From e261831c5e40e8593a97dd085ee4a3b317fc3962 Mon Sep 17 00:00:00 2001
From: Sharif Nassar
Date: Sun, 13 Nov 2011 19:10:08 -0800
Subject: [PATCH] (#10718) Add owner-match support
---
 lib/puppet/provider/firewall/ip6tables.rb | 9 ++-
 lib/puppet/provider/firewall/iptables.rb | 9 ++-
 lib/puppet/type/firewall.rb | 31 +++++++++
 spec/fixtures/iptables/conversion_hash.rb | 80 +++++++++++++++++++++++
 spec/unit/puppet/type/firewall_spec.rb | 18 +++++
 5 files changed, 145 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 spec/unit/puppet/type/firewall_spec.rb
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 9b70e53..58c6874 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -7,6 +7,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 has_feature :dnat
 has_feature :interface_match
 has_feature :icmp_match
+ has_feature :owner
 has_feature :state_match
 has_feature :reject_type
 has_feature :log_level
@@ -19,6 +20,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :burst => "--limit-burst",
 :destination => "-d",
 :dport => "-m multiport --dports",
+ :gid => "-m owner --gid-owner",
 :icmp => "-m icmp6 --icmpv6-type",
 :iniface => "-i",
 :jump => "-j",
@@ -37,10 +39,15 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :todest => "--to-destination",
 :toports => "--to-ports",
 :tosource => "--to-source",
+ :uid => "-m owner --uid-owner",
 }
+ # This is the order of resources as they appear in iptables-save output,
+ # we need it to properly parse and apply rules, if the order of resource
+ # changes between puppet runs, the changed rules will be re-applied again.
+ # This order can be determined by going through iptables source code or just tweaking and trying manually
 @resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
+ :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
 :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 1179de8..4ecfea0 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -12,6 +12,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :dnat
 has_feature :interface_match
 has_feature :icmp_match
+ has_feature :owner
 has_feature :state_match
 has_feature :reject_type
 has_feature :log_level
@@ -26,6 +27,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :burst => "--limit-burst",
 :destination => "-d",
 :dport => "-m multiport --dports",
+ :gid => "-m owner --gid-owner",
 :icmp => "-m icmp --icmp-type",
 :iniface => "-i",
 :jump => "-j",
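Review bot: The new `:gid, :uid` order in `@resource_list` lists gid before uid, yet as far as I can tell libxt_owner's save routine prints `--uid-owner` before `--gid-owner`, so a rule that sets both would be parsed back from iptables-save in a different order than it was written and, exactly as the comment added above warns, be re-applied on every run; unless this order was checked against real iptables-save output it should read `:proto, :uid, :gid, :sport, :dport, ...`. None of the new fixtures in conversion_hash.rb set uid and gid on the same rule, so the spec would not catch this. The same list edit and the same four-line comment are repeated in the iptables.rb hunk (`@@ -44,10 +46,15 @@`); since this provider declares `:parent => :iptables`, keeping the ordering comment once in the parent would stop the two copies drifting. The comment's last line also runs well past 80 columns and has no full stop; `# This order can be derived from the iptables source, or by tweaking rules and checking iptables-save output.` is shorter and says the same thing.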
@@ -44,10 +46,15 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :todest => "--to-destination",
 :toports => "--to-ports",
 :tosource => "--to-source",
+ :uid => "-m owner --uid-owner",
 }
+ # This is the order of resources as they appear in iptables-save output,
+ # we need it to properly parse and apply rules, if the order of resource
+ # changes between puppet runs, the changed rules will be re-applied again.
+ # This order can be determined by going through iptables source code or just tweaking and trying manually
 @resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
 :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index e63dd98..6d12fab 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -23,6 +23,7 @@ Puppet::Type.newtype(:firewall) do
 feature :dnat, "Destination NATing"
 feature :interface_match, "Interface matching"
 feature :icmp_match, "Matching ICMP types"
+ feature :owner, "Matching owners"
 feature :state_match, "Matching stateful firewall states"
 feature :reject_type, "The ability to control reject messages"
 feature :log_level, "The ability to control the log level"
@@ -387,6 +388,22 @@ Puppet::Type.newtype(:firewall) do
 newvalue(/^\d+$/)
 end
+ newproperty(:uid, :array_matching =>:all, :required_features => :owner) do
+ desc <<-EOS
+ UID or Username owner matching rule. Accepts a string argument
+ only, as iptables does not accept multiple uid in a single
+ statement.
+ EOS
+ end
+
+ newproperty(:gid, :array_matching =>:all, :required_features => :owner) do
+ desc <<-EOS
+ GID or Group owner matching rule. Accepts a string argument
+ only, as iptables does not accept multiple gid in a single
+ statement.
+ EOS
+ end
+
 newparam(:line) do
 desc <<-EOS
 Read-only property for caching the rule line.
@@ -437,6 +454,20 @@ Puppet::Type.newtype(:firewall) do
 end
 end
+ if value(:uid)
+ unless value(:chain).to_s =~ /OUTPUT|POSTROUTING/
+ self.fail "Parameter uid only applies to chains " \
+ "OUTPUT,POSTROUTING"
+ end
+ end
+
+ if value(:gid)
+ unless value(:chain).to_s =~ /OUTPUT|POSTROUTING/
+ self.fail "Parameter gid only applies to chains " \
+ "OUTPUT,POSTROUTING"
+ end
+ end
+
 if value(:dport)
 unless value(:proto).to_s =~ /tcp|udp|sctp/
 self.fail "[%s] Parameter dport only applies to sctp, tcp and udp " \
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 26e28d0..0645a39 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
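Review bot: `:array_matching => :all` on the new uid and gid properties contradicts their own desc ("Accepts a string argument only"), and nothing rejects a second element, so `uid => ['root', 'bobby']` passes type validation (the spec hunk even asserts that) and only fails, if at all, when the provider runs iptables. Either reject it in the type's validate block, e.g. `self.fail "Parameter uid accepts a single value" if value(:uid) && Array(value(:uid)).size > 1` (and the same for gid), or drop `:array_matching => :all` so the desc and the behaviour agree. Neither property constrains the value itself, unlike the `newvalue(/^\d+$/)` visible just above; since the value ends up on the command line as `--uid-owner <value>` and I cannot tell from this hunk whether the provider passes it as one argv element, a `validate { |v| raise ArgumentError, "uid must not contain whitespace" if v.to_s =~ /\s/ }` is cheap defence in depth against a malformed manifest producing a surprising rule. The desc should also say what iptables accepts here (a numeric id or a user/group name), and `=>:all` wants a space after the arrow to match the rest of the file.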
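Review bot: The chain check on the new uid and gid branches uses the unanchored `/OUTPUT|POSTROUTING/`, so any chain whose name merely contains one of those words (a user chain such as `MY_OUTPUT_LOG`) passes, while the message claims only `OUTPUT,POSTROUTING` are allowed; anchoring with `\A`/`\z` makes the check say what the message says. The two branches differ only in the parameter name, so one loop over `[:uid, :gid]` keeps a single copy of the rule (below). iptables itself also accepts the owner match in user-defined chains reached from OUTPUT or POSTROUTING, so if that case is meant to work the restriction should be relaxed deliberately rather than through the loose regex. The new messages also lack the `[%s]` resource-name prefix the neighbouring dport message carries; the dport check's own unanchored `/tcp|udp|sctp/` predates this commit, and the enclosing validate block starts outside the hunk.
```ruby
    # iptables only accepts the owner match on locally generated packets,
    # i.e. in the OUTPUT and POSTROUTING chains.
    [:uid, :gid].each do |owner|
      next unless value(owner)
      unless value(:chain).to_s =~ /\A(OUTPUT|POSTROUTING)\z/
        self.fail "Parameter #{owner} only applies to chains " \
          "OUTPUT,POSTROUTING"
      end
    end
    # … unchanged: dport check …
```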
@@ -113,6 +113,42 @@ ARGS_TO_HASH = {
 :table => 'filter',
 :params => {
 :proto => 'ipencap',
+ }
+ },
+ 'load_uid_owner_filter_module' => {
+ :line => '-A OUTPUT -m owner --uid-owner root -m comment --comment "057 OUTPUT uid root only" -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :action => 'accept',
+ :uid => 'root',
+ :chain => 'OUTPUT',
+ },
+ },
+ 'load_uid_owner_postrouting_module' => {
+ :line => '-t mangle -A POSTROUTING -m owner --uid-owner root -m comment --comment "057 POSTROUTING uid root only" -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :uid => 'root',
+ },
+ },
+ 'load_gid_owner_filter_module' => {
+ :line => '-A OUTPUT -m owner --gid-owner root -m comment --comment "057 OUTPUT gid root only" -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :gid => 'root',
+ },
+ },
+ 'load_gid_owner_postrouting_module' => {
+ :line => '-t mangle -A POSTROUTING -m owner --gid-owner root -m comment --comment "057 POSTROUTING gid root only" -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :gid => 'root',
 },
 },
 }
@@ -231,4 +267,48 @@ HASH_TO_ARGS = {
 },
 :args => ['-t', :filter, '-p', :ipencap, '-m', 'comment', '--comment', '0100 INPUT accept ipencap'],
 },
+ 'load_uid_owner_filter_module' => {
+ :params => {
+ :name => '057 OUTPUT uid root only',
+ :table => 'filter',
+ :uid => 'root',
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :proto => 'all',
+ },
+ :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-m', 'comment', '--comment', '057 OUTPUT uid root only', '-j', 'ACCEPT'],
+ },
+ 'load_uid_owner_postrouting_module' => {
+ :params => {
+ :name => '057 POSTROUTING uid root only',
+ :table => 'mangle',
+ :uid => 'root',
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :proto => 'all',
+ },
+ :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--uid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING uid root only', '-j', 'ACCEPT'],
+ },
+ 'load_gid_owner_filter_module' => {
+ :params => {
+ :name => '057 OUTPUT gid root only',
+ :table => 'filter',
+ :chain => 'OUTPUT',
+ :gid => 'root',
+ :action => 'accept',
+ :proto => 'all',
+ },
+ :args => ['-t', :filter, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 OUTPUT gid root only', '-j', 'ACCEPT'],
+ },
+ 'load_gid_owner_postrouting_module' => {
+ :params => {
+ :name => '057 POSTROUTING gid root only',
+ :table => 'mangle',
+ :gid => 'root',
+ :action => 'accept',
+ :chain => 'POSTROUTING',
+ :proto => 'all',
+ },
+ :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING gid root only', '-j', 'ACCEPT'],
+ },
 }
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
old mode 100644
new mode 100755
index c08d6ab..38ad5d4
--- a/spec/unit/puppet/type/firewall_spec.rb
+++ b/spec/unit/puppet/type/firewall_spec.rb
@@ -247,4 +247,22 @@ describe firewall do
 }.should raise_error(Puppet::Error, /^Only one of the parameters 'action' and 'jump' can be set$/)
 end
 end
+ describe ':gid and :uid' do
+ it 'should allow me to set uid' do
+ @resource[:uid] = 'root'
+ @resource[:uid].should == ['root']
+ end
+ it 'should allow me to set uid as an array, breaking iptables' do
+ @resource[:uid] = ['root', 'bobby']
+ @resource[:uid].should == ['root', 'bobby']
+ end
+ it 'should allow me to set gid' do
+ @resource[:gid] = 'root'
+ @resource[:gid].should == ['root']
+ end
+ it 'should allow me to set gid as an array, breaking iptables' do
+ @resource[:gid] = ['root', 'bobby']
+ @resource[:gid].should == ['root', 'bobby']
+ end
+ end
 end
--
2.45.2
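Review bot: The two examples named "breaking iptables" pin down behaviour the type should refuse rather than accept: the property descs in this same commit say iptables takes a single uid or gid per rule, so a multi-element array is a manifest error, not a supported input. If the type is changed to reject it, these examples should assert the failure in the file's existing `}.should raise_error(Puppet::Error, ...)` style, e.g. `lambda { @resource[:uid] = ['root', 'bobby'] }.should raise_error(Puppet::Error)`; if it is not, the example names at least ought to explain why the array is tolerated. No example covers the chain restriction added to the type's validate block (uid or gid on a chain other than OUTPUT/POSTROUTING should raise), which is the one behaviour of this commit worth pinning here. Separately, the mode change 100644 to 100755 on this spec file looks accidental, as rspec loads the file rather than executing it, and the executable bit should be dropped.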