From 750675333fdbe6c40b63c75b53e360151780fa24 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Wed, 19 Dec 2018 09:48:29 +0100
Subject: Implement logging to kernel log

---
 data/common.yaml | 3 +++
 manifests/chain.pp | 10 ++++++++++
 manifests/config.pp | 15 +++++++++------
 manifests/init.pp | 12 ++++++++++++
 spec/defines/chain_spec.rb | 14 ++++++++++++--
 templates/ferm_chain_footer.conf.epp | 3 +++
 6 files changed, 49 insertions(+), 8 deletions(-)
 create mode 100644 templates/ferm_chain_footer.conf.epp

diff --git a/data/common.yaml b/data/common.yaml
index 57509c5..938fbef 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -7,3 +7,6 @@ ferm::input_policy: DROP
 ferm::forward_policy: DROP
 ferm::output_policy: ACCEPT
 ferm::rules: {}
+ferm::input_log_dropped_packets: false
+ferm::forward_log_dropped_packets: false
+ferm::output_log_dropped_packets: false
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 5b21912..f9722cf 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -2,9 +2,11 @@
 # @param policy [Ferm::Policies] Set the default policy for a CHAIN
 # @param disable_conntrack [Boolean] disable/enable usage of conntrack
 # @param chain [Ferm::Chains] name of the chain that should be managed
+# @param log_dropped_packets [Boolean] boolean to enable/disable logging of packets to the kernel log, if no explicit chain matched
 define ferm::chain (
 Ferm::Policies $policy,
 Boolean $disable_conntrack,
+ Boolean $log_dropped_packets,
 Ferm::Chains $chain = $name,
 ) {
@@ -24,4 +26,12 @@ define ferm::chain (
 ),
 order => '01',
 }
+
+ if $log_dropped_packets {
+ concat::fragment{"${chain}-footer":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
+ order => '99',
+ }
+ }
 }
diff --git a/manifests/config.pp b/manifests/config.pp
index ff69c06..1736fa6 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
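Review bot: The new `Boolean $log_dropped_packets` parameter in the first manifests/chain.pp hunk has no default, so any ferm::chain declared outside this module's ferm::config stops compiling until its caller is updated; `Boolean $log_dropped_packets = false,` keeps the feature opt-in and backward compatible, and config.pp still passes the value explicitly. The name also overstates what the second hunk does: the `"${chain}-footer"` fragment logs every packet that reaches the end of the chain whatever the policy is, so with the `ferm::output_policy: ACCEPT` default shown in the data/common.yaml hunk, `output_log_dropped_packets` logs traffic that is then accepted. A line in the @param doc such as `# Packets are logged because no rule matched them; whether they are then dropped depends on $policy.` would make that explicit. The same @param text here, in the manifests/init.pp hunk and in the later REFERENCE.md and third-commit hunks says "if no explicit chain matched" where "rule" is meant.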
@@ -35,15 +35,18 @@ class ferm::config {
 }
 ferm::chain{'INPUT':
- policy => $ferm::input_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::input_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::input_log_dropped_packets,
 }
 ferm::chain{'FORWARD':
- policy => $ferm::forward_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::forward_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::forward_log_dropped_packets,
 }
 ferm::chain{'OUTPUT':
- policy => $ferm::output_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::output_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::output_log_dropped_packets,
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 0096c3a..c9f2a48 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -31,6 +31,15 @@
 # @param rules a hash that holds all data for ferm::rule
 # Default value: Empty Hash
 # Allowed value: Any Hash
+# @param forward_log_dropped_packets boolean to enable/disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param output_log_dropped_packets boolean to enable/disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param input_log_dropped_packets boolean to enable/disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
 class ferm (
 Boolean $manage_service,
 Boolean $manage_configfile,
@@ -39,6 +48,9 @@ class ferm (
 Ferm::Policies $forward_policy,
 Ferm::Policies $output_policy,
 Ferm::Policies $input_policy,
+ Boolean $forward_log_dropped_packets,
+ Boolean $output_log_dropped_packets,
+ Boolean $input_log_dropped_packets,
 Hash $rules,
 ) {
 contain ferm::install
diff --git a/spec/defines/chain_spec.rb b/spec/defines/chain_spec.rb
index 7c4e80b..d3ab857 100644
--- a/spec/defines/chain_spec.rb
+++ b/spec/defines/chain_spec.rb
@@ -12,7 +12,8 @@ describe 'ferm::chain', type: :define do
 let :params do
 {
 policy: 'DROP',
- disable_conntrack: false
+ disable_conntrack: false,
+ log_dropped_packets: true
 }
 end
@@ -21,6 +22,10 @@ describe 'ferm::chain', type: :define do
 is_expected.to contain_concat__fragment('INPUT-policy'). \
 with_content(%r{ESTABLISHED RELATED})
 end
+ it do
+ is_expected.to contain_concat__fragment('INPUT-footer'). \
+ with_content(%r{LOG log-prefix 'INPUT: ';})
+ end
 it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
 it { is_expected.to contain_ferm__chain('INPUT') }
 end
@@ -29,7 +34,8 @@ describe 'ferm::chain', type: :define do
 let :params do
 {
 policy: 'DROP',
- disable_conntrack: true
+ disable_conntrack: true,
+ log_dropped_packets: false
 }
 end
@@ -39,6 +45,10 @@ describe 'ferm::chain', type: :define do
 is_expected.not_to contain_concat__fragment('INPUT-policy'). \
 with_content(%r{ESTABLISHED RELATED})
 end
+ it do
+ is_expected.not_to contain_concat__fragment('INPUT-footer'). \
+ with_content(%r{LOG log-prefix 'INPUT: ';})
+ end
 end
 end
 end
diff --git a/templates/ferm_chain_footer.conf.epp b/templates/ferm_chain_footer.conf.epp
new file mode 100644
index 0000000..39d8684
--- /dev/null
+++ b/templates/ferm_chain_footer.conf.epp
@@ -0,0 +1,3 @@
+<%- | String[1] $chain,
+| -%>
+LOG log-prefix '<%= $chain %>: ';
-- cgit v1.2.3

From 37a1f54510341219818eafb6411488ebcab63e9b Mon Sep 17 00:00:00 2001
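Review bot: The negative assertion in the last spec/defines/chain_spec.rb hunk, `is_expected.not_to contain_concat__fragment('INPUT-footer'). \ with_content(%r{LOG log-prefix 'INPUT: ';})`, only proves that no footer fragment has that exact content, so it would still pass if a footer were emitted with a different body while log_dropped_packets is false. The intent is that no footer is declared at all, which `is_expected.not_to contain_concat__fragment('INPUT-footer')` pins directly. The positive example in the second hunk could also add `.with_order('99')` so the footer is verified to sort after the `INPUT-policy` fragment rather than only to exist.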
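Review bot: The `LOG log-prefix '<%= $chain %>: ';` line in templates/ferm_chain_footer.conf.epp carries no rate limit, so every packet that falls through the chain becomes a kernel log line; on an INPUT chain with the DROP policy this is a write rate into the kernel ring buffer and syslog that remote traffic controls, and it can fill the disk and push other kernel messages out of the buffer. ferm exposes the iptables limit match, so a bounded form such as `mod limit limit 10/minute limit-burst 20 LOG log-prefix '<%= $chain %>: ';` (values constructed, tune per site) keeps the feature usable under load, and the rate could be a further template parameter rather than a literal. Setting ferm's `log-level` option explicitly would also let these entries be routed separately from other kernel output.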
From: Tim Meusel
Date: Wed, 19 Dec 2018 10:38:09 +0100
Subject: Add puppet-strings docs for ferm::rule

---
 manifests/rule.pp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/manifests/rule.pp b/manifests/rule.pp
index 7b94210..c9c363f 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -1,3 +1,14 @@
+# defined resource which creates a single rule in a specific chain
+# @param chain [Ferm::Chains] configure the chain where we want to add the rule
+# @param policy [Ferm::Policies] configure what we want to do with the packet (drop, accept, log...)
+# @param proto [Ferm::Protocols] which protocol do we want to match, typically UDP or TCP
+# @param comment a comment that will be added to the ferm config and to ip{,6}tables
+# @param dport the destination port, can be a range as string or a single port number as integer
+# @param sport the source port, can be a range as string or a single port number as integer
+# @param saddr the source address we want to match
+# @param daddr the destination address we want to match
+# @param proto_options optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+# @param ensure set the rule to present or absent
 define ferm::rule (
 Ferm::Chains $chain,
 Ferm::Policies $policy,
-- cgit v1.2.3

From f3136278ebd816c58e305e937254e5ca0e2c0a91 Mon Sep 17 00:00:00 2001
From: Tim Meusel
Date: Wed, 19 Dec 2018 12:57:20 +0100
Subject: Simplify puppet-strings documentation

---
 REFERENCE.md | 252 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 manifests/chain.pp | 8 +-
 manifests/init.pp | 22 ++---
 manifests/rule.pp | 20 ++---
 4 files changed, 277 insertions(+), 25 deletions(-)
 create mode 100644 REFERENCE.md

diff --git a/REFERENCE.md b/REFERENCE.md
new file mode 100644
index 0000000..9425b52
--- /dev/null
+++ b/REFERENCE.md
@@ -0,0 +1,252 @@
+# Reference
+
+
+## Table of Contents
+
+**Classes**
+
+_Public Classes_
+
+* [`ferm`](#ferm): Class: ferm This class manages ferm installation and rule generation on modern linux systems class{'ferm': manage_service => true, }
+
+_Private Classes_
+
+* `ferm::config`: This class handles the configuration file. Avoid modifying private classes.
+* `ferm::install`: This class handles the configuration file. Avoid modifying private classes.
+* `ferm::service`: This class handles the configuration file. Avoid modifying private classes.
+
+**Defined types**
+
+* [`ferm::chain`](#fermchain): defined resource which creates all rules for one chain
+* [`ferm::rule`](#fermrule): defined resource which creates a single rule in a specific chain
+
+## Classes
+
+### ferm
+
+Class: ferm
+
+This class manages ferm installation and rule generation on modern linux systems
+
+class{'ferm':
+ manage_service => true,
+}
+
+#### Examples
+
+##### deploy ferm and start it
+
+```puppet
+
+```
+
+#### Parameters
+
+The following parameters are available in the `ferm` class.
+
+##### `manage_service`
+
+Data type: `Boolean`
+
+Disable/Enable the management of the ferm daemon
+Default value: false
+Allowed values: (true|false)
+
+##### `manage_configfile`
+
+Data type: `Boolean`
+
+Disable/Enable the management of the ferm default config
+Default value: false
+Allowed values: (true|false)
+
+##### `configfile`
+
+Data type: `Stdlib::Absolutepath`
+
+Path to the config file
+Default value: /etc/ferm.conf
+Allowed values: Stdlib::Absolutepath
+
+##### `disable_conntrack`
+
+Data type: `Boolean`
+
+Disable/Enable the generation of conntrack rules
+Default value: false
+Allowed values: (true|false)
+
+##### `forward_policy`
+
+Data type: `Ferm::Policies`
+
+Default policy for the FORWARD chain
+Default value: DROP
+Allowed values: (ACCEPT|DROP|REJECT)
+
+##### `output_policy`
+
+Data type: `Ferm::Policies`
+
+Default policy for the OUTPUT chain
+Default value: ACCEPT
+Allowed values: (ACCEPT|DROP|REJECT)
+
+##### `input_policy`
+
+Data type: `Ferm::Policies`
+
+Default policy for the INPUT chain
+Default value: DROP
+Allowed values: (ACCEPT|DROP|REJECT)
+
+##### `rules`
+
+Data type: `Hash`
+
+A hash that holds all data for ferm::rule
+Default value: Empty Hash
+Allowed value: Any Hash
+
+##### `forward_log_dropped_packets`
+
+Data type: `Boolean`
+
+Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
+Default value: false
+Allowed values: (true|false)
+
+##### `output_log_dropped_packets`
+
+Data type: `Boolean`
+
+Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
+Default value: false
+Allowed values: (true|false)
+
+##### `input_log_dropped_packets`
+
+Data type: `Boolean`
+
+Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
+Default value: false
+Allowed values: (true|false)
+
+## Defined types
+
+### ferm::chain
+
+defined resource which creates all rules for one chain
+
+#### Parameters
+
+The following parameters are available in the `ferm::chain` defined type.
+
+##### `policy`
+
+Data type: `Ferm::Policies`
+
+Set the default policy for a CHAIN
+
+##### `disable_conntrack`
+
+Data type: `Boolean`
+
+Disable/Enable usage of conntrack
+
+##### `chain`
+
+Data type: `Ferm::Chains`
+
+Name of the chain that should be managed
+
+Default value: $name
+
+##### `log_dropped_packets`
+
+Data type: `Boolean`
+
+Enable/Disable logging of packets to the kernel log, if no explicit chain matched
+
+### ferm::rule
+
+defined resource which creates a single rule in a specific chain
+
+#### Parameters
+
+The following parameters are available in the `ferm::rule` defined type.
+
+##### `chain`
+
+Data type: `Ferm::Chains`
+
+Configure the chain where we want to add the rule
+
+##### `policy`
+
+Data type: `Ferm::Policies`
+
+Configure what we want to do with the packet (drop, accept, log...)
+
+##### `proto`
+
+Data type: `Ferm::Protocols`
+
+Which protocol do we want to match, typically UDP or TCP
+
+##### `comment`
+
+Data type: `String`
+
+A comment that will be added to the ferm config and to ip{,6}tables
+
+Default value: $name
+
+##### `dport`
+
+Data type: `Optional[Variant[Integer,String]]`
+
+The destination port, can be a range as string or a single port number as integer
+
+Default value: `undef`
+
+##### `sport`
+
+Data type: `Optional[Variant[Integer,String]]`
+
+The source port, can be a range as string or a single port number as integer
+
+Default value: `undef`
+
+##### `saddr`
+
+Data type: `Optional[String]`
+
+The source address we want to match
+
+Default value: `undef`
+
+##### `daddr`
+
+Data type: `Optional[String]`
+
+The destination address we want to match
+
+Default value: `undef`
+
+##### `proto_options`
+
+Data type: `Optional[String[1]]`
+
+Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+
+Default value: `undef`
+
+##### `ensure`
+
+Data type: `Enum['absent','present']`
+
+Set the rule to present or absent
+
+Default value: 'present'
+
diff --git a/manifests/chain.pp b/manifests/chain.pp
index f9722cf..6a01607 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -1,8 +1,8 @@
 # defined resource which creates all rules for one chain
-# @param policy [Ferm::Policies] Set the default policy for a CHAIN
-# @param disable_conntrack [Boolean] disable/enable usage of conntrack
-# @param chain [Ferm::Chains] name of the chain that should be managed
-# @param log_dropped_packets [Boolean] boolean to enable/disable logging of packets to the kernel log, if no explicit chain matched
+# @param policy Set the default policy for a CHAIN
+# @param disable_conntrack Disable/Enable usage of conntrack
+# @param chain Name of the chain that should be managed
+# @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
 define ferm::chain (
 Ferm::Policies $policy,
 Boolean $disable_conntrack,
diff --git a/manifests/init.pp b/manifests/init.pp
index c9f2a48..82f163c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -7,37 +7,37 @@
 # manage_service => true,
 # }
 #
-# @param manage_service [Boolean] disable/enable the management of the ferm daemon
+# @param manage_service Disable/Enable the management of the ferm daemon
 # Default value: false
 # Allowed values: (true|false)
-# @param manage_configfile [Boolean] disable/enable the management of the ferm default config
+# @param manage_configfile Disable/Enable the management of the ferm default config
 # Default value: false
 # Allowed values: (true|false)
-# @param configfile [Stdlib::Absolutepath] path to the config file
+# @param configfile Path to the config file
 # Default value: /etc/ferm.conf
 # Allowed values: Stdlib::Absolutepath
-# @param disable_conntrack [Boolean] disable/enable the generation of conntrack rules
+# @param disable_conntrack Disable/Enable the generation of conntrack rules
 # Default value: false
 # Allowed values: (true|false)
-# @param forward_policy [Ferm::Policies] default policy for the FORWARD chain
+# @param forward_policy Default policy for the FORWARD chain
 # Default value: DROP
 # Allowed values: (ACCEPT|DROP|REJECT)
-# @param output_policy [Ferm::Policies] default policy for the OUTPUT chain
+# @param output_policy Default policy for the OUTPUT chain
 # Default value: ACCEPT
 # Allowed values: (ACCEPT|DROP|REJECT)
-# @param input_policy [Ferm::Policies] default policy for the INPUT chain
+# @param input_policy Default policy for the INPUT chain
 # Default value: DROP
 # Allowed values: (ACCEPT|DROP|REJECT)
-# @param rules a hash that holds all data for ferm::rule
+# @param rules A hash that holds all data for ferm::rule
 # Default value: Empty Hash
 # Allowed value: Any Hash
-# @param forward_log_dropped_packets boolean to enable/disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
+# @param forward_log_dropped_packets Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
 # Default value: false
 # Allowed values: (true|false)
-# @param output_log_dropped_packets boolean to enable/disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
+# @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
 # Default value: false
 # Allowed values: (true|false)
-# @param input_log_dropped_packets boolean to enable/disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
+# @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
 # Default value: false
 # Allowed values: (true|false)
 class ferm (
diff --git a/manifests/rule.pp b/manifests/rule.pp
index c9c363f..6f448f9 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
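Review bot: The REFERENCE.md generated in this commit renders the "deploy ferm and start it" example as an empty ```puppet fence while the `class{'ferm': manage_service => true, }` snippet, visible as context at the top of this manifests/init.pp hunk, is folded into the class description. puppet-strings only captures text that follows the `@example` tag as example code, so it looks like the snippet sits above that tag in the header (outside this hunk) and should move below it, which would fix both the description and the empty fence. REFERENCE.md also describes ferm::install and ferm::service as "This class handles the configuration file", apparently copied from ferm::config; their source comments are not part of this diff.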
@@ -1,14 +1,14 @@
 # defined resource which creates a single rule in a specific chain
-# @param chain [Ferm::Chains] configure the chain where we want to add the rule
-# @param policy [Ferm::Policies] configure what we want to do with the packet (drop, accept, log...)
-# @param proto [Ferm::Protocols] which protocol do we want to match, typically UDP or TCP
-# @param comment a comment that will be added to the ferm config and to ip{,6}tables
-# @param dport the destination port, can be a range as string or a single port number as integer
-# @param sport the source port, can be a range as string or a single port number as integer
-# @param saddr the source address we want to match
-# @param daddr the destination address we want to match
-# @param proto_options optional parameters that will be passed to the protocol (for example to match specific ICMP types)
-# @param ensure set the rule to present or absent
+# @param chain Configure the chain where we want to add the rule
+# @param policy Configure what we want to do with the packet (drop, accept, log...)
+# @param proto Which protocol do we want to match, typically UDP or TCP
+# @param comment A comment that will be added to the ferm config and to ip{,6}tables
+# @param dport The destination port, can be a range as string or a single port number as integer
+# @param sport The source port, can be a range as string or a single port number as integer
+# @param saddr The source address we want to match
+# @param daddr The destination address we want to match
+# @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+# @param ensure Set the rule to present or absent
 define ferm::rule (
 Ferm::Chains $chain,
 Ferm::Policies $policy,
-- cgit v1.2.3