-rw-r--r-- | REFERENCE.md | 19 | ||||
-rw-r--r-- | data/Debian-10.yaml | 3 | ||||
-rw-r--r-- | data/common.yaml | 1 | ||||
-rw-r--r-- | manifests/chain.pp | 8 | ||||
-rw-r--r-- | manifests/config.pp | 11 | ||||
-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/rule.pp | 10 | ||||
-rw-r--r-- | metadata.json | 3 | ||||
-rw-r--r-- | spec/classes/ferm_spec.rb | 27 | ||||
-rw-r--r-- | spec/defines/chain_spec.rb | 30 | ||||
-rw-r--r-- | spec/defines/rule_spec.rb | 4 | ||||
-rw-r--r-- | templates/ferm.conf.epp | 10 | ||||
-rw-r--r-- | templates/ferm_header.conf.epp | 3 | ||||
-rw-r--r-- | types/chains.pp | 2 |
14 files changed, 86 insertions, 49 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index daf137d..44d7034 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -22,7 +22,6 @@ _Private Classes_
 **Data types**
-* [`Ferm::Chains`](#fermchains): a type that allows the default iptables chains
 * [`Ferm::Policies`](#fermpolicies): a list of allowed default policies for a chain
 * [`Ferm::Protocols`](#fermprotocols): a list of allowed protocolls to match
@@ -83,6 +82,14 @@ Path to the config file
 Default value: /etc/ferm.conf
 Allowed values: Stdlib::Absolutepath
+##### `configdirectory`
+
+Data type: `Stdlib::Absolutepath`
+
+Path to the directory where the module stores ferm configuration files
+Default value: /etc/ferm.d or /etc/ferm/ferm.d
+Allowed values: Stdlib::Absolutepath
+
 ##### `disable_conntrack`
 Data type: `Boolean`
@@ -178,7 +185,7 @@ Disable/Enable usage of conntrack
 ##### `chain`
-Data type: `Ferm::Chains`
+Data type: `String[1]`
 Name of the chain that should be managed
@@ -200,7 +207,7 @@ The following parameters are available in the `ferm::rule` defined type.
 ##### `chain`
-Data type: `Ferm::Chains`
+Data type: `String[1]`
 Configure the chain where we want to add the rule
@@ -282,12 +289,6 @@ Default value: 'present'
 ## Data types
-### Ferm::Chains
-
-a type that allows the default iptables chains
-
-Alias of `Enum['INPUT', 'FORWARD', 'OUTPUT']`
-
 ### Ferm::Policies
 a list of allowed default policies for a chain
diff --git a/data/Debian-10.yaml b/data/Debian-10.yaml
new file mode 100644
index 0000000..1bc29fc
--- /dev/null
+++ b/data/Debian-10.yaml
@@ -0,0 +1,3 @@
+---
+ferm::configfile: /etc/ferm/ferm.conf
+ferm::configdirectory: /etc/ferm/ferm.d
diff --git a/data/common.yaml b/data/common.yaml
index 5ab9171..e68d41a 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -4,6 +4,7 @@ ferm::manage_configfile: false
 ferm::manage_initfile: false
 ferm::disable_conntrack: false
 ferm::configfile: /etc/ferm.conf
+ferm::configdirectory: /etc/ferm.d
 ferm::input_policy: DROP
 ferm::forward_policy: DROP
 ferm::output_policy: ACCEPT
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 0a0071a..1198f62 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -7,17 +7,17 @@ define ferm::chain (
 Ferm::Policies $policy,
 Boolean $disable_conntrack,
 Boolean $log_dropped_packets,
- Ferm::Chains $chain = $name,
+ String[1] $chain = $name,
 ) {
 # concat resource for the chain
 $filename = downcase($chain)
- concat{"/etc/ferm.d/chains/${chain}.conf":
+ concat{"${ferm::configdirectory}/chains/${chain}.conf":
 ensure => 'present',
 }
 concat::fragment{"${chain}-policy":
- target => "/etc/ferm.d/chains/${chain}.conf",
+ target => "${ferm::configdirectory}/chains/${chain}.conf",
 content => epp(
 "${module_name}/ferm_chain_header.conf.epp", {
 'policy' => $policy,
@@ -29,7 +29,7 @@ define ferm::chain (
 if $log_dropped_packets {
 concat::fragment{"${chain}-footer":
- target => "/etc/ferm.d/chains/${chain}.conf",
+ target => "${ferm::configdirectory}/chains/${chain}.conf",
 content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
 order => 'zzzzzzzzzzzzzzzzzzzzz',
 }
diff --git a/manifests/config.pp b/manifests/config.pp
index 23ed390..88fff15 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -9,13 +9,13 @@ class ferm::config {
 # copy static files to ferm
 # on a long term point of view, we want to package this
- file{'/etc/ferm.d':
+ file{$ferm::configdirectory:
 ensure => 'directory',
 }
- -> file{'/etc/ferm.d/definitions':
+ -> file{"${ferm::configdirectory}/definitions":
 ensure => 'directory',
 }
- -> file{'/etc/ferm.d/chains':
+ -> file{"${ferm::configdirectory}/chains":
 ensure => 'directory',
 }
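Review bot: In the first chain.pp hunk, replacing `Ferm::Chains` with `String[1]` on `$chain` removes the only validation of a value that is then interpolated into the concat title and target path `"${ferm::configdirectory}/chains/${chain}.conf"` and into the generated ferm configuration, so a chain title containing `/`, `..` or ferm syntax characters is no longer rejected at catalog compile time. If arbitrary chain names are intended, constrain the type rather than accepting any non-empty string, e.g. `Pattern[/\A[A-Za-z0-9_-]+\z/] $chain = $name,`. The same `String[1] $chain,` parameter appears in the rule.pp hunk and should get the same type, since rule.pp interpolates `$chain` into the same target path. Both defines continue outside their hunks.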
@@ -25,7 +25,7 @@ class ferm::config {
 }
 concat::fragment{'ferm_header.conf':
 target => $ferm::configfile,
- content => epp("${module_name}/ferm_header.conf.epp"),
+ content => epp("${module_name}/ferm_header.conf.epp", {'configdirectory' => $ferm::configdirectory}),
 order => '01',
 }
@@ -33,7 +33,8 @@ class ferm::config {
 target => $ferm::configfile,
 content => epp(
 "${module_name}/ferm.conf.epp", {
- 'ip' => $_ip,
+ 'ip' => $_ip,
+ 'configdirectory' => $ferm::configdirectory,
 }
 ),
 order => '50',
diff --git a/manifests/init.pp b/manifests/init.pp
index b70d56d..f1f9aa9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -20,6 +20,9 @@
 # @param configfile Path to the config file
 # Default value: /etc/ferm.conf
 # Allowed values: Stdlib::Absolutepath
+# @param configdirectory Path to the directory where the module stores ferm configuration files
+# Default value: /etc/ferm.d or /etc/ferm/ferm.d
+# Allowed values: Stdlib::Absolutepath
 # @param disable_conntrack Disable/Enable the generation of conntrack rules
 # Default value: false
 # Allowed values: (true|false)
@@ -51,6 +54,7 @@ class ferm (
 Boolean $manage_configfile,
 Boolean $manage_initfile,
 Stdlib::Absolutepath $configfile,
+ Stdlib::Absolutepath $configdirectory,
 Boolean $disable_conntrack,
 Ferm::Policies $forward_policy,
 Ferm::Policies $output_policy,
diff --git a/manifests/rule.pp b/manifests/rule.pp
index bd17245..68e88a2 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -11,7 +11,7 @@
 # @param interface an Optional interface where this rule should be applied
 # @param ensure Set the rule to present or absent
 define ferm::rule (
- Ferm::Chains $chain,
+ String[1] $chain,
 Ferm::Policies $policy,
 Ferm::Protocols $proto,
 String $comment = $name,
@@ -68,28 +68,28 @@ define ferm::rule (
 if $interface {
 unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) {
 concat::fragment{"${chain}-${interface}-aaa":
- target => "/etc/ferm.d/chains/${chain}.conf",
+ target => "${ferm::configdirectory}/chains/${chain}.conf",
 content => "interface ${interface} {\n",
 order => $interface,
 }
 }
 concat::fragment{"${chain}-${interface}-${name}":
- target => "/etc/ferm.d/chains/${chain}.conf",
+ target => "${ferm::configdirectory}/chains/${chain}.conf",
 content => " ${rule}\n",
 order => $interface,
 }
 unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) {
 concat::fragment{"${chain}-${interface}-zzz":
- target => "/etc/ferm.d/chains/${chain}.conf",
+ target => "${ferm::configdirectory}/chains/${chain}.conf",
 content => "}\n",
 order => $interface,
 }
 }
 } else {
 concat::fragment{"${chain}-${name}":
- target => "/etc/ferm.d/chains/${chain}.conf",
+ target => "${ferm::configdirectory}/chains/${chain}.conf",
 content => "${rule}\n",
 }
 }
diff --git a/metadata.json b/metadata.json
index 44f90c4..ec6d3cf 100644
--- a/metadata.json
+++ b/metadata.json
@@ -36,7 +36,8 @@
 "operatingsystem": "Debian",
 "operatingsystemrelease": [
 "8",
- "9"
+ "9",
+ "10"
 ]
 },
 {
diff --git a/spec/classes/ferm_spec.rb b/spec/classes/ferm_spec.rb
index aebcaae..55e6739 100644
--- a/spec/classes/ferm_spec.rb
+++ b/spec/classes/ferm_spec.rb
@@ -17,9 +17,16 @@ describe 'ferm' do
 it { is_expected.to contain_class('ferm::service') }
 it { is_expected.to contain_class('ferm::install') }
 it { is_expected.to contain_package('ferm') }
- it { is_expected.to contain_file('/etc/ferm.d') }
- it { is_expected.to contain_file('/etc/ferm.d/definitions') }
- it { is_expected.to contain_file('/etc/ferm.d/chains') }
+ if facts[:os]['release']['major'].to_i == 10
+ it { is_expected.to contain_file('/etc/ferm/ferm.d') }
+ it { is_expected.to contain_file('/etc/ferm/ferm.d/definitions') }
+ it { is_expected.to contain_file('/etc/ferm/ferm.d/chains') }
+ else
+ it { is_expected.to contain_file('/etc/ferm.d') }
+ it { is_expected.to contain_file('/etc/ferm.d/definitions') }
+ it { is_expected.to contain_file('/etc/ferm.d/chains') }
+ end
+
 it { is_expected.not_to contain_service('ferm') }
 it { is_expected.not_to contain_file('/etc/ferm.conf') }
 if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i <= 6
@@ -44,7 +51,7 @@ describe 'ferm' do
 { manage_configfile: true }
 end
- if facts[:os]['name'] == 'Ubuntu'
+ if facts[:os]['name'] == 'Ubuntu' || facts[:os]['release']['major'].to_i == 10
 it { is_expected.to contain_concat('/etc/ferm/ferm.conf') }
 else
 it { is_expected.to contain_concat('/etc/ferm.conf') }
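Review bot: The new branch condition `if facts[:os]['release']['major'].to_i == 10` in the first ferm_spec.rb hunk keys only on the major release number, while the path override it is testing lives in data/Debian-10.yaml and so applies only to Debian; any other entry in the supported-OS facts list with major version 10 would make the spec expect `/etc/ferm/ferm.d` and fail for the wrong reason. Scope the check to the OS, `if facts[:os]['name'] == 'Debian' && facts[:os]['release']['major'].to_i == 10`, and do the same for the `|| facts[:os]['release']['major'].to_i == 10` clause in the second hunk of this file, the `== 10` branch in the next ferm_spec.rb hunk, and the one in chain_spec.rb. A shared `let(:debian10)` predicate would keep the four conditions from drifting.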
@@ -68,9 +75,15 @@ describe 'ferm' do
 it { is_expected.to contain_concat__fragment('FORWARD-policy') }
 it { is_expected.to contain_concat__fragment('INPUT-policy') }
 it { is_expected.to contain_concat__fragment('OUTPUT-policy') }
- it { is_expected.to contain_concat('/etc/ferm.d/chains/FORWARD.conf') }
- it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
- it { is_expected.to contain_concat('/etc/ferm.d/chains/OUTPUT.conf') }
+ if facts[:os]['release']['major'].to_i == 10
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/FORWARD.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/INPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/OUTPUT.conf') }
+ else
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/FORWARD.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/OUTPUT.conf') }
+ end
 it { is_expected.to contain_ferm__chain('FORWARD') }
 it { is_expected.to contain_ferm__chain('OUTPUT') }
 it { is_expected.to contain_ferm__chain('INPUT') }
diff --git a/spec/defines/chain_spec.rb b/spec/defines/chain_spec.rb
index d3ab857..9425821 100644
--- a/spec/defines/chain_spec.rb
+++ b/spec/defines/chain_spec.rb
@@ -6,9 +6,13 @@ describe 'ferm::chain', type: :define do
 let :facts do
 facts
 end
- let(:title) { 'INPUT' }
+ let(:title) { 'INPUT2' }
- context 'default params creates INPUT chain' do
+ let :pre_condition do
+ 'include ferm'
+ end
+
+ context 'default params creates INPUT2 chain' do
 let :params do
 {
 policy: 'DROP',
@@ -19,15 +23,19 @@ describe 'ferm::chain', type: :define do
 it { is_expected.to compile.with_all_deps }
 it do
- is_expected.to contain_concat__fragment('INPUT-policy'). \
+ is_expected.to contain_concat__fragment('INPUT2-policy'). \
 with_content(%r{ESTABLISHED RELATED})
 end
 it do
- is_expected.to contain_concat__fragment('INPUT-footer'). \
- with_content(%r{LOG log-prefix 'INPUT: ';})
+ is_expected.to contain_concat__fragment('INPUT2-footer'). \
+ with_content(%r{LOG log-prefix 'INPUT2: ';})
+ end
+ if facts[:os]['release']['major'].to_i == 10
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/INPUT2.conf') }
+ else
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT2.conf') }
 end
- it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
- it { is_expected.to contain_ferm__chain('INPUT') }
+ it { is_expected.to contain_ferm__chain('INPUT2') }
 end
 context 'without conntrack' do
@@ -41,13 +49,13 @@ describe 'ferm::chain', type: :define do
 it { is_expected.to compile.with_all_deps }
 it do
- is_expected.to contain_concat__fragment('INPUT-policy')
- is_expected.not_to contain_concat__fragment('INPUT-policy'). \
+ is_expected.to contain_concat__fragment('INPUT2-policy')
+ is_expected.not_to contain_concat__fragment('INPUT2-policy'). \
 with_content(%r{ESTABLISHED RELATED})
 end
 it do
- is_expected.not_to contain_concat__fragment('INPUT-footer'). \
- with_content(%r{LOG log-prefix 'INPUT: ';})
+ is_expected.not_to contain_concat__fragment('INPUT2-footer'). \
+ with_content(%r{LOG log-prefix 'INPUT2: ';})
 end
 end
 end
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index 3ee5576..1bec758 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -7,6 +7,10 @@ describe 'ferm::rule', type: :define do
 facts
 end
+ let :pre_condition do
+ 'include ferm'
+ end
+
 context 'without a specific interface' do
 let(:title) { 'filter-ssh' }
 let :params do
diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp
index 37afca0..b3aa0ce 100644
--- a/templates/ferm.conf.epp
+++ b/templates/ferm.conf.epp
@@ -1,17 +1,19 @@
-<%- | String[1] $ip | -%>
+<%- | String[1] $ip,
+Stdlib::Absolutepath $configdirectory,
+| -%>
 # End custom section
 domain (<%= $ip %>) table filter {
 chain INPUT {
 interface lo ACCEPT;
- @include '/etc/ferm.d/chains/INPUT.conf';
+ @include '<%= $configdirectory %>/chains/INPUT.conf';
 }
 chain OUTPUT {
- @include '/etc/ferm.d/chains/OUTPUT.conf';
+ @include '<%= $configdirectory %>/chains/OUTPUT.conf';
 }
 chain FORWARD {
- @include '/etc/ferm.d/chains/FORWARD.conf';
+ @include '<%= $configdirectory %>/chains/FORWARD.conf';
 }
 }
diff --git a/templates/ferm_header.conf.epp b/templates/ferm_header.conf.epp
index 66922d7..e1a1f1a 100644
--- a/templates/ferm_header.conf.epp
+++ b/templates/ferm_header.conf.epp
@@ -1,8 +1,9 @@
+<%- | Stdlib::Absolutepath $configdirectory | -%>
 # Currently managed by Puppet
 # Author: Tim Meusel <tim@bastelfreak.de>
 #
 # get all ip definitions
-@include '/etc/ferm.d/definitions/';
+@include '<%= $configdirectory %>/definitions/';
 # Begin custom section
diff --git a/types/chains.pp b/types/chains.pp
deleted file mode 100644
index e916359..0000000
--- a/types/chains.pp
+++ /dev/null
@@ -1,2 +0,0 @@
-# @summary a type that allows the default iptables chains
-type Ferm::Chains = Enum['INPUT', 'FORWARD', 'OUTPUT']
|
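Review bot: ferm.conf.epp still `@include`s only `chains/INPUT.conf`, `chains/OUTPUT.conf` and `chains/FORWARD.conf`, while this commit lets `ferm::chain` and `ferm::rule` accept any `String[1]` chain name; a chain declared under another title (the new chain_spec uses `INPUT2`) gets its concat file written under `<%= $configdirectory %>/chains/` but, as far as the templates in this diff show, nothing loads it, so its rules would be silently absent from the running ruleset. Unless a custom chain is included somewhere outside this diff, either generate the includes from the set of managed chains or state in the `chain` parameter docs that only INPUT, OUTPUT and FORWARD are wired into ferm.conf, e.g. `# @param chain Name of the chain; only INPUT, OUTPUT and FORWARD are included by ferm.conf.epp`.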