Dan Carley [Thu, 24 May 2012 17:57:46 +0000 (18:57 +0100)]
(#9364 #10085) Convert an existing test to CIDR
Modify an existing test which has a source IP address without CIDR notation.
This will break after normalisation because [:params][:source] is expected
to be CIDR. Updating -s within [:line] too, since we aren't explicitly testing
that behaviour with this fixture.
Dan Carley [Fri, 25 May 2012 06:41:36 +0000 (07:41 +0100)]
(#10274) Nullify addresses with zero prefixlen
Modify the behaviour of Util::Firewall.host_to_ip, as used by the type to
parse source and destination addresses, to return nil if the resulting CIDR
represented address has a prefix length of zero. Includes type and provider
tests for IPv4 and IPv6.
IPtables silently omits rules with source and destination addresses that
have a prefix length of zero (e.g. 0.0.0.0/0) because they are functionally
equivalent to not specifying any address. This was causing rules to be
unnecessarily reloaded.
The behaviour of Util::IPcidr remains the same. Now includes some additional
tests for its identification of zero prefixlen IPv4 and IPv6 addresses.
Sharif Nassar [Sat, 21 Jan 2012 01:22:16 +0000 (17:22 -0800)]
(#14590) Fix for when iptables-save spews out "FATAL" errors.
On some broken Virtuozzo containers, /lib/modules/$(uname -r)/modules.dep is
absent. This causes iptables-save to give some "FATAL" errors. This patch
fixes the parser to ignore them instead of generating garbage rules that make
for errors in the puppet agent run.
Ken Barber [Sun, 13 May 2012 21:52:58 +0000 (22:52 +0100)]
Merge branch 'ticket/master/14455'
* ticket/master/14455:
(#14455) Add tests for interface names containing a "+". Add a few missing tests for VLAN support.
(#14455) Support interface names containing "+"
Dan Carley [Mon, 26 Mar 2012 08:44:38 +0000 (01:44 -0700)]
Merge pull request #69 from kbarber/ticket/10619-Unable_to_purge_rules
* (#10619) Add the table when deleting rules
* (#10619) Fix tests since we are now prefixing -t <table> during delete
* Fix extraneous trailing whitespace
Ken Barber [Mon, 19 Mar 2012 17:44:48 +0000 (17:44 +0000)]
(#13216) Fix README so setup instructions actually work
The old setup instructions were vague, and incorrect. This fixes those
instructions so they actually work, and breaks them out into their own
section.
Dan Carley [Sat, 17 Mar 2012 11:00:56 +0000 (11:00 +0000)]
(#13201) Firewall autorequire Firewallchains
Autorequire Firewallchain resources for Firewall resources that have jump or
chain parameters. Remove require params from README examples now that
they're not essential.
Only deals with iptables and ip6tables providers, which have support for
chains. Doesn't attempt to weed out chains that might be builtin. Just let
Puppet determine which of the resources are really managed.
Ken Barber [Mon, 12 Mar 2012 04:16:33 +0000 (21:16 -0700)]
(#10162) Various fixes for firewallchain resource
* Convert commands to optional_commands to avoid iptables installation chicken
& egg scenarios.
* Downcase tables to match the table names in xtables
* Force fully qualifying the name as <table>:<chain>:<protocol>, we can add
meaningful defaults later.
* puppet resource <name> command wasn't working as expected, but by stripping out
  some of the meaningful defaults I was able to get this to work.
* Reformat some of the code to avoid overrunning 80 chars where possible
* Remove trailing whitespace
* Add flush to provider so that resource modifications immediately update the
resource in reports and when using puppet resource.
* Removed any commented out code
* Improved documentation
* Change policy so it's undefined when not set, instead of being :empty
* Fix test mocking so they will run on a Mac
Daniel Black [Thu, 1 Mar 2012 01:46:02 +0000 (12:46 +1100)]
(#10162) add firewallchain type and iptables_chain provider
Add firewallchain type and iptables_chain provider. This is required
to support the firewall class and it is envisaged that an autorequire
will be used to automatically require the user chain. This type can also set
policies on inbuilt chains.
Dan Carley [Fri, 9 Mar 2012 09:13:33 +0000 (09:13 +0000)]
(#10164) Reject and document icmp => "any"
iptables accepts the string "any" as an ICMP type and stores it behind the
scenes as the fake (IANA reserved) numeric 255. This is functionally
equivalent to not specifying an `--icmp-type` argument.
ip6tables didn't carry this "feature" over. Like many other providers, the
matching of any ICMP packet type is only achieved by omitting the
`--icmpv6-type` argument.
For the purpose of simpler logic and future provider compatibility we
prevent people from using the value "any" and advise them to omit/undefine
the param instead.
Include a test that somewhat duplicates the prevention of invalid strings
but would preserve this behaviour should icmp_name_to_number() ever change.
Johan Huysmans [Mon, 12 Dec 2011 09:34:43 +0000 (10:34 +0100)]
(#11334) Add support for MARK target and set-mark property.
This commit adds support for the set-mark iptables property and will validate
its use against the MARK jump target. This will also support handling decimal
or hexadecimal conversion where necessary.
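As an added example (not the module's own code): one way to normalise a MARK value so that a manifest written in decimal ("16"), hex ("0x10"), with or without a mask, always compares equal to the "0xVALUE/0xMASK" form that iptables-save prints for the target, plus the validation that set_mark is only meaningful with jump => 'MARK'. The function names and the default mask of 0xffffffff are assumptions for illustration.

```ruby
# Parse a decimal or "0x"-prefixed hexadecimal string into a 32-bit unsigned value.
# Bases are chosen explicitly so that a leading zero ("010") is read as decimal,
# not octal as a bare Integer() call would do.
def to_u32(str)
  n = str =~ /\A0x/i ? Integer(str, 16) : Integer(str, 10)
  raise ArgumentError, "#{str} is not a 32-bit value" unless n.between?(0, 0xffffffff)
  n
end

# Normalise "mark[/mask]" to the "0xVALUE/0xMASK" form shown by iptables-save.
# A missing mask is assumed to mean the full 32 bits (0xffffffff).
def normalise_mark(value)
  mark, mask = value.to_s.strip.split('/', 2)
  m  = to_u32(mark)
  mk = mask ? to_u32(mask) : 0xffffffff
  format('0x%x/0x%x', m, mk)
end

# Type-level validation (hypothetical helper): set_mark without the MARK target
# is a configuration error, so refuse it rather than let iptables ignore it.
def validate_set_mark(jump, set_mark)
  return true if set_mark.nil?
  unless jump == 'MARK'
    raise ArgumentError, "set_mark is only valid with jump => 'MARK' (got #{jump.inspect})"
  end
  true
end
```

With this in place, a rule declared as set_mark => '16/0xff' and the saved rule reporting --set-xmark 0x10/0xff are the same resource state and no reload is triggered.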
Sharif Nassar [Sat, 12 Nov 2011 13:31:11 +0000 (05:31 -0800)]
(#10984) Initial creation of class firewall
* Add Exec[firewall-persist] to save rules. This allows the host to
have iptables rules on reboot, before puppet runs.
* Debian hates you. Add iptables init scripts for loading iptables at
boot on releases of Debian that do not have them already.
* Add brains to the iptables/ip6tables providers to ensure kernel modules
are loaded.
Jonathan Boyett [Thu, 17 Nov 2011 17:43:19 +0000 (09:43 -0800)]
(#10723) Munge hostnames and IPs to IPs with CIDR
Previously when hostnames were used in the source and destination properties
they were being converted to IP addresses by iptables. This meant that later
comparisons were failing because the property in code (a hostname) and the
'real' property returned by introspection (an ip address) were not matching.
This code using the munge facility will automatically detect and convert
hostnames to IP addresses in the type so the comparison works as expected.
The side-effect is that puppet does the hostname to IP conversion, not
iptables.
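As an added example serving both the #10723 munge above and the #10274 zero-prefixlen change earlier in this log (example code, not the module's Util::Firewall.host_to_ip): normalise a source/destination value to "address/prefixlen", resolving hostnames in Puppet rather than leaving it to iptables, and return nil when the prefix length is zero because iptables omits such an address from the saved rule. The resolver: keyword is a hypothetical hook so the hostname path can be exercised offline with a stub; it defaults to the system resolver via Resolv.

```ruby
require 'ipaddr'
require 'resolv'

# Normalise a firewall source/destination to CIDR form, or nil.
#
# - "10.0.0.1"        -> "10.0.0.1/32"
# - "10.0.0.1/8"      -> "10.0.0.0/8"   (host bits masked, as iptables-save prints it)
# - "0.0.0.0/0", "::/0" -> nil          (matching any address == no address at all)
# - "db.example.test" -> resolved address with /32 (or /128 for IPv6)
#
# +resolver+ is an assumed hook: a callable taking a hostname and returning an
# address string. It defaults to Resolv so real manifests resolve normally.
def host_to_cidr(value, resolver: ->(h) { Resolv.getaddress(h) })
  return nil if value.nil?
  str = value.to_s.strip
  return nil if str.empty?

  ip = begin
    IPAddr.new(str)
  rescue IPAddr::InvalidAddressError
    # Not an address literal: treat it as a hostname, keeping any "/prefix"
    # suffix the user attached ("db.example.test/24").
    host, prefix = str.split('/', 2)
    resolved = IPAddr.new(resolver.call(host))
    prefix ? IPAddr.new("#{resolved}/#{prefix}") : resolved
  end

  prefixlen = ip.prefix
  # A zero prefix length is silently dropped by iptables, so keeping it in the
  # desired state would make every run report a change.
  return nil if prefixlen.zero?
  "#{ip}/#{prefixlen}"
end
```

Because the hostname is resolved on the Puppet side, the value compared against iptables-save is the same kind of thing on both sides (an address with a prefix), which is what stops the spurious reloads the commit describes.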
Jonathan Boyett [Thu, 1 Dec 2011 02:52:35 +0000 (18:52 -0800)]
(#11093) Improve log_level property so it converts names to numbers
Previously the log_level property was constantly reloading due to the fact
that iptables was converting names to numbers. So unless you were using
numbers in your log_level setting, it was constantly telling you it needed
to be changed.
Now we convert the names to numbers in the munge so when comparing it will
always hopefully match.
Also, the default value when the jump value is 'LOG' is now set to 4 (warn)
based on iptables own defaults.
Chris Boulton [Mon, 24 Oct 2011 06:27:31 +0000 (17:27 +1100)]
(#9082) Sort iptables --state option values internally to keep it consistent across runs
Previously we were getting multiple re-runs due to the fact that iptables
returns a different order with iptables-save than what was used when creating
the rule.
This patch fixes that by sorting states with should=.
Added unit tests to ensure states are correctly sorted. Also added comments in
code to ensure people understand why.
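As an added example covering both the #9082 state-ordering fix above and the #14590 "FATAL" parser fix earlier in this log (example code, not the module's provider): a small iptables-save parser that skips diagnostic lines instead of turning them into garbage rules, and sorts the --state list so that the order iptables prints never differs from the order in the manifest. The iptables-save text is constructed for the example, including the FATAL line; the function names are assumptions.

```ruby
require 'shellwords'

# Constructed sample of iptables-save output (not a real capture). The first line
# stands in for the diagnostics a container with a missing modules.dep prints.
SAMPLE_SAVE = <<~SAVE
  FATAL: Could not load /lib/modules/2.6.32/modules.dep: No such file or directory
  # Generated by iptables-save v1.4.7
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -m comment --comment "001 allow ssh" -j ACCEPT
  COMMIT
SAVE

# Sort --state values so "NEW,ESTABLISHED" and "ESTABLISHED,NEW" compare equal.
def normalise_states(states)
  states.split(',').map(&:strip).reject(&:empty?).sort
end

# Parse iptables-save output into one hash per rule. Anything that is not an
# "-A" line (FATAL diagnostics, comments, table headers, chain policies, COMMIT)
# is skipped rather than being mistaken for a rule.
def parse_iptables_save(output)
  rules = []
  table = nil
  output.each_line do |raw|
    line = raw.strip
    next if line.empty?
    next if line.start_with?('FATAL')     # kernel/module diagnostics, not rules
    next if line.start_with?('#')         # "Generated by" / "Completed on"
    if line.start_with?('*')              # table header, e.g. "*filter"
      table = line[1..-1]
      next
    end
    next if line.start_with?(':')         # chain policy and counters
    next if line == 'COMMIT'
    next unless line.start_with?('-A ')

    # Shellwords handles the quoted --comment value correctly.
    argv = Shellwords.split(line)
    rule = { table: table, chain: argv[argv.index('-A') + 1], line: line }
    if (i = argv.index('--state'))
      rule[:state] = normalise_states(argv[i + 1])
    end
    if (i = argv.index('--comment'))
      rule[:name] = argv[i + 1]
    end
    rules << rule
  end
  rules
end
```

The same normalise_states call should be applied on the should= side (the manifest value), so both sides are compared in sorted form; sorting only the parsed side would still report a change whenever the manifest lists states in a different order.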
Ken Barber [Wed, 26 Oct 2011 10:24:33 +0000 (12:24 +0200)]
(#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
This patch suggested by Dan Carley will work-around the puppet/util error
specified in bug #4248 by loading relative paths instead.
This also fixes the load errors related to running the resource in a standalone
puppet case as well.
If the load fails for some reason, we fall back to the normal load behaviour.
This order is important as we want to load libraries before sync in case the
user has disabled pluginsync in the meantime. This will ensure we attempt to
get the latest copy, but have a fall back just in case.
I believe this fix will need to be applied for some time to support older Puppet
versions.
I've updated the documentation to provide more thorough instructions for
cases where people are using environments, and to tell people to pluginsync
on the master and potentially restart their puppetmaster first just in case.
Ken Barber [Tue, 11 Oct 2011 17:29:17 +0000 (18:29 +0100)]
(#10002) Change to dport and sport to handle ranges, and fix handling of name to port.
We hadn't been allowing ranges of the kind 22:1000 for ranges. This patch
fixes that. Thanks to Jason Hancock for finding this issue and providing a sample
patch.
Instead of using colon though, it was decided we would use a hyphen to specify a range
as it's more agnostic. This patch does the filtering for both writing the rule and
reading the rule.
Also - the way we were doing name to port conversion had been broken. I found
this out while fixing the ranges, and have now fixed it and added tests.
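As an added example (not the module's own dport/sport handling): the two-way conversion between the manifest form of a port range ("22-1000", hyphen) and the iptables form ("22:1000", colon), together with service-name-to-number conversion and the range checks a type should apply before handing anything to iptables. Function names are assumptions; service names are looked up with Socket.getservbyname, which reads the system's /etc/services.

```ruby
require 'socket'

# Turn a single port given as a number or a service name into an Integer.
# Base 10 is forced so "022" is not read as octal; names go through
# /etc/services and raise SocketError when unknown.
def port_to_number(port)
  str = port.to_s.strip
  n = str =~ /\A\d+\z/ ? Integer(str, 10) : Socket.getservbyname(str)
  raise ArgumentError, "port #{str} is out of range 0-65535" unless n.between?(0, 65_535)
  n
end

# Munge a manifest value ("ssh", "443", "22-1000") into its canonical
# hyphenated, numeric form, rejecting inverted ranges.
def munge_port(value)
  str = value.to_s.strip
  if str.include?('-')
    lo, hi = str.split('-', 2).map { |p| port_to_number(p) }
    raise ArgumentError, "invalid port range #{str}: low end exceeds high end" if lo > hi
    "#{lo}-#{hi}"
  else
    port_to_number(str).to_s
  end
end

# Manifest form -> argument for --dport/--sport (iptables wants a colon).
def port_to_iptables(value)
  munge_port(value).tr('-', ':')
end

# iptables-save form -> manifest form, so the two compare equal.
def port_from_iptables(value)
  value.to_s.strip.tr(':', '-')
end
```

Converting service names to numbers on the Puppet side matters for the same reason as the hostname munge: iptables-save reports numbers, so a manifest that says "ssh" would otherwise never match the saved rule.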
Ken Barber [Tue, 25 Oct 2011 09:10:42 +0000 (10:10 +0100)]
(#10263) Fix tests on Puppet 2.6.x
Due to the lack of Puppet::Test::LogCollector class, tests fail on puppet
2.6.x. Instead of just using the class, I'm testing its existence first
and only using it if it exists. Otherwise, I'm going to fall back to 2.6.x
methodology.
This seems to make tests work on 2.6.7 (and up) and 2.7.1 (and up) which is
sufficient for now.