From 703b63b08c2d93e0aa653da30d515ec9e3e0f684 Mon Sep 17 00:00:00 2001
From: Michael LoSapio
Date: Wed, 18 Nov 2015 17:18:39 -0500
Subject: [PATCH] Adding in log_uid boolean for LOG

---
 README.markdown | 8 +++--
 lib/puppet/provider/firewall/ip6tables.rb | 5 ++-
 lib/puppet/provider/firewall/iptables.rb | 5 ++-
 lib/puppet/type/firewall.rb | 14 ++++++--
 spec/acceptance/firewall_spec.rb | 41 +++++++++++++++++++++++
 5 files changed, 67 insertions(+), 6 deletions(-)

diff --git a/README.markdown b/README.markdown
index 0a0807f..0b74b81 100644
--- a/README.markdown
+++ b/README.markdown
@@ -404,12 +404,12 @@ This type enables you to manage firewall rules within Puppet.
 * `ip6tables`: Ip6tables type provider
 * Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
 * `iptables`: Iptables type provider
 * Required binaries: `iptables-save`, `iptables`.
 * Default for `kernel` == `linux`.
- * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
 **Autorequires:**
@@ -453,6 +453,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
 * `log_prefix`: The ability to add prefixes to log messages.
+* `log_uid`: The ability to log the userid of the process which generated the packet.
+
 * `mark`: The ability to match or set the netfilter mark value associated with the packet.
 * `mask`: The ability to match recent rules based on the ipv4 mask.
@@ -590,6 +592,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
 * `log_prefix`: When combined with `jump => 'LOG'` specifies the log prefix to use when logging. Requires the `log_prefix` feature.
+* `log_uid`: The ability to log the userid of the process which generated the packet.
+
 * `mask`: Sets the mask to use when `recent` is enabled. Requires the `mask` feature.
 * `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying '31' will not match on months that do not have a 31st day; the same goes for 28- or 29-day February.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 51d0399..78ad24d 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -15,6 +15,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 has_feature :reject_type
 has_feature :log_level
 has_feature :log_prefix
+ has_feature :log_uid
 has_feature :mark
 has_feature :mss
 has_feature :tcp_flags
@@ -91,6 +92,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :limit => "-m limit --limit",
 :log_level => "--log-level",
 :log_prefix => "--log-prefix",
+ :log_uid => "--log-uid",
 :mask => "--mask",
 :match_mark => "-m mark --mark",
 :name => "-m comment --comment",
@@ -150,6 +152,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :ishasmorefrags,
 :islastfrag,
 :isfirstfrag,
+ :log_uid,
 :rsource,
 :rdest,
 :reap,
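Review bot: The new `:log_uid => "--log-uid"` entry in the resource map at @@ -91 (and its twin in iptables.rb at @@ -75) maps to a LOG-target option that takes no argument, unlike the neighbouring `--log-level` and `--log-prefix`, so it renders correctly only because `:log_uid` is also added to what appears to be the provider's boolean-flag list at @@ -150 (and @@ -140 in iptables.rb). That coupling is invisible at the map itself, and nothing in this patch shows how the `iptables-save` parsing side treats a bare `--log-uid` trailing a `--log-prefix` value, so a provider unit test for the round trip would be worth adding. A one-line comment would make the dependency explicit: `:log_uid => "--log-uid", # valueless flag; must also be listed in the boolean list below`.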
@@ -220,7 +223,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 27c0b36..791c587 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -20,6 +20,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :reject_type
 has_feature :log_level
 has_feature :log_prefix
+ has_feature :log_uid
 has_feature :mark
 has_feature :mss
 has_feature :tcp_flags
@@ -75,6 +76,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :limit => "-m limit --limit",
 :log_level => "--log-level",
 :log_prefix => "--log-prefix",
+ :log_uid => "--log-uid",
 :mac_source => ["-m mac --mac-source", "--mac-source"],
 :mask => '--mask',
 :match_mark => "-m mark --mark",
@@ -140,6 +142,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :checksum_fill,
 :clamp_mss_to_pmtu,
 :isfragment,
+ :log_uid,
 :random,
 :rdest,
 :reap,
@@ -255,7 +258,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
- :log_level, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+ :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone ]
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 72a67f9..fa3cbab 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -42,6 +42,7 @@ Puppet::Type.newtype(:firewall) do
 feature :reject_type, "The ability to control reject messages"
 feature :log_level, "The ability to control the log level"
 feature :log_prefix, "The ability to add prefixes to log messages"
+ feature :log_uid, "Add UIDs to log messages"
 feature :mark, "Match or Set the netfilter mark value associated with the packet"
 feature :mss, "Match a given TCP MSS value or range."
 feature :tcp_flags, "The ability to match on particular TCP flag settings"
@@ -570,6 +571,15 @@ Puppet::Type.newtype(:firewall) do
 EOS
 end
+ newproperty(:log_uid, :required_features => :log_uid) do
+ desc <<-EOS
+ When combined with jump => "LOG" specifies the uid of the process making
+ the connection.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
 # ICMP matching property
 newproperty(:icmp, :required_features => :icmp_match) do
 desc <<-EOS
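Review bot: The `desc` of the new `log_uid` property at @@ -570 reads as if the user supplies a uid ("specifies the uid of the process making the connection"), but the property only accepts `true`/`false` (`newvalues(:true, :false)`), and the README text in this same patch describes it as logging the userid of the process that generated the packet. I would reword the docstring to something like `When combined with jump => "LOG", also writes the UID of the local process that generated the packet into the log entry (boolean). Requires the log_uid feature.`, mirroring the "Requires the ... feature" phrasing the README uses for `log_prefix`. My understanding is that the kernel can only attribute a UID to locally generated traffic, so a sentence saying it has no effect on forwarded or inbound packets would help, but that is worth confirming before it goes in.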
@@ -1488,9 +1498,9 @@ Puppet::Type.newtype(:firewall) do
 end
 end
- if value(:log_prefix) || value(:log_level)
+ if value(:log_prefix) || value(:log_level) || value(:log_uid)
 unless value(:jump).to_s == "LOG"
- self.fail "Parameter log_prefix and log_level require jump => LOG"
+ self.fail "Parameter log_prefix, log_level and log_uid require jump => LOG"
 end
 end
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 4b3a438..9c5fe64 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -2330,6 +2330,47 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 end
 end
+ context 'log_uid is true' do
+ it 'adds the rule' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '700 - test log_uid':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => true,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log_uid "/)
+ end
+ end
+
+ if 'removes the rule' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '700 - test log_uid':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => false'
+ ensure => absent,
+ }
+ EOS
+
+ appy_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should not contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to_not match('/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j --log-uid "/)
+ end
+ end
+ end
+
 context 'comment containing "-A "' do
 it 'adds the rule' do
 pp = <<-EOS
--
2.45.2
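Review bot: `value(:log_uid)` in the widened condition is truthy whenever the property is set at all, including `log_uid => false` — with `newvalues(:true, :false)` Puppet stores the munged symbol `:false`, which Ruby treats as true — so a resource such as `jump => 'ACCEPT', log_uid => false` would now be rejected with the new "require jump => LOG" failure. The boolean should be tested for its true value, e.g. `if value(:log_prefix) || value(:log_level) || value(:log_uid).to_s == "true"`; the updated error message is fine as written. The enclosing validation block starts and ends outside this hunk, so I cannot see whether the other boolean properties are checked the same way.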
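Review bot: The second example in the new `log_uid is true` context is written `if 'removes the rule' do`, which is not valid Ruby and would keep the whole acceptance file from loading; it also calls `appy_manifest` instead of `apply_manifest`, and the manifest inside it reads `log_uid => false'` (stray quote, no comma before `ensure => absent`). The expectations are also out of step with the provider added in this same patch, which emits `--log-uid`: the positive example matches `--log_uid "` (underscore, trailing quote) and the negative one hands `match` a string that starts with `/`, so neither pattern can ever match a real `iptables-save` line and the negative assertion passes vacuously. Assuming `iptables-save` prints the target as `-j LOG --log-uid`, both patterns should end with that and the second example should be rewritten as below; since the context also exercises `false`, naming it `log_uid` rather than `log_uid is true` would read better.
```ruby
      # … unchanged: 'adds the rule' example …

      it 'should contain the rule' do
        shell('iptables-save') do |r|
          expect(r.stdout).to match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid/)
        end
      end

      it 'removes the rule' do
        pp = <<-EOS
          class { '::firewall': }
          firewall { '700 - test log_uid':
            chain   => 'OUTPUT',
            jump    => 'LOG',
            log_uid => false,
            ensure  => absent,
          }
        EOS

        apply_manifest(pp, :catch_failures => true)
      end

      it 'should not contain the rule' do
        shell('iptables-save') do |r|
          expect(r.stdout).to_not match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid/)
        end
      end
```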