diff options
author | Tim Meusel <tim@bastelfreak.de> | 2019-09-02 12:40:55 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-02 12:40:55 +0200 |
commit | c6540af81cdf3b1bea85bbf3d8f8aa07eef10bcd (patch) | |
tree | df30502ab574dd029636662f8bf4b06bbe182b07 | |
parent | ba10de286c634715931103031ad3bf20ce56ca14 (diff) | |
parent | 859f8ba5cb553d66c9dcdbc232d17a0b641624df (diff) | |
download | puppet-ferm-c6540af81cdf3b1bea85bbf3d8f8aa07eef10bcd.tar.gz puppet-ferm-c6540af81cdf3b1bea85bbf3d8f8aa07eef10bcd.tar.bz2 |
Merge pull request #55 from bastelfreak/chains
allow preserving of chains in tables
-rw-r--r-- | REFERENCE.md | 44 | ||||
-rw-r--r-- | data/common.yaml | 1 | ||||
-rw-r--r-- | manifests/config.pp | 5 | ||||
-rw-r--r-- | manifests/init.pp | 34 | ||||
-rw-r--r-- | spec/classes/ferm_spec.rb | 28 | ||||
-rw-r--r-- | templates/ferm.conf.epp | 9 |
6 files changed, 105 insertions, 16 deletions
diff --git a/REFERENCE.md b/REFERENCE.md index 44d7034..39ba310 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -7,7 +7,7 @@ _Public Classes_ -* [`ferm`](#ferm): Class: ferm This class manages ferm installation and rule generation on modern linux systems class{'ferm': manage_service => true, ip_v +* [`ferm`](#ferm): This class manages ferm installation and rule generation on modern linux systems _Private Classes_ @@ -31,19 +31,38 @@ _Private Classes_ Class: ferm -This class manages ferm installation and rule generation on modern linux systems +#### Examples -class{'ferm': - manage_service => true, - ip_versions => ['ip6'], -} +##### deploy ferm without any configured rules, but also don't start the service or modify existing config files -#### Examples +```puppet +include ferm +``` -##### deploy ferm and start it, on node with only ipv6 enabled +##### deploy ferm and start it, on nodes with only ipv6 enabled ```puppet +class{'ferm': + manage_service => true, + ip_versions => ['ip6'], +} +``` +##### deploy ferm and don't touch chains from other software, like fail2ban and docker + +```puppet +class{'ferm': + manage_service => true, + preserve_chains_in_tables => { + 'filter' => [ + 'f2b-sshd', + 'DOCKER', + 'DOCKER-ISOLATION-STAGE-1', + 'DOCKER-ISOLATION-STAGE-2', + 'DOCKER-USER', + ] + } +} ``` #### Parameters @@ -161,6 +180,15 @@ Data type: `Array[Enum['ip','ip6']]` Set list of versions of ip we want ot use. Default value: ['ip', 'ip6'] +##### `preserve_chains_in_tables` + +Data type: `Hash[String[1],Array[String[1]]]` + +Hash with table:chains[] to use ferm @preserve for +Default value: Empty Hash +Allowed values: Hash with a list of tables and chains in it to preserve +Example: {'nat' => ['PREROUTING', 'POSTROUTING']} + ## Defined types ### ferm::chain diff --git a/data/common.yaml b/data/common.yaml index e68d41a..d40c155 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -8,6 +8,7 @@ ferm::configdirectory: /etc/ferm.d ferm::input_policy: DROP ferm::forward_policy: DROP ferm::output_policy: ACCEPT +ferm::preserve_chains_in_tables: {} ferm::rules: {} ferm::input_log_dropped_packets: false ferm::forward_log_dropped_packets: false diff --git a/manifests/config.pp b/manifests/config.pp index 88fff15..25607ad 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -33,8 +33,9 @@ class ferm::config { target => $ferm::configfile, content => epp( "${module_name}/ferm.conf.epp", { - 'ip' => $_ip, - 'configdirectory' => $ferm::configdirectory, + 'ip' => $_ip, + 'configdirectory' => $ferm::configdirectory, + 'preserve_chains_in_tables' => $ferm::preserve_chains_in_tables, } ), order => '50', diff --git a/manifests/init.pp b/manifests/init.pp index f1f9aa9..221e148 