for some time to support older Puppet
versions.
I've updated the documentation to provide more thorough instructions for
cases where people are using environments, and to tell people to pluginsync
on the master and potentially restart their puppetmaster first just in case.
Ken Barber [Tue, 11 Oct 2011 17:29:17 +0000 (18:29 +0100)]
(#10002) Change to dport and sport to handle ranges, and fix handling of name to port.
We hadn't been allowing ranges of the kind 22:1000 for ranges. This patch
fixes that. Thanks to Jason Hancock for finding this issue and providing a sample
patch.
Instead of using colon though, it was decided we would use a hyphen to specify a range
as its more agnostic. This patch does the filtering for both writing the rule and
reading the rule.
Also - the way we were doing name to port conversion had been broken. I found
this out while fixing the ranges, and have now fixed it and added tests.
Ken Barber [Tue, 25 Oct 2011 09:10:42 +0000 (10:10 +0100)]
(#10263) Fix tests on Puppet 2.6.x
Due to the lack of Puppet::Test::LogCollector class, tests fail on puppet
2.6.x. Instead of just using the class, I'm testing its existance first
and only using it if it exists. Otherwise, I'm going to fall back to 2.6.x
methodology.
This seems to make tests work on 2.6.7 (and up) and 2.7.1 (and up) which is
sufficient for now.
Ken Barber [Wed, 19 Oct 2011 07:57:48 +0000 (08:57 +0100)]
(#10163) Cleanup some of the inline documentation and README file to align with general forge usage.
* The README.markdown file had a lot of property information that was
duplicated in the type itself. The README.markdown file has more info in
some cases, I have moved this into the type.
* The README.markdown lacked documentation on how to install the module using
the forge which meant users accessing it via github would be inclined to
download the development version from github instead.
* Cleaned up doc string alignments and made it consistent with all types.
Ken Barber [Mon, 10 Oct 2011 07:11:27 +0000 (08:11 +0100)]
(#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter.
This commit introduces the new 'action' parameter which is designed to designate
the action to take when a match succeeds. This is a cross-platform parameter and
for the values 'accept','drop','reject' it will take the place of the existing
jump parameter.
The jump parameter is deemed as an iptables specific parameter so by splitting
out this parameter for common actions it allows us to extend the firewall
resource to include other providers much more easily in the future. By having
such a common parameter we will be able to compare resources between boxes that
may have different firewall implementations.
The new behaviour is to force the usage for action parameter, and using
'accept', 'drop' or 'reject' for jump will now no longer work.
Also - the default of 'accept' for jump has been removed which means you MUST
specify an action if you want your rule to do something. Without an action the
rule will match, but do nothing (so only useful for keeping counters generally).
To aid in the testing of this new property I've added new ways to test converting
iptables rules to hashes and hashes to general_args. This should simplify the
testing of new bugs as well.
Ken Barber [Fri, 14 Oct 2011 10:13:10 +0000 (12:13 +0200)]
(#10088) Provide a customised version of CONTRIBUTING.md
The goal here is to provide some clear documentation to point contributors
at when they want to submit code. This document is a copy of the facter one,
slight modified for puppetlabs-firewall.
Ken Barber [Tue, 11 Oct 2011 19:21:54 +0000 (20:21 +0100)]
(#10026) Re-arrange provider and type spec files to align with Puppet.
If moved the spec files now under 'puppet' to align with how Puppet does it. This
also makes more sense as this lines up with the module/class names now.
The iptables_type_spec.rb is now just firewall_type.rb to designate it is for
the generic firewall type.
iptables_prov_spec.rb is now iptables_spec.rb. The provider part is implicit
in the path.
Jonathan Boyett [Wed, 28 Sep 2011 20:55:02 +0000 (13:55 -0700)]
(#9439) fix parsing and deleting existing rules
Previously we hadn't been able to parse existing rules that were missing
a comment field. This patch fixes that by using an MD5 hash of the iptables
raw line as the name of the property.
We have also cleaned up the way we delete arguments by adding a new
delete_args function to return valid delete_args. Instead of having to work
out the rule order we now just delete the rule based on the specification.
Ken Barber [Sun, 18 Sep 2011 21:28:11 +0000 (22:28 +0100)]
(#9583) Fix provider detection for gentoo and unsupported linuxes for the iptables provider.
Previously we had fairly specific confine settings for named distributions
of linux for the iptables provider. This was silly, since the commands
defined in the provider should be enough to confine the provider to Linux
only systems.
I've removed the confine, and replaced the defaultfor to be:
:kernel => :linux
Which should avoid the need to keep adding extra Linux distributions.
I've also added some spec tests for provider detection which should help
catch any failures around the command based detection in the future.
Ken Barber [Sat, 17 Sep 2011 22:46:35 +0000 (23:46 +0100)]
(#9576) Stub iptables type so it will execute on platforms other then linux.
This change will help us target other platforms for this type. I've also
removed old helpers to align with Puppet core spec_helper. While this might
seem more invconvenient it provides more consistency with core Puppet type
testing.
Ken Barber [Sat, 17 Sep 2011 22:40:53 +0000 (23:40 +0100)]
(#9576) Align spec framework with Puppet core.
The point of this change is to align the spec testing behaviour with Puppet core
so we can get similar behaviour and less problems if we ever want to move this
type into core.
Ken Barber [Sat, 16 Jul 2011 19:19:49 +0000 (21:19 +0200)]
Removed iptables stuff, introduced features and cleaned up docs & validation.
I've removed a lot of iptables specific stuff from the type, also
allowed any chain to be defined in :chain or :jump so we can support
user chains.
A lot of the documentation for the type has been cleaned up a little
and validation has been simplified where applicable.
This commit brings in the usage of features so we can start to introduce
more backend providers. The work is just a start for now and will
probably radically change once we have other working providers in
place.
Code Review / puppet-modules / puppetlabs-firewall.git / log