authorTim Meusel <tim@bastelfreak.de>2019-07-12 09:47:23 +0200
committerGitHub <noreply@github.com>2019-07-12 09:47:23 +0200
commitd856acb9f857c80c65285ec3e09a4f9f37475d41 (patch)
tree29effc4945a9831ce53c18526265c69ee426344b
parent92bfbfed2e47ef3ff857623c5c5accda42dbf195 (diff)
parent885c4b2ec6774d52cee6107dca61566283e3694f (diff)
Merge pull request #48 from bastelfreak/interface
add support for interface specific rules
-rw-r--r--README.md8
-rw-r--r--REFERENCE.md8
-rw-r--r--manifests/chain.pp2
-rw-r--r--manifests/rule.pp32
-rw-r--r--spec/defines/rule_spec.rb42
5 files changed, 75 insertions, 17 deletions
diff --git a/README.md b/README.md
index e05cba5..2f8fcf8 100644
--- a/README.md
+++ b/README.md
@@ -139,6 +139,7 @@ the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'ud
The protocol options we would like to add.
The following example will suppress the hostname in programs like `traceroute`:
+
```yaml
---
ferm::rules:
@@ -155,7 +156,8 @@ A comment that will be written into the file and into ip(6)tables
#### `dport`
-The destination port we want to filter for. Can be any string from /etc/services or an integer
+The destination port we want to filter for. Can be any string from
+/etc/services or an integer
#### `sport`
@@ -178,6 +180,10 @@ Same as above, just for the destination IP address
Add or remove it from the ruleset
+#### `interface`
+
+If set, this rule only applies to this specific interface
+
### chain defined resource
The module defines the three default chains for you, INPUT, FORWARD and OUTPUT.
diff --git a/REFERENCE.md b/REFERENCE.md
index 0de43bc..bd608cb 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -258,6 +258,14 @@ Optional parameters that will be passed to the protocol (for example to match sp
Default value: `undef`
+##### `interface`
+
+Data type: `Optional[String[1]]`
+
+an Optional interface where this rule should be applied
+
+Default value: `undef`
+
##### `ensure`
Data type: `Enum['absent','present']`
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 6a01607..0a0071a 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -31,7 +31,7 @@ define ferm::chain (
concat::fragment{"${chain}-footer":
target => "/etc/ferm.d/chains/${chain}.conf",
content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
- order => '99',
+ order => 'zzzzzzzzzzzzzzzzzzzzz',
}
}
}
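Review bot: The new footer order `'zzzzzzzzzzzzzzzzzzzzz'` is a magic value whose reason is not visible in this file; it only works because ferm::rule now uses the interface name as the fragment order and concat compares orders as strings, so the footer must sort after every interface name that could ever be used. A comment on that line such as `# must sort after the interface-name orders used by ferm::rule (string comparison), so the chain is closed last` would make the coupling explicit for the next maintainer. It also silently assumes the concat target keeps its default alpha ordering; if it were ever switched to numeric ordering this value would stop being valid. The enclosing ferm::chain define starts before the hunk.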
diff --git a/manifests/rule.pp b/manifests/rule.pp
index c87ef7f..b8ae29a 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -8,6 +8,7 @@
# @param saddr The source address we want to match
# @param daddr The destination address we want to match
# @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+# @param interface an Optional interface where this rule should be applied
# @param ensure Set the rule to present or absent
define ferm::rule (
Ferm::Chains $chain,
@@ -19,6 +20,7 @@ define ferm::rule (
Optional[String[1]] $saddr = undef,
Optional[String[1]] $daddr = undef,
Optional[String[1]] $proto_options = undef,
+ Optional[String[1]] $interface = undef,
Enum['absent','present'] $ensure = 'present',
){
$proto_real = "proto ${proto}"
@@ -47,9 +49,33 @@ define ferm::rule (
$rule = squeeze("${comment_real} ${proto_real} ${proto_options_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ')
if $ensure == 'present' {
- concat::fragment{"${chain}-${name}":
- target => "/etc/ferm.d/chains/${chain}.conf",
- content => "${rule}\n",
+ if $interface {
+ unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) {
+ concat::fragment{"${chain}-${interface}-aaa":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "interface ${interface} {\n",
+ order => $interface,
+ }
+ }
+
+ concat::fragment{"${chain}-${interface}-${name}":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => " ${rule}\n",
+ order => $interface,
+ }
+
+ unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) {
+ concat::fragment{"${chain}-${interface}-zzz":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "}\n",
+ order => $interface,
+ }
+ }
+ } else {
+ concat::fragment{"${chain}-${name}":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "${rule}\n",
+ }
}
}
}
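Review bot: All three fragments of an interface block get the same `order => $interface`, so their relative position rests on the tie-break by fragment name, and a rule whose title sorts before "aaa" (a title starting with a digit or an uppercase letter, e.g. `10-ssh` or `Allow-ssh`) is placed before the `interface ${interface} {` line and is therefore applied to every interface instead of only the intended one — a silent widening of the firewall rule rather than a catalog failure. Giving the fragments distinct orders removes the dependency on the title, e.g. `order => "${interface}/1"` for the opening fragment, `order => "${interface}/2"` for the rule and `order => "${interface}/3"` for the closing brace; because `/` cannot appear in a Linux interface name, blocks of different interfaces also cannot interleave with such keys. Since `$interface` is interpolated unescaped into the ferm config, tightening its type from `Optional[String[1]]` to a pattern that rejects whitespace, `{`, `}`, `;` and `/` would additionally stop values that break or inject into the generated file. The tie-break by fragment name is inferred from puppetlabs-concat's behaviour and should be confirmed against the version this module pins.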
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index 0926432..bd4ed73 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -6,21 +6,39 @@ describe 'ferm::rule', type: :define do
let :facts do
facts
end
- let(:title) { 'filter-ssh' }
- let :params do
- {
- chain: 'INPUT',
- policy: 'ACCEPT',
- proto: 'tcp',
- dport: '22',
- saddr: '127.0.0.1'
- }
+
+ context 'without a specific interface' do
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ policy: 'ACCEPT',
+ proto: 'tcp',
+ dport: '22',
+ saddr: '127.0.0.1'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
end
+ context 'with a specific interface' do
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ policy: 'ACCEPT',
+ proto: 'tcp',
+ dport: '22',
+ saddr: '127.0.0.1',
+ interface: 'eth0'
+ }
+ end
- context 'default params create simple rule' do
it { is_expected.to compile.with_all_deps }
- # it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("proto tcp dport ssh saddr @ipfilter(127.0.0.1) ACCEPT;") }
- it { is_expected.to contain_concat__fragment('INPUT-filter-ssh') }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
end
end
end
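Review bot: The new 'with a specific interface' context checks the content of the three fragments but never their relative order in the assembled chain file, which is the property the aaa/zzz naming is supposed to guarantee; adding a second rule in the same context whose title sorts differently (for example `'10-ssh'`) and asserting at least each fragment's `order` (or the rendered concat content, if the test setup allows) would catch a rule ending up outside the `interface eth0 {` block. A case with `ensure: 'absent'` together with `interface: 'eth0'` would also pin that no fragments at all are declared for an absent rule.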