authorTim Meusel <tim@bastelfreak.de>2019-09-30 14:51:12 +0200
committerTim Meusel <tim@bastelfreak.de>2019-10-01 16:27:42 +0200
commitd4b8909eab6194da389b121e46137da7618eb45c (patch)
tree8cfc5af5a35a1557af027d68eccbd9def263dbde /manifests
parent5d00a506f896fccb2485ebf3ea316f0156b80f8b (diff)
downloadpuppet-ferm-d4b8909eab6194da389b121e46137da7618eb45c.tar.gz
puppet-ferm-d4b8909eab6194da389b121e46137da7618eb45c.tar.bz2
implement ipset support
Diffstat (limited to 'manifests')
-rw-r--r--manifests/chain.pp6
-rw-r--r--manifests/ipset.pp62
2 files changed, 67 insertions, 1 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 10cc9c1..1be7e83 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -73,6 +73,10 @@ define ferm::chain (
}
# make sure the generated snippet is actually included
+ # the ordering here is hacked. We might end up with multiple blocks for the same filter+chain.
+ # This happens if we add ipset matches. We suffix this ordering with `bbb`. This allows us to
+ # insert ipset matches before other rules by adding `-aaa` or
+ # insert them at the end by ordering them with `-ccc`.
concat::fragment{"${table}-${chain}-config-include":
target => $ferm::configfile,
content => epp(
@@ -83,7 +87,7 @@ define ferm::chain (
'filename' => $filename,
}
),
- order => "${table}-${chain}",
+ order => "${table}-${chain}-bbb",
require => Concat[$filename],
}
}
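Review bot: The comment added above the concat::fragment in the first hunk calls the ordering "hacked" but leaves out the one fact a reader needs: concat sorts fragments lexically by their `order` string, so `aaa` < `bbb` < `ccc` is what places ipset fragments before or after the chain's own rules. Suggest replacing the four comment lines with `# concat sorts fragments lexically by order; this chain's rules get -bbb so that` / `# ferm::ipset can place its matches before them (-aaa) or after them (-ccc).`. Note also that any fragment elsewhere that still uses the bare `"${table}-${chain}"` order now sorts before `-bbb`, since the bare string is a prefix; whether such fragments exist cannot be seen here. The rest of ferm::chain lies outside the hunk.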
diff --git a/manifests/ipset.pp b/manifests/ipset.pp
new file mode 100644
index 0000000..fab7894
--- /dev/null
+++ b/manifests/ipset.pp
@@ -0,0 +1,62 @@
+#
+# @summary a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets.
+#
+# @see http://ferm.foo-projects.org/download/2.1/ferm.html#set
+#
+# @example
+# ferm::ipset { 'CONSUL':
+# sets => {
+# 'internet' => 'ACCEPT'
+# },
+# }
+#
+# @example create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+# ferm::ipset { 'INPUT':
+# prepend_to_chain => false,
+# table => 'filter',
+# ip_version => 'ip6',
+# sets => {
+# 'testset01' => 'ACCEPT',
+# 'anothertestset' => 'DROP'
+# },
+# }
+#
+# @param chain
+# name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this.
+#
+# @param table
+# name of the table where we want to apply this. Defaults to `filter` because that's the most common usecase.
+#
+# @param ip_version
+# sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version.
+#
+# @param sets
+# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+#
+define ferm::ipset (
+ Hash[String[1], Ferm::Actions] $sets,
+ String[1] $chain = $name,
+ Ferm::Tables $table = 'filter',
+ Enum['ip','ip6'] $ip_version = 'ip',
+ Boolean $prepend_to_chain = true,
+) {
+
+ $suffix = $prepend_to_chain ? {
+ true => 'aaa',
+ false => 'ccc',
+ }
+
+ # make sure the generated snippet is actually included
+ concat::fragment{"${table}-${chain}-ipset":
+ target => $ferm::configfile,
+ content => epp(
+ "${module_name}/ferm-chain-ipset.epp", {
+ 'ip' => $ip_version,
+ 'table' => $table,
+ 'chain' => $chain,
+ 'sets' => $sets,
+ }
+ ),
+ order => "${table}-${chain}-${suffix}",
+ }
+}
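Review bot: The concat::fragment title `"${table}-${chain}-ipset"` at the bottom of the hunk does not include `$suffix` (or `$name`), so declaring one ferm::ipset that prepends and one that appends to the same chain — exactly what the `prepend_to_chain` parameter invites — fails with a duplicate resource declaration even though the two fragments would carry distinct `order` values. Using `concat::fragment{"${table}-${chain}-ipset-${suffix}":` keeps both placements usable for one chain; if a single ipset block per chain is the intended contract, state that limitation in the @summary instead. Separately, the keys of `$sets` are typed only as `String[1]` and are passed straight into the `ferm-chain-ipset.epp` template (not in this diff); unless that template quotes or escapes them, a `Pattern[...]` type restricting set names to ipset-legal characters would reject malformed names at catalog compile time instead of emitting a broken or unintended ruleset. The second @example reads `create to matches`, presumably `two`.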