From 9303892000eab6f5c38dc80a002945f8a57e4af6 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Mon, 28 Jun 2021 14:31:43 +0200 Subject: Enable users to the package ensure --- REFERENCE.md | 212 +++++++++++++++++++++++++++++++--------------- manifests/init.pp | 2 + manifests/install.pp | 2 +- spec/classes/ferm_spec.rb | 13 ++- 4 files changed, 161 insertions(+), 68 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 5b91153..11c343a 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -32,7 +32,7 @@ ## Classes -### `ferm` +### `ferm` This class manages ferm installation and rule generation on modern linux systems @@ -76,9 +76,32 @@ class{'ferm': #### Parameters -The following parameters are available in the `ferm` class. - -##### `manage_service` +The following parameters are available in the `ferm` class: + +* [`manage_service`](#manage_service) +* [`manage_configfile`](#manage_configfile) +* [`configfile`](#configfile) +* [`configdirectory`](#configdirectory) +* [`forward_disable_conntrack`](#forward_disable_conntrack) +* [`output_disable_conntrack`](#output_disable_conntrack) +* [`input_disable_conntrack`](#input_disable_conntrack) +* [`forward_policy`](#forward_policy) +* [`output_policy`](#output_policy) +* [`input_policy`](#input_policy) +* [`input_drop_invalid_packets_with_conntrack`](#input_drop_invalid_packets_with_conntrack) +* [`rules`](#rules) +* [`chains`](#chains) +* [`forward_log_dropped_packets`](#forward_log_dropped_packets) +* [`output_log_dropped_packets`](#output_log_dropped_packets) +* [`input_log_dropped_packets`](#input_log_dropped_packets) +* [`ip_versions`](#ip_versions) +* [`preserve_chains_in_tables`](#preserve_chains_in_tables) +* [`install_method`](#install_method) +* [`package_ensure`](#package_ensure) +* [`vcsrepo`](#vcsrepo) +* [`vcstag`](#vcstag) + +##### `manage_service` Data type: `Boolean` 
@@ -86,7 +109,7 @@ Disable/Enable the management of the ferm daemon Default value: ``false`` -##### `manage_configfile` +##### `manage_configfile` Data type: `Boolean` @@ -94,19 +117,19 @@ Disable/Enable the management of the ferm default config Default value: ``false`` -##### `configfile` +##### `configfile` Data type: `Stdlib::Absolutepath` Path to the config file -##### `configdirectory` +##### `configdirectory` Data type: `Stdlib::Absolutepath` Path to the directory where the module stores ferm configuration files -##### `forward_disable_conntrack` +##### `forward_disable_conntrack` Data type: `Boolean` @@ -114,7 +137,7 @@ Enable/Disable the generation of conntrack rules for the FORWARD chain Default value: ``true`` -##### `output_disable_conntrack` +##### `output_disable_conntrack` Data type: `Boolean` @@ -122,7 +145,7 @@ Enable/Disable the generation of conntrack rules for the OUTPUT chain Default value: ``true`` -##### `input_disable_conntrack` +##### `input_disable_conntrack` Data type: `Boolean` @@ -130,7 +153,7 @@ Enable/Disable the generation of conntrack rules for the INPUT chain Default value: ``false`` -##### `forward_policy` +##### `forward_policy` Data type: `Ferm::Policies` @@ -138,7 +161,7 @@ Default policy for the FORWARD chain Default value: `'DROP'` -##### `output_policy` +##### `output_policy` Data type: `Ferm::Policies` @@ -146,7 +169,7 @@ Default policy for the OUTPUT chain Default value: `'ACCEPT'` -##### `input_policy` +##### `input_policy` Data type: `Ferm::Policies` @@ -154,7 +177,7 @@ Default policy for the INPUT chain Default value: `'DROP'` -##### `input_drop_invalid_packets_with_conntrack` +##### `input_drop_invalid_packets_with_conntrack` Data type: `Boolean` @@ -162,7 +185,7 @@ Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if Default value: ``false`` -##### `rules` +##### `rules` Data type: `Hash` 
@@ -170,7 +193,7 @@ A hash that holds all data for ferm::rule Default value: `{}` -##### `chains` +##### `chains` Data type: `Hash` @@ -178,7 +201,7 @@ A hash that holds all data for ferm::chain Default value: `{}` -##### `forward_log_dropped_packets` +##### `forward_log_dropped_packets` Data type: `Boolean` @@ -186,7 +209,7 @@ Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no Default value: ``false`` -##### `output_log_dropped_packets` +##### `output_log_dropped_packets` Data type: `Boolean` @@ -194,7 +217,7 @@ Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no e Default value: ``false`` -##### `input_log_dropped_packets` +##### `input_log_dropped_packets` Data type: `Boolean` @@ -202,7 +225,7 @@ Enable/Disable logging in the INPUT chain of packets to the kernel log, if no ex Default value: ``false`` -##### `ip_versions` +##### `ip_versions` Data type: `Array[Enum['ip','ip6']]` @@ -210,7 +233,7 @@ Set list of versions of ip we want ot use. Default value: `['ip','ip6']` -##### `preserve_chains_in_tables` +##### `preserve_chains_in_tables` Data type: `Hash[String[1],Array[String[1]]]` @@ -219,7 +242,7 @@ Example: {'nat' => ['PREROUTING', 'POSTROUTING']} Default value: `{}` -##### `install_method` +##### `install_method` Data type: `Enum['package','vcsrepo']` @@ -227,7 +250,15 @@ method used to install ferm Default value: `'package'` -##### `vcsrepo` +##### `package_ensure` + +Data type: `Enum['installed', 'latest', 'absent']` + +sets the ensure parameter for the package resource + +Default value: `'latest'` + +##### `vcsrepo` Data type: `Stdlib::HTTPSUrl` @@ -235,7 +266,7 @@ git repository where ferm sources are hosted Default value: `'https://github.com/MaxKellermann/ferm.git'` -##### `vcstag` +##### `vcstag` Data type: `String[1]` @@ -245,7 +276,7 @@ Default value: `'v2.5.1'` ## Defined types -### `ferm::chain` +### `ferm::chain` This defined resource manages ferm/iptables chains 
@@ -263,9 +294,18 @@ ferm::chain{'check-ssh': #### Parameters -The following parameters are available in the `ferm::chain` defined type. +The following parameters are available in the `ferm::chain` defined type: + +* [`disable_conntrack`](#disable_conntrack) +* [`drop_invalid_packets_with_conntrack`](#drop_invalid_packets_with_conntrack) +* [`log_dropped_packets`](#log_dropped_packets) +* [`policy`](#policy) +* [`chain`](#chain) +* [`table`](#table) +* [`ip_versions`](#ip_versions) +* [`content`](#content) -##### `disable_conntrack` +##### `disable_conntrack` Data type: `Boolean` @@ -273,7 +313,7 @@ Disable/Enable usage of conntrack. By default, we enable conntrack only for the Default value: ``true`` -##### `drop_invalid_packets_with_conntrack` +##### `drop_invalid_packets_with_conntrack` Data type: `Boolean` @@ -281,7 +321,7 @@ Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if Default value: ``false`` -##### `log_dropped_packets` +##### `log_dropped_packets` Data type: `Boolean` @@ -289,7 +329,7 @@ Enable/Disable logging of packets to the kernel log, if no explicit chain matche Default value: ``false`` -##### `policy` +##### `policy` Data type: `Optional[Ferm::Policies]` @@ -298,7 +338,7 @@ Allowed values: (ACCEPT|DROP) (see Ferm::Policies type) Default value: ``undef`` -##### `chain` +##### `chain` Data type: `String[1]` @@ -307,7 +347,7 @@ Allowed values: String[1] Default value: `$name` -##### `table` +##### `table` Data type: `Ferm::Tables` @@ -316,7 +356,7 @@ Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type) Default value: `'filter'` -##### `ip_versions` +##### `ip_versions` Data type: `Array[Enum['ip', 'ip6']]` @@ -324,7 +364,7 @@ Set list of versions of ip we want ot use. Default value: `$ferm::ip_versions` -##### `content` +##### `content` Data type: `Optional[String[1]]` 
@@ -332,7 +372,7 @@ custom string that will be written into th chain file Default value: ``undef`` -### `ferm::ipset` +### `ferm::ipset` a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets. @@ -367,15 +407,21 @@ ferm::ipset { 'INPUT': #### Parameters -The following parameters are available in the `ferm::ipset` defined type. +The following parameters are available in the `ferm::ipset` defined type: -##### `sets` +* [`sets`](#sets) +* [`chain`](#chain) +* [`table`](#table) +* [`ip_version`](#ip_version) +* [`prepend_to_chain`](#prepend_to_chain) + +##### `sets` Data type: `Hash[String[1], Ferm::Actions]` A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`. -##### `chain` +##### `chain` Data type: `String[1]` @@ -383,7 +429,7 @@ name of the chain we want to apply those rules to. The name of the defined resou Default value: `$name` -##### `table` +##### `table` Data type: `Ferm::Tables` @@ -391,7 +437,7 @@ name of the table where we want to apply this. Defaults to `filter` because tha Default value: `'filter'` -##### `ip_version` +##### `ip_version` Data type: `Enum['ip','ip6']` @@ -399,7 +445,7 @@ sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Bec Default value: `'ip'` -##### `prepend_to_chain` +##### `prepend_to_chain` Data type: `Boolean` @@ -407,7 +453,7 @@ By default, ipset rules are added to the top of the chain. Set this to false to Default value: ``true`` -### `ferm::rule` +### `ferm::rule` This defined resource manages a single rule in a specific chain 
@@ -460,21 +506,35 @@ ferm::rule{'allow_consul': #### Parameters -The following parameters are available in the `ferm::rule` defined type. +The following parameters are available in the `ferm::rule` defined type: + +* [`chain`](#chain) +* [`proto`](#proto) +* [`comment`](#comment) +* [`action`](#action) +* [`policy`](#policy) +* [`dport`](#dport) +* [`sport`](#sport) +* [`saddr`](#saddr) +* [`daddr`](#daddr) +* [`proto_options`](#proto_options) +* [`interface`](#interface) +* [`ensure`](#ensure) +* [`table`](#table) -##### `chain` +##### `chain` Data type: `String[1]` Configure the chain where we want to add the rule -##### `proto` +##### `proto` Data type: `Ferm::Protocols` Which protocol do we want to match, typically UDP or TCP -##### `comment` +##### `comment` Data type: `String` @@ -482,7 +542,7 @@ A comment that will be added to the ferm config and to ip{,6}tables Default value: `$name` -##### `action` +##### `action` Data type: `Optional[Ferm::Actions]` @@ -492,7 +552,7 @@ Allowed values: (RETURN|ACCEPT|DROP|REJECT|NOTRACK|LOG|MARK|DNAT|SNAT|MASQUERADE Default value: ``undef`` -##### `policy` +##### `policy` Data type: `Optional[Ferm::Policies]` @@ -502,7 +562,7 @@ Allowed values: (RETURN|ACCEPT|DROP|REJECT|NOTRACK|LOG|MARK|DNAT|SNAT|MASQUERADE Default value: ``undef`` -##### `dport` +##### `dport` Data type: `Optional[Ferm::Port]` @@ -510,7 +570,7 @@ The destination port, can be a single port number as integer or an Array of inte Default value: ``undef`` -##### `sport` +##### `sport` Data type: `Optional[Ferm::Port]` @@ -518,7 +578,7 @@ The source port, can be a single port number as integer or an Array of integers Default value: ``undef`` -##### `saddr` +##### `saddr` Data type: `Optional[Variant[Array, String[1]]]` @@ -526,7 +586,7 @@ The source address we want to match Default value: ``undef`` -##### `daddr` +##### `daddr` Data type: `Optional[Variant[Array, String[1]]]` 
@@ -534,7 +594,7 @@ The destination address we want to match Default value: ``undef`` -##### `proto_options` +##### `proto_options` Data type: `Optional[String[1]]` @@ -542,7 +602,7 @@ Optional parameters that will be passed to the protocol (for example to match sp Default value: ``undef`` -##### `interface` +##### `interface` Data type: `Optional[String[1]]` @@ -550,7 +610,7 @@ an Optional interface where this rule should be applied Default value: ``undef`` -##### `ensure` +##### `ensure` Data type: `Enum['absent','present']` @@ -558,7 +618,7 @@ Set the rule to present or absent Default value: `'present'` -##### `table` +##### `table` Data type: `Ferm::Tables` @@ -570,19 +630,27 @@ Default value: `'filter'` ## Data types -### `Ferm::Actions` +### `Ferm::Actions` As you can also *jump* to other chains, each chain-name is also a valid action/target -Alias of `Variant[Enum['RETURN', 'ACCEPT', 'DROP', 'REJECT', 'NOTRACK', 'LOG', 'MARK', 'DNAT', 'SNAT', 'MASQUERADE', 'REDIRECT'], String[1]]` +Alias of + +```puppet +Variant[Enum['RETURN', 'ACCEPT', 'DROP', 'REJECT', 'NOTRACK', 'LOG', 'MARK', 'DNAT', 'SNAT', 'MASQUERADE', 'REDIRECT'], String[1]] +``` -### `Ferm::Policies` +### `Ferm::Policies` a list of allowed policies for a chain -Alias of `Enum['ACCEPT', 'DROP']` +Alias of -### `Ferm::Port` +```puppet +Enum['ACCEPT', 'DROP'] +``` + +### `Ferm::Port` allowed variants: ----------------- 
@@ -590,17 +658,29 @@ allowed variants: + Array of Integers (creates a multiport matcher) + ferm range port-spec (pair of colon-separated integer, assumes 0 if first is omitted) -Alias of `Variant[Stdlib::Port, Array[Stdlib::Port], Pattern['^\d*:\d+$']]` +Alias of + +```puppet +Variant[Stdlib::Port, Array[Stdlib::Port], Pattern['^\d*:\d+$']] +``` -### `Ferm::Protocols` +### `Ferm::Protocols` a list of allowed protocolls to match -Alias of `Variant[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all'], Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']]]` +Alias of -### `Ferm::Tables` +```puppet +Variant[Integer[0, 255], Array[Integer[0, 255]], Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all'], Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']]] +``` + +### `Ferm::Tables` a list of available tables -Alias of `Enum['raw', 'mangle', 'nat', 'filter']` +Alias of + +```puppet +Enum['raw', 'mangle', 'nat', 'filter'] +``` diff --git a/manifests/init.pp b/manifests/init.pp index 9317fbf..312e441 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -47,6 +47,7 @@ # @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for (since ferm v2.4) # Example: {'nat' => ['PREROUTING', 'POSTROUTING']} # @param install_method method used to install ferm +# @param package_ensure sets the ensure parameter for the package resource # @param vcsrepo git repository where ferm sources are hosted # @param vcstag git tag used when install_method is vcsrepo class ferm ( @@ -69,6 +70,7 @@ class ferm ( Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'], Hash[String[1],Array[String[1]]] $preserve_chains_in_tables = {}, Enum['package','vcsrepo'] $install_method = 'package', + String[1] $package_ensure = 'installed', Stdlib::HTTPSUrl $vcsrepo = 'https://github.com/MaxKellermann/ferm.git', String[1] $vcstag = 'v2.5.1', ) { 
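Review bot: The new parameter line `String[1] $package_ensure = 'installed',` in the second `manifests/init.pp` hunk does not agree with the REFERENCE.md generated in this same commit, which documents `package_ensure` as `Enum['installed', 'latest', 'absent']` with default `'latest'`; one of the two is stale and the reference should be regenerated from the manifest once the type is settled. If arbitrary version strings are meant to be accepted, `String[1]` is right but the `@param package_ensure` line added in the first hunk should say so, e.g. `# @param package_ensure ensure value passed to the package resource (installed, latest, absent, or a version string)`; if only the three keywords are intended, declaring the Enum catches typos at catalog compile time instead of at package-provider run time. The default also moves the managed firewall package from `latest` to `installed`, so hosts that relied on the module to pull ferm updates will stop receiving them silently — that deserves a sentence in the commit message or changelog. The `class ferm (` parameter list starts and ends outside the hunk.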
diff --git a/manifests/install.pp b/manifests/install.pp
index c27cedf..6d0f8d1 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -10,7 +10,7 @@ class ferm::install {
 case $ferm::install_method {
 'package': {
 package { 'ferm':
- ensure => 'latest',
+ ensure => $ferm::package_ensure,
 }
 }
 'vcsrepo': {
diff --git a/spec/classes/ferm_spec.rb b/spec/classes/ferm_spec.rb
index e8afa73..f0966cb 100644
--- a/spec/classes/ferm_spec.rb
+++ b/spec/classes/ferm_spec.rb
@@ -29,7 +29,7 @@ describe 'ferm' do
 it { is_expected.to contain_package('ferm').with_ensure('absent') }
 it { is_expected.to contain_vcsrepo('/opt/ferm') }
 else
- it { is_expected.to contain_package('ferm').with_ensure('latest') }
+ it { is_expected.to contain_package('ferm').with_ensure('installed') }
 it { is_expected.not_to contain_vcsrepo('/opt/ferm') }
 end
@@ -203,6 +203,17 @@ describe 'ferm' do
 it { is_expected.to contain_file('/etc/ferm') }
 it { is_expected.to contain_vcsrepo('/opt/ferm') }
 end
+ context 'it works with ensure latest' do
+ let :params do
+ {
+ package_ensure: 'latest',
+ install_method: 'package',
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_package('ferm').with_ensure('latest') }
+ end
 end
 end
 end
-- cgit v1.2.3
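Review bot: `ensure => $ferm::package_ensure,` hands the class parameter to the package resource unchecked, and since the class side types it as `String[1]` (see the `manifests/init.pp` hunk) a value such as `absent` is now reachable under `install_method => 'package'`, where the config file and service are presumably still managed by the rest of the module and would fail on a host whose ferm package has just been removed — the remainder of `ferm::install` and the service handling are outside this hunk, so please confirm. If `absent` is meant to be supported here, the other resources need to follow the package state; otherwise a short comment above the resource, `# package_ensure is passed through as-is; 'absent' only makes sense with manage_service => false`, would spare users a failed run. The enclosing `case $ferm::install_method` block continues beyond the hunk.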