-rw-r--r-- | .github/SECURITY.md | 3 | ||||
-rw-r--r-- | .msync.yml | 2 | ||||
-rw-r--r-- | .rubocop.yml | 3 | ||||
-rw-r--r-- | Gemfile | 6 | ||||
-rw-r--r-- | manifests/config.pp | 29 | ||||
-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/install.pp | 9 | ||||
-rw-r--r-- | manifests/ipset.pp | 3 | ||||
-rw-r--r-- | manifests/rule.pp | 26 | ||||
-rw-r--r-- | manifests/service.pp | 7 |
10 files changed, 45 insertions, 47 deletions
diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..cacadf2 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,3 @@ +# Vox Pupuli Security Policy + +Our vulnerabilities reporting process is at https://voxpupuli.org/security/ @@ -1 +1 @@ -modulesync_config_version: '2.12.0' +modulesync_config_version: '3.0.0' diff --git a/.rubocop.yml b/.rubocop.yml index c2ebc88..316e4ec 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -528,6 +528,9 @@ RSpec/RepeatedDescription: RSpec/NestedGroups: Enabled: False +RSpec/MultipleExpectations: + Enabled: false + # this is broken on ruby1.9 Layout/IndentHeredoc: Enabled: False @@ -11,9 +11,9 @@ def location_for(place, fake_version = nil) end group :test do - gem 'voxpupuli-test', '>= 1.4.0', :require => false - gem 'coveralls', :require => false - gem 'simplecov-console', :require => false + gem 'voxpupuli-test', '~> 2.0', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false end group :development do diff --git a/manifests/config.pp b/manifests/config.pp index 8ed0f57..3016c60 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -4,7 +4,6 @@ # @summary This class handles the configuration file. Avoid modifying private classes. # class ferm::config { - # this is a private class assert_private("You're not supposed to do that!") 
@@ -22,51 +21,51 @@ class ferm::config { # copy static files to ferm # on a long term point of view, we want to package this - file{$ferm::configdirectory: + file { $ferm::configdirectory: ensure => 'directory', } - -> file{"${ferm::configdirectory}/definitions": + -> file { "${ferm::configdirectory}/definitions": ensure => 'directory', } - -> file{"${ferm::configdirectory}/chains": + -> file { "${ferm::configdirectory}/chains": ensure => 'directory', } if $ferm::manage_configfile { - concat{$ferm::configfile: + concat { $ferm::configfile: ensure => 'present', } - concat::fragment{'ferm_header.conf': + concat::fragment { 'ferm_header.conf': target => $ferm::configfile, - content => epp("${module_name}/ferm_header.conf.epp", {'configdirectory' => $ferm::configdirectory}), + content => epp("${module_name}/ferm_header.conf.epp", { 'configdirectory' => $ferm::configdirectory }), order => '01', } - concat::fragment{'ferm.conf': + concat::fragment { 'ferm.conf': target => $ferm::configfile, content => epp( "${module_name}/ferm.conf.epp", { 'ip' => $_ip, 'configdirectory' => $ferm::configdirectory, 'preserve_chains_in_tables' => $ferm::preserve_chains_in_tables, - } + } ), order => '50', } } - ferm::chain{'INPUT': + ferm::chain { 'INPUT': policy => $ferm::input_policy, disable_conntrack => $ferm::input_disable_conntrack, log_dropped_packets => $ferm::input_log_dropped_packets, drop_invalid_packets_with_conntrack => $ferm::input_drop_invalid_packets_with_conntrack, } - ferm::chain{'FORWARD': + ferm::chain { 'FORWARD': policy => $ferm::forward_policy, disable_conntrack => $ferm::forward_disable_conntrack, log_dropped_packets => $ferm::forward_log_dropped_packets, } - ferm::chain{'OUTPUT': + ferm::chain { 'OUTPUT': policy => $ferm::output_policy, disable_conntrack => $ferm::output_disable_conntrack, log_dropped_packets => $ferm::output_log_dropped_packets, 
@@ -77,7 +76,7 @@ class ferm::config { # initialize default tables and chains ['PREROUTING', 'OUTPUT'].each |$raw_chain| { - ferm::chain{"raw-${raw_chain}": + ferm::chain { "raw-${raw_chain}": chain => $raw_chain, policy => 'ACCEPT', disable_conntrack => true, @@ -101,7 +100,7 @@ class ferm::config { $domains = ['ip'] } } - ferm::chain{"nat-${nat_chain}": + ferm::chain { "nat-${nat_chain}": chain => $nat_chain, policy => 'ACCEPT', disable_conntrack => true, @@ -111,7 +110,7 @@ class ferm::config { } } ['PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING'].each |$mangle_chain| { - ferm::chain{"mangle-${mangle_chain}": + ferm::chain { "mangle-${mangle_chain}": chain => $mangle_chain, policy => 'ACCEPT', disable_conntrack => true, diff --git a/manifests/init.pp b/manifests/init.pp index 251effe..0484995 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -86,13 +86,13 @@ class ferm ( ~> Class['ferm::service'] $chains.each |$chainname, $attributes| { - ferm::chain{$chainname: + ferm::chain { $chainname: * => $attributes, } } $rules.each |$rulename, $attributes| { - ferm::rule{$rulename: + ferm::rule { $rulename: * => $attributes, } } diff --git a/manifests/install.pp b/manifests/install.pp index 5755ead..c61a194 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -4,13 +4,12 @@ # @summary This class handles the configuration file. Avoid modifying private classes. # class ferm::install { - # this is a private class assert_private("You're not supposed to do that!") case $ferm::install_method { 'package': { - package{'ferm': + package { 'ferm': ensure => 'latest', } } @@ -18,7 +17,7 @@ class ferm::install { $_source_path = '/opt/ferm' ensure_packages (['git', 'iptables', 'perl', 'make'], { ensure => present }) - package{'ferm': + package { 'ferm': ensure => absent, } -> vcsrepo { $_source_path : 
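Review bot: In the manifests/install.pp hunk `@@ -4,13 +4,12 @@` the `@summary` line kept as context still says that `ferm::install` "handles the configuration file", which is the wording of config.pp; this class installs ferm from a package or from source, so the documentation is wrong for the class it sits on. A summary such as `# @summary This class installs ferm, either from the distribution package or from source. Avoid modifying private classes.` would describe it; the same copied summary also heads the manifests/service.pp hunk `@@ -4,25 +4,24 @@` for `ferm::service`, which manages the service. Separately, `package { 'ferm': ensure => 'latest' }` in the same hunk upgrades the host firewall tool on every run whenever the configured repository publishes a new version, which may be intended but is worth a comment if so. The `vcsrepo` resource of the source branch starts on the last line of the `@@ -18,7 +17,7 @@` hunk and continues outside it.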
@@ -46,8 +45,8 @@ class ferm::install { if $ferm::manage_initfile { if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '6') <= 0 { - file{'/etc/init.d/ferm': - ensure => 'present', + file { '/etc/init.d/ferm': + ensure => 'file', mode => '0755', source => "puppet:///modules/${module_name}/ferm", } diff --git a/manifests/ipset.pp b/manifests/ipset.pp index 23c555a..7262cc3 100644 --- a/manifests/ipset.pp +++ b/manifests/ipset.pp @@ -42,14 +42,13 @@ define ferm::ipset ( Enum['ip','ip6'] $ip_version = 'ip', Boolean $prepend_to_chain = true, ) { - $suffix = $prepend_to_chain ? { true => 'aaa', false => 'ccc', } # make sure the generated snippet is actually included - concat::fragment{"${table}-${chain}-${name}": + concat::fragment { "${table}-${chain}-${name}": target => $ferm::configfile, content => epp( "${module_name}/ferm-chain-ipset.epp", { diff --git a/manifests/rule.pp b/manifests/rule.pp index f239402..611e604 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -67,8 +67,7 @@ define ferm::rule ( Optional[String[1]] $interface = undef, Enum['absent','present'] $ensure = 'present', Ferm::Tables $table = 'filter', -){ - +) { if $policy and $action { fail('Cannot specify both policy and action. Do not provide policy when using the new action param.') } elsif $policy and ! $action { @@ -80,8 +79,7 @@ define ferm::rule ( fail('Exactly one of "action" or the deprecated "policy" param is required.') } - if $action_temp in ['RETURN', 'ACCEPT', 'DROP', 'REJECT', 'NOTRACK', 'LOG', - 'MARK', 'DNAT', 'SNAT', 'MASQUERADE', 'REDIRECT'] { + if $action_temp in ['RETURN', 'ACCEPT', 'DROP', 'REJECT', 'NOTRACK', 'LOG', 'MARK', 'DNAT', 'SNAT', 'MASQUERADE', 'REDIRECT'] { $action_real = $action_temp } else { # assume the action contains a target chain, so prefix it with the "jump" statement 
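Review bot: In the manifests/rule.pp hunk `@@ -80,8 +79,7 @@` the `else` branch accepts any value of `$action_temp` that is not one of the listed targets as a chain name and, per its comment, prefixes it with `jump`; nothing in the hunk checks that the value actually looks like a chain identifier before it is written into the generated ferm configuration. The declared type of `$action` and `$policy` is above this hunk and not visible here, so if it is a plain `String` a guard at the start of the `else` branch would reject stray punctuation or whitespace early with a clear message instead of producing an unloadable or differently scoped ruleset, e.g. `unless $action_temp =~ /\A[A-Za-z0-9_-]+\z/ { fail("'${action_temp}' is neither a known target nor a valid chain name") }`. The body of that `else` branch lies outside the hunk. If a `Ferm::` data type already constrains these parameters, a one-line comment saying so at the `if` would spare the next reader the same question.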
@@ -95,7 +93,6 @@ define ferm::rule ( String => "proto ${proto}", } - if $dport =~ Array { $dports = join($dport, ' ') $dport_real = "mod multiport destination-ports (${dports})" @@ -110,7 +107,7 @@ define ferm::rule ( $upper = Integer($portrange[1]) assert_type(Tuple[Stdlib::Port, Stdlib::Port], [$lower, $upper]) |$expected, $actual| { fail("The data type should be \'${expected}\', not \'${actual}\'. The data is [${lower}, ${upper}])}.") - '' + '' } if $lower > $upper { fail("Lower port number of the port range is larger than upper. ${lower}:${upper}") @@ -136,7 +133,7 @@ define ferm::rule ( $upper = Integer($portrange[1]) assert_type(Tuple[Stdlib::Port, Stdlib::Port], [$lower, $upper]) |$expected, $actual| { fail("The data type should be \'${expected}\', not \'${actual}\'. The data is [${lower}, ${upper}])}.") - '' + '' } if $lower > $upper { fail("Lower port number of the port range is larger than upper. ${lower}:${upper}") @@ -148,11 +145,10 @@ define ferm::rule ( fail("invalid source-port: ${sport}") } - if $saddr =~ Array { assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| { fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." ) - '' + '' } } $saddr_real = $saddr ? { @@ -164,7 +160,7 @@ define ferm::rule ( if $daddr =~ Array { assert_type(Array[Stdlib::IP::Address], flatten($daddr)) |$expected, $actual| { fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($daddr)}." ) - '' + '' } } $daddr_real = $daddr ? { @@ -174,7 +170,7 @@ define ferm::rule ( default => '', } $proto_options_real = $proto_options ? { - undef => '', + undef => '', default => $proto_options } $comment_real = "mod comment comment '${comment}'" 
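Review bot: The `fail(...)` messages in the manifests/rule.pp hunks `@@ -110,7 +107,7 @@` and `@@ -136,7 +133,7 @@` end in `[${lower}, ${upper}])}.`, where `)}` has no opening counterpart, so the port-range type error prints a garbled message; the line should read `fail("The data type should be \'${expected}\', not \'${actual}\'. The data is [${lower}, ${upper}].")` in both places. The `''` that the commit re-indents directly after each `fail(...)` call (also in the `@@ -148` and `@@ -164` hunks) is never reached, since `fail` aborts compilation, so it could be dropped or given a short comment explaining why it is kept. Both hunks are excerpts of `ferm::rule`, whose parameter list and the rest of the port-range handling sit outside them.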
@@ -192,28 +188,28 @@ define ferm::rule ( if $ensure == 'present' { if $interface { unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) { - concat::fragment{"${chain}-${interface}-aaa": + concat::fragment { "${chain}-${interface}-aaa": target => $filename, content => "interface ${interface} {\n", order => $interface, } } - concat::fragment{"${chain}-${interface}-${name}": + concat::fragment { "${chain}-${interface}-${name}": target => $filename, content => " ${rule}\n", order => $interface, } unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) { - concat::fragment{"${chain}-${interface}-zzz": + concat::fragment { "${chain}-${interface}-zzz": target => $filename, content => "}\n", order => $interface, } } } else { - concat::fragment{"${chain}-${name}": + concat::fragment { "${chain}-${name}": target => $filename, content => "${rule}\n", } diff --git a/manifests/service.pp b/manifests/service.pp index 9fb1737..013ad10 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -4,25 +4,24 @@ # @summary This class handles the configuration file. Avoid modifying private classes. # class ferm::service { - # this is a private class assert_private("You're not supposed to do that!") if $ferm::manage_service { - service{'ferm': + service { 'ferm': ensure => 'running', enable => true, } # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm... if ($facts['os']['name'] in ['Ubuntu', 'Debian']) and ($ferm::install_method == 'package') { - file_line{'enable_ferm': + file_line { 'enable_ferm': path => '/etc/default/ferm', line => 'ENABLED="yes"', match => 'ENABLED=', notify => Service['ferm'], } - file_line{'disable_ferm_cache': + file_line { 'disable_ferm_cache': path => '/etc/default/ferm', line => 'CACHE="no"', match => 'CACHE=', |
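Review bot: In the manifests/rule.pp hunk `@@ -192,28 +188,28 @@` the opening fragment `${chain}-${interface}-aaa`, the rule fragment `${chain}-${interface}-${name}` and the closing fragment `${chain}-${interface}-zzz` all carry the same `order => $interface`, so their placement inside the `interface ${interface} {` block depends on how the fragment titles sort when `order` ties — presumably title order, which is what the `aaa`/`zzz` sentinels rely on. A rule whose title sorts before `aaa` (for instance one starting with a digit or an uppercase letter) or after `zzz` would then land outside the block, and if I read ferm's scoping right such a rule applies to every interface rather than the one requested, i.e. an allow rule becomes broader than intended. Encoding the position in `order` itself (an order value for the opener that sorts before the one used for the rules, and one for the closer that sorts after) would make the layout independent of rule titles; a comment on the `-aaa` fragment stating the ordering assumption would help either way. The `ferm::rule` definition starts and ends outside this hunk.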