From a567a8fdcc6f933286a6ce3e497fc0cfb87ec971 Mon Sep 17 00:00:00 2001
From: Kilian Engelhardt
Date: Mon, 29 Jul 2019 10:27:43 +0200
Subject: allow arrays for saddr and daddr check for data type IP address when using arrays add debug output when it's failing
---
 manifests/rule.pp | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/manifests/rule.pp b/manifests/rule.pp
index b8ae29a..bd17245 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -17,8 +17,8 @@ define ferm::rule (
 String $comment = $name,
 Optional[Variant[Stdlib::Port,String[1]]] $dport = undef,
 Optional[Variant[Stdlib::Port,String[1]]] $sport = undef,
- Optional[String[1]] $saddr = undef,
- Optional[String[1]] $daddr = undef,
+ Optional[Variant[Array, String[1]]] $saddr = undef,
+ Optional[Variant[Array, String[1]]] $daddr = undef,
 Optional[String[1]] $proto_options = undef,
 Optional[String[1]] $interface = undef,
 Enum['absent','present'] $ensure = 'present',
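Review bot: The new `Array` in `Optional[Variant[Array, String[1]]]` for `$saddr` and `$daddr` is unconstrained, so an empty array satisfies the signature; the body's `assert_type(Array[Stdlib::IP::Address], ...)` also accepts `[]`, and the rule is then rendered with an empty address list. What ferm does with `saddr @ipfilter(())` is not visible here — if it drops the match rather than the rule, an ACCEPT rule silently loses its source restriction — so it is worth rejecting at the interface with `Optional[Variant[Array[Variant[Stdlib::IP::Address, Array], 1], String[1]]]` and noting in the parameter docs that nested arrays are flattened. The `define ferm::rule (` parameter list begins before this hunk and continues after it.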
@@ -33,13 +33,29 @@ define ferm::rule (
 undef => '',
 default => "sport ${sport}",
 }
+ if $saddr =~ Array {
+ assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| {
+ fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." )
+ ''
+ }
+ }
 $saddr_real = $saddr ? {
 undef => '',
- default => "saddr @ipfilter(${saddr})",
+ Array => "saddr @ipfilter((${join(flatten($saddr).unique, ' ')}))",
+ String => "saddr @ipfilter((${saddr}))",
+ default => '',
+ }
+ if $daddr =~ Array {
+ assert_type(Array[Stdlib::IP::Address], flatten($daddr)) |$expected, $actual| {
+ fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($daddr)}." )
+ ''
+ }
 }
 $daddr_real = $daddr ? {
- undef => '',
- default => "daddr @ipfilter(${daddr})"
+ undef => '',
+ Array => "daddr @ipfilter((${join(flatten($daddr).unique, ' ')}))",
+ String => "daddr @ipfilter((${daddr}))",
+ default => '',
 }
 $proto_options_real = $proto_options ? {
 undef => '',
-- cgit v1.2.3
From 1f8fe9481d7f12215661d4a0982810cd683f1ba9 Mon Sep 17 00:00:00 2001
From: Kilian Engelhardt
Date: Tue, 6 Aug 2019 10:48:02 +0200
Subject: add example using Hiera subnet variables to README.md
---
 README.md | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 2f8fcf8..cd31e24 100644
--- a/README.md
+++ b/README.md
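Review bot: Only the Array path is validated; the new `String => "saddr @ipfilter((${saddr}))"` branch and its `daddr` counterpart still interpolate the raw string into the concat fragment, so a String value carrying ferm syntax (a stray `)` or `;`, for instance) ends up verbatim in the generated ruleset instead of failing the catalog. If single-address strings are the intended use, `String => "saddr @ipfilter((${assert_type(Stdlib::IP::Address, $saddr)}))"` closes the gap; if legacy `'( a b )'` strings must keep working, a `Pattern[]` allow-list of address characters, whitespace and parentheses is the fallback, and either way the passthrough deserves a comment saying the value is emitted unchecked. Separately, `\'` inside the double-quoted `fail()` messages is not a recognised Puppet escape sequence (single quotes need no escaping there) and should produce an unrecognised-escape warning whenever the lambda runs. `define ferm::rule` continues outside this hunk.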
@@ -63,17 +63,29 @@ You can collect them like this:
 Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
 ```
-You can also define rules in hiera:
+You can also define rules in Hiera. Make sure to use `alias()` as interpolation function, because `hiera()` will always return string.
 ```yaml
 ---
+subnet01: '123.123.123.0/24'
+subnet02: '123.123.124.0/24'
+subnet03:
+ - '123.123.125.0/24'
+ - '123.123.126.0/24'
+
+subnets:
+ - "%{alias('subnet01')}"
+ - "%{alias('subnet02')}"
+ - "%{alias('subnet03')}"
+ - 123.123.127.0/24
+
 ferm::rules:
 'allow_http_https':
 chain: 'INPUT'
 policy: 'ACCEPT'
 proto: 'tcp'
 dport: '(80 443)'
- saddr: "%{hiera('some_other_hiera_key')}"
+ saddr: "%{alias('subnets')}"
 ```
 ferm::rules is a hash. configured for deep merge. Hiera will collect all
-- cgit v1.2.3
From b1ba4a0ef369008996363c3cca15877cf8eb9fe5 Mon Sep 17 00:00:00 2001
From: Kilian Engelhardt
Date: Tue, 6 Aug 2019 11:22:47 +0200
Subject: add test for array support
---
 spec/defines/rule_spec.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index bd4ed73..53a11a4 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -40,6 +40,24 @@ describe 'ferm::rule', type: :define do
 it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
 it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
 end
+ context 'with a specific interface using array for daddr' do
+ let(:title) { 'filter-ssh' }
+ let :params do
+ {
+ chain: 'INPUT',
+ policy: 'ACCEPT',
+ proto: 'tcp',
+ dport: '22',
+ daddr: ['127.0.0.1', '123.123.123.123', ['10.0.0.1', '10.0.0.2']],
+ interface: 'eth0'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 daddr @ipfilter(127.0.0.1 123.123.123.123 10.0.0.1 10.0.0.2) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
+ end
 end
 end
 end
-- cgit v1.2.3
From 7798de651ac2e155680fca978027d0fc6495831a Mon Sep 17 00:00:00 2001
From: Kilian Engelhardt
Date: Thu, 8 Aug 2019 16:44:54 +0200
Subject: add second pair of parenthesis Previously this second pair of parenthesis was part of Hiera values; e.g.: subnet01 = '( ip01/32 ip02/32 )' Now it needs to be added by ferm::rule.
---
 spec/defines/rule_spec.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index 53a11a4..3ee5576 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
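Review bot: The new context covers only the success path for an array `daddr`; nothing exercises the `assert_type`/`fail` branch that rejects non-address elements, and an array `saddr` is untested too. Since that validation is what keeps arbitrary strings out of the rendered ruleset, add a context with `daddr: ['127.0.0.1', 'not-an-address']` and `it { is_expected.to compile.and_raise_error(/The data type should be/) }`, plus a mirror of this context for `saddr`. The enclosing `describe`/`context` blocks start before this hunk.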
@@ -20,7 +20,7 @@ describe 'ferm::rule', type: :define do
 end
 it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
 end
 context 'with a specific interface' do
 let(:title) { 'filter-ssh' }
@@ -36,7 +36,7 @@ describe 'ferm::rule', type: :define do
 end
 it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
 it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
 it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
 end
@@ -54,7 +54,7 @@ describe 'ferm::rule', type: :define do
 end
 it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 daddr @ipfilter(127.0.0.1 123.123.123.123 10.0.0.1 10.0.0.2) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 daddr @ipfilter((127.0.0.1 123.123.123.123 10.0.0.1 10.0.0.2)) ACCEPT;\n") }
 it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
 it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
 end
-- cgit v1.2.3
From a0d72d5947030fc2dc4332652e5868fa15b906e4 Mon Sep 17 00:00:00 2001
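Review bot: These expectation updates pin the new double parentheses but leave the compatibility case the commit message itself describes untested: a Hiera string that already carries its own parentheses (`'( ip01/32 ip02/32 )'`) now renders as `saddr @ipfilter(((…)))`, and whether ferm treats that nested list the same as a flat one is not established by anything here. Add a context in the first hunk's `saddr` group that passes such a string and asserts the exact fragment it produces, and one with duplicate addresses in an array to cover the `.unique` deduplication the rendering relies on. All three hunks sit inside `describe 'ferm::rule'`, which starts before them.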
From: kBite
Date: Fri, 9 Aug 2019 17:41:28 +0200
Subject: Update README.md add missing 'a' Co-Authored-By: Tim Meusel
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index cd31e24..2668e95 100644
--- a/README.md
+++ b/README.md
@@ -63,7 +63,7 @@ You can collect them like this:
 Ferm::Rule <<| tag == 'allow_kafka_server2server' |>>
 ```
-You can also define rules in Hiera. Make sure to use `alias()` as interpolation function, because `hiera()` will always return string.
+You can also define rules in Hiera. Make sure to use `alias()` as interpolation function, because `hiera()` will always return a string.
 ```yaml
 ---
-- cgit v1.2.3