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,12 +1,29 @@ # Class: ferm # -# This class manages ferm installation and rule generation on modern linux systems +# @summary This class manages ferm installation and rule generation on modern linux systems # -# @example deploy ferm and start it, on node with only ipv6 enabled -# class{'ferm': -# manage_service => true, -# ip_versions => ['ip6'], -# } +# @example deploy ferm without any configured rules, but also don't start the service or modify existing config files +# include ferm +# +# @example deploy ferm and start it, on nodes with only ipv6 enabled +# class{'ferm': +# manage_service => true, +# ip_versions => ['ip6'], +# } +# +# @example deploy ferm and don't touch chains from other software, like fail2ban and docker +# class{'ferm': +# manage_service => true, +# preserve_chains_in_tables => { +# 'filter' => [ +# 'f2b-sshd', +# 'DOCKER', +# 'DOCKER-ISOLATION-STAGE-1', +# 'DOCKER-ISOLATION-STAGE-2', +# 'DOCKER-USER', +# ] +# } +# } # # @param manage_service Disable/Enable the management of the ferm daemon # Default value: false @@ -49,6 +66,10 @@ # Allowed values: (true|false) # @param ip_versions Set list of versions of ip we want ot use. # Default value: ['ip', 'ip6'] +# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for +# Default value: Empty Hash +# Allowed values: Hash with a list of tables and chains in it to preserve +# Example: {'nat' => ['PREROUTING', 'POSTROUTING']} class ferm ( Boolean $manage_service, Boolean $manage_configfile, @@ -64,6 +85,7 @@ class ferm ( Boolean $input_log_dropped_packets, Hash $rules, Array[Enum['ip','ip6']] $ip_versions, + Hash[String[1],Array[String[1]]] $preserve_chains_in_tables, ) { contain ferm::install contain ferm::config diff --git a/spec/classes/ferm_spec.rb b/spec/classes/ferm_spec.rb index 55e6739..e5669b8 100644 --- a/spec/classes/ferm_spec.rb +++ b/spec/classes/ferm_spec.rb @@ -59,6 +59,11 @@ describe 'ferm' do it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('ferm_header.conf') } it { is_expected.to contain_concat__fragment('ferm.conf') } + # the following string exists only if we preserve chains + it do + is_expected.to contain_concat__fragment('ferm.conf'). \ + without_content(%r{@preserve;}) + end end context 'with managed initfile' do let :params do @@ -88,6 +93,29 @@ describe 'ferm' do it { is_expected.to contain_ferm__chain('OUTPUT') } it { is_expected.to contain_ferm__chain('INPUT') } end + + context 'it preserves chains' do + let :params do + { + manage_configfile: true, + preserve_chains_in_tables: { 'nat' => %w[PREROUTING POSTROUTING] } + } + end + + it { is_expected.to compile.with_all_deps } + it do + is_expected.to contain_concat__fragment('ferm.conf'). \ + with_content(%r{domain \(ip ip6\) table nat \{}) + end + it do + is_expected.to contain_concat__fragment('ferm.conf'). \ + with_content(%r{chain PREROUTING @preserve;}) + end + it do + is_expected.to contain_concat__fragment('ferm.conf'). \ + with_content(%r{chain POSTROUTING @preserve;}) + end + end end end end diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp index b3aa0ce..0245a70 100644 --- a/templates/ferm.conf.epp +++ b/templates/ferm.conf.epp @@ -1,8 +1,17 @@ <%- | String[1] $ip, Stdlib::Absolutepath $configdirectory, +Hash[String[1], Array[String[1]]] $preserve_chains_in_tables, | -%> # End custom section +<%- $preserve_chains_in_tables.each |$table, $chains| { -%> +domain (<%= $ip %>) table <%= $table %> { + <%- $chains.each |$chain| { -%> + chain <%= $chain %> @preserve; + <%- } -%> +} +<%- } -%> + domain (<%= $ip %>) table filter { chain INPUT { interface lo ACCEPT; |