Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/chain.pp | 54 | ||||
-rw-r--r-- | manifests/config.pp | 10 | ||||
-rw-r--r-- | manifests/init.pp | 8 | ||||
-rw-r--r-- | manifests/install.pp | 36 | ||||
-rw-r--r-- | manifests/service.pp | 2 |
5 files changed, 85 insertions, 25 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
index ed58126..91cd930 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -25,7 +25,8 @@ define ferm::chain (
 String[1] $chain = $name,
 Optional[Ferm::Policies] $policy = undef,
 Ferm::Tables $table = 'filter',
- Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions,
+ Array[Enum['ip', 'ip6']] $ip_versions = $ferm::ip_versions,
+ Optional[String[1]] $content = undef,
 ) {
 # prevent unmanaged files due to new naming schema
 # keep the default "filter" chains in the original location
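Review bot: The new `$content` parameter has no `@param` entry in the define's documentation header, which sits above this hunk, so the only place its effect is visible is the body in the next hunk. Add `# @param content Custom ferm configuration for the chain; when set it replaces the generated policy header and the dropped-packets footer` next to the other `@param` lines. The `Array[Enum['ip', 'ip6']]` change on the line above is cosmetic.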
@@ -43,32 +44,43 @@ define ferm::chain (
 'filter' => ['INPUT', 'FORWARD', 'OUTPUT'],
 }
- if $policy and ! ($chain in $builtin_chains[$table]) {
+ if $policy and !($chain in $builtin_chains[$table]) {
 fail("Can only set a default policy for builtin chains. '${chain}' is not a builtin chain.")
 }
 # concat resource for the chain
- concat{$filename:
- ensure => 'present',
+ concat { $filename:
+ ensure => 'present',
 }
- concat::fragment{"${table}-${chain}-policy":
- target => $filename,
- content => epp(
- "${module_name}/ferm_chain_header.conf.epp", {
- 'policy' => $policy,
- 'disable_conntrack' => $disable_conntrack,
- 'drop_invalid_packets_with_conntrack' => $drop_invalid_packets_with_conntrack,
- }
- ),
- order => '01',
- }
-
- if $log_dropped_packets {
- concat::fragment{"${table}-${chain}-footer":
+ if $content {
+ concat::fragment { "${table}-${chain}-custom-content":
 target => $filename,
- content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
- order => 'zzzzzzzzzzzzzzzzzzzzz',
+ content => epp(
+ "${module_name}/ferm_chain_custom.conf.epp", {
+ 'content' => $content,
+ },
+ ),
+ }
+ } else {
+ concat::fragment { "${table}-${chain}-policy":
+ target => $filename,
+ content => epp(
+ "${module_name}/ferm_chain_header.conf.epp", {
+ 'policy' => $policy,
+ 'disable_conntrack' => $disable_conntrack,
+ 'drop_invalid_packets_with_conntrack' => $drop_invalid_packets_with_conntrack,
+ }
+ ),
+ order => '01',
+ }
+
+ if $log_dropped_packets {
+ concat::fragment { "${table}-${chain}-footer":
+ target => $filename,
+ content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
+ order => 'zzzzzzzzzzzzzzzzzzzzz',
+ }
 }
 }
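Review bot: When `$content` is given the whole `else` branch is skipped, so `$policy`, `$disable_conntrack`, `$drop_invalid_packets_with_conntrack` and `$log_dropped_packets` are silently ignored even though the builtin-chain `fail()` check above still validates `$policy`; a caller that combines `content` with `policy => 'DROP'` or `log_dropped_packets => true` gets a chain with neither and no diagnostic. Reject the combination explicitly before the `if $content {` line, e.g. `if $content and ($policy or $log_dropped_packets) {` / `  fail("'content' replaces the generated header and footer of chain '${chain}'; do not combine it with 'policy' or 'log_dropped_packets'.")` / `}`. The custom-content fragment also sets no `order`, so it takes concat's default rather than the `'01'` the header fragment it replaces uses; set `order => '01'` if it is meant to stand in for the header.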
@@ -77,7 +89,7 @@ define ferm::chain (
 # This happens if we add ipset matches. We suffix this ordering with `bbb`. This allows us to
 # insert ipset matches before other rules by adding `-aaa` or
 # insert them at the end by ordering them with `-ccc`.
- concat::fragment{"${table}-${chain}-config-include":
+ concat::fragment { "${table}-${chain}-config-include":
 target => $ferm::configfile,
 content => epp(
 "${module_name}/ferm-table-chain-config-include.epp", {
diff --git a/manifests/config.pp b/manifests/config.pp
index 5876bd7..8ed0f57 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -10,6 +10,16 @@ class ferm::config {
 $_ip = join($ferm::ip_versions, ' ')
+ if $facts['systemd'] { #fact provided by systemd module
+ if $ferm::install_method == 'vcsrepo' and $ferm::manage_service {
+ systemd::dropin_file { 'ferm.conf':
+ unit => 'ferm.service',
+ content => epp("${module_name}/dropin_ferm.conf.epp"),
+ before => Service['ferm'],
+ }
+ }
+ }
+
 # copy static files to ferm
 # on a long term point of view, we want to package this
 file{$ferm::configdirectory:
diff --git a/manifests/init.pp b/manifests/init.pp
index b1d051e..251effe 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
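Review bot: The `ferm.conf` drop-in in the config.pp hunk is only ever declared present, so switching `install_method` back to `package` (or disabling `manage_service`) leaves the override for `ferm.service` on disk, unmanaged, while the packaged unit now runs with settings written for the source build. Declare the resource unconditionally under `if $facts['systemd'] and $ferm::manage_service {` and drive its state from the install method with `ensure  => bool2str($ferm::install_method == 'vcsrepo', 'present', 'absent'),` (stdlib is already in use in this module; confirm that the pinned `systemd` module's `dropin_file` accepts `ensure`). The comment `#fact provided by systemd module` also wants a space after `#` like the other comments in the file.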
@@ -45,8 +45,11 @@
 # @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
 # @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
 # @param ip_versions Set list of versions of ip we want ot use.
-# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for
+# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for (since ferm v2.4)
 # Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
+# @param install_method method used to install ferm
+# @param vcsrepo git repository where ferm sources are hosted
+# @param vcstag git tag used when install_method is vcsrepo
 class ferm (
 Stdlib::Absolutepath $configfile,
 Stdlib::Absolutepath $configdirectory,
@@ -67,6 +70,9 @@ class ferm (
 Hash $chains = {},
 Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'],
 Hash[String[1],Array[String[1]]] $preserve_chains_in_tables = {},
+ Enum['package','vcsrepo'] $install_method = 'package',
+ Stdlib::HTTPSUrl $vcsrepo = 'https://github.com/MaxKellermann/ferm.git',
+ String[1] $vcstag = 'v2.5.1',
 ) {
 contain ferm::install
 contain ferm::config
diff --git a/manifests/install.pp b/manifests/install.pp
index 4337a99..5755ead 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
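Review bot: `$vcstag = 'v2.5.1'` pins the source build to a git tag, and tags are movable references, so a tag retargeted upstream changes what `make install` builds without any change on the Puppet side; `Stdlib::HTTPSUrl` on `$vcsrepo` protects the transport, not the content that is checked out. Since `vcsrepo`'s `revision` also accepts a commit id and `String[1]` already allows one, say so in the documentation, e.g. `# @param vcstag git tag (or, preferably, a full commit sha) checked out when install_method is vcsrepo`, and consider defaulting to the commit behind `v2.5.1`. The `@param install_method` entry in the first hunk could also state that `vcsrepo` removes the distribution package and builds from source, which is what the install.pp hunk on this page does.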
@@ -8,8 +8,40 @@ class ferm::install {
 # this is a private class
 assert_private("You're not supposed to do that!")
- package{'ferm':
- ensure => 'latest',
+ case $ferm::install_method {
+ 'package': {
+ package{'ferm':
+ ensure => 'latest',
+ }
+ }
+ 'vcsrepo': {
+ $_source_path = '/opt/ferm'
+ ensure_packages (['git', 'iptables', 'perl', 'make'], { ensure => present })
+
+ package{'ferm':
+ ensure => absent,
+ }
+ -> vcsrepo { $_source_path :
+ ensure => present,
+ provider => git,
+ source => $ferm::vcsrepo,
+ revision => $ferm::vcstag,
+ }
+ -> exec { 'make install':
+ cwd => $_source_path,
+ path => '/usr/sbin:/usr/bin:/sbin:/bin',
+ creates => '/usr/sbin/ferm',
+ }
+ -> file { '/etc/ferm':
+ ensure => directory,
+ owner => 0,
+ group => 0,
+ mode => '0700',
+ }
+ }
+ default: {
+ fail("unexpected install_method ${ferm::install_method}")
+ }
 }
 if $ferm::manage_initfile {
diff --git a/manifests/service.pp b/manifests/service.pp
index e9eb369..9fb1737 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -15,7 +15,7 @@ class ferm::service {
 }
 # on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
- if ($facts['os']['name'] in ['Ubuntu', 'Debian']) {
+ if ($facts['os']['name'] in ['Ubuntu', 'Debian']) and ($ferm::install_method == 'package') {
 file_line{'enable_ferm':
 path => '/etc/default/ferm',
 line => 'ENABLED="yes"',
|
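Review bot: Once `/usr/sbin/ferm` exists the `creates` guard keeps `exec { 'make install': }` from ever running again, so bumping `$ferm::vcstag` updates the checkout in `/opt/ferm` but leaves the installed binary at the old version while Puppet reports the run converged (`creates` also suppresses refresh runs). Replace `creates => '/usr/sbin/ferm',` with `refreshonly => true,` and `subscribe => Vcsrepo[$_source_path],` so the build reruns whenever the checkout changes; the initial clone emits an event too, so the first run still installs. Separately, if `$ferm::configdirectory` resolves to `/etc/ferm` (its default is not visible here), the new `file { '/etc/ferm': }` duplicates the `file { $ferm::configdirectory: }` declared in config.pp and the catalog will not compile. Note also that `git`, `make` and `perl` are installed permanently on the firewall host and are not removed when `install_method` is switched back to `package`.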