From 46719830310672f4459d24e36d38766b39e570f8 Mon Sep 17 00:00:00 2001
From: "matt.cover"
Date: Fri, 30 Oct 2015 11:32:45 -0700
Subject: [PATCH] Add security table for iptables.
---
 lib/puppet/provider/firewallchain/iptables_chain.rb | 2 +-
 lib/puppet/type/firewallchain.rb | 6 +++++-
 spec/unit/puppet/provider/iptables_chain_spec.rb | 6 ++++++
 spec/unit/puppet/type/firewallchain_spec.rb | 3 ++-
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/lib/puppet/provider/firewallchain/iptables_chain.rb b/lib/puppet/provider/firewallchain/iptables_chain.rb
index df166f6..ec10ecc 100644
--- a/lib/puppet/provider/firewallchain/iptables_chain.rb
+++ b/lib/puppet/provider/firewallchain/iptables_chain.rb
@@ -38,7 +38,7 @@ Puppet::Type.type(:firewallchain).provide :iptables_chain do
     }
   }
   InternalChains = /^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$/
-  Tables = 'nat|mangle|filter|raw|rawpost|broute'
+  Tables = 'nat|mangle|filter|raw|rawpost|broute|security'
   Nameformat = /^(.+):(#{Tables}):(IP(v[46])?|ethernet)$/
 
   def create
diff --git a/lib/puppet/type/firewallchain.rb b/lib/puppet/type/firewallchain.rb
index cb2c614..9bdc20f 100644
--- a/lib/puppet/type/firewallchain.rb
+++ b/lib/puppet/type/firewallchain.rb
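Review bot: The table list now lives in three places that this commit had to edit by hand — the `Tables` string here, the human-readable list inside the `ArgumentError` message in firewallchain.rb, and the `case table` branches in the same file — so the next table added will drift unless one definition feeds the others. A small step is to hold the list as data and derive the pattern from it, `TABLES = %w[nat mangle filter raw rawpost broute security].freeze` and `Tables = TABLES.join('|')`, so the same array can build both the regex and the message text. The alternation is bounded by colons inside `Nameformat`, so the unanchored string is safe at this call site; whether any other part of the provider enumerates tables (for example when it shells out once per table) is outside this hunk and worth a check. The enclosing `provide` block starts before the hunk and continues after it.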
@@ -41,7 +41,7 @@ Puppet::Type.newtype(:firewallchain) do
 
     validate do |value|
       if value !~ Nameformat then
-        raise ArgumentError, "Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'"
+        raise ArgumentError, "Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE, SECURITY or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'"
       else
         chain = $1
         table = $2
@@ -73,6 +73,10 @@ Puppet::Type.newtype(:firewallchain) do
           if chain =~ /^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$/
             raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'broute\''
           end
+        when 'security'
+          if chain =~ /^(PREROUTING|POSTROUTING|BROUTING)$/
+            raise ArgumentError, "INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'security'"
+          end
         end
         if chain == 'BROUTING' && ( protocol != 'ethernet' || table!='broute')
           raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'BROUTE\' with protocol \'ethernet\' i.e. \'broute:BROUTING:enternet\''
diff --git a/spec/unit/puppet/provider/iptables_chain_spec.rb b/spec/unit/puppet/provider/iptables_chain_spec.rb
index e2c0fd3..d8eade2 100755
--- a/spec/unit/puppet/provider/iptables_chain_spec.rb
+++ b/spec/unit/puppet/provider/iptables_chain_spec.rb
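Review bot: The diagnostic tail of the rewritten message, `table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'`, never carries information: this branch runs only when `value !~ Nameformat`, and a failed match clears `$~`, so all three groups interpolate as empty strings. The labels are also swapped relative to the `else` branch below, which binds `chain = $1` and `table = $2`. Since the commit is already rewriting this line, trim it to end at `got '#{value}'`, or, if a per-part breakdown is wanted, split the value on `:` before formatting instead of reading the match globals. The `validate` block's body continues past the hunk.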
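Review bot: The new `when 'security'` branch restricts the chain but not the protocol, so a name such as `INPUT:security:ethernet` passes validation even though, as far as I know, the security table exists in iptables/ip6tables and not in ebtables; the type spec hunk at `@@ -30,7 +30,8 @@` pins that by iterating `ethernet` over the new entry as well. If the provider cannot apply such a resource, reject it here with `raise ArgumentError, "table 'security' is only available for protocols IPv4 and IPv6" if protocol == 'ethernet'`, in the same way the `BROUTING` check below ties a table to a protocol. The pattern in the new branch is correctly grouped, while the `broute` branch just above it, `/^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$/`, is not — it reads as `^PREROUTING`, or bare `POSTROUTING`/`INPUT`/`FORWARD` anywhere in the name, or `OUTPUT$` — so a custom chain whose name merely contains `INPUT` is rejected there; bringing it into the same shape as the new code, `/^(PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT)$/`, would fix that. The enclosing `case table` and `validate` block start before the hunk.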
@@ -138,6 +138,9 @@ describe 'iptables chain resource parsing' do
       'NAT:mangle:IPv4',
       'NAT:mangle:IPv4',
       'NAT:mangle:IPv4',
+      'security:INPUT:IPv4',
+      'security:FORWARD:IPv4',
+      'security:OUTPUT:IPv4',
       ':$5()*&%\'"^$): :IPv4',
     ]
     allow(provider).to receive(:execute).with(['/sbin/iptables-save']).and_return('
@@ -184,6 +187,9 @@ COMMIT
       'mangle:OUTPUT:IPv6',
       'mangle:POSTROUTING:IPv6',
       'mangle:ff:IPv6',
+      'security:INPUT:IPv6',
+      'security:FORWARD:IPv6',
+      'security:OUTPUT:IPv6',
       ':INPUT:IPv6',
       ':FORWARD:IPv6',
       ':OUTPUT:IPv6',
diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb
index e627603..0658d63 100755
--- a/spec/unit/puppet/type/firewallchain_spec.rb
+++ b/spec/unit/puppet/type/firewallchain_spec.rb
@@ -30,7 +30,8 @@ describe firewallchain do
     'mangle' => [ 'PREROUTING', 'POSTROUTING', 'INPUT', 'FORWARD', 'OUTPUT' ],
     'filter' => ['INPUT','OUTPUT','FORWARD'],
     'raw' => [ 'PREROUTING', 'OUTPUT'],
-    'broute' => ['BROUTING']
+    'broute' => ['BROUTING'],
+    'security' => ['INPUT','OUTPUT','FORWARD']
   }.each_pair do |table, allowedinternalchains|
     ['IPv4', 'IPv6', 'ethernet'].each do |protocol|
     [ 'test', '$5()*&%\'"^$09):' ].each do |chainname|
-- 
2.45.2
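Review bot: The three added expectations `security:INPUT:IPv4`, `security:FORWARD:IPv4` and `security:OUTPUT:IPv4` sit at a fixed position in an ordered list, but the `iptables-save` fixture that should produce them is the string opened on the hunk's last line, and its `*security` section is not visible here, so I cannot confirm the fixture contains a security table at the matching position; the same applies to the IPv6 entries added in the `@@ -184,6 +187,9 @@` hunk of this file. Please double-check the fixture, and consider a comment above each of the two added groups, `# from the *security block in the iptables-save fixture below`, so the coupling between list order and fixture order is visible to the next editor. The `describe` block starts before the hunk and continues after it.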