From e3da2ce3255f1833dcd194370cb99b4d5c9448c9 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 30 May 2019 18:24:06 +0200 Subject: enhance unit tests --- spec/defines/rule_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb index 0926432..0473970 100644 --- a/spec/defines/rule_spec.rb +++ b/spec/defines/rule_spec.rb @@ -19,7 +19,7 @@ describe 'ferm::rule', type: :define do context 'default params create simple rule' do it { is_expected.to compile.with_all_deps } - # it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("proto tcp dport ssh saddr @ipfilter(127.0.0.1) ACCEPT;") } + it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") } it { is_expected.to contain_concat__fragment('INPUT-filter-ssh') } end end -- cgit v1.2.3 From 4f7b544f57fede1dd046c25d2c8f9270c5dbd8ba Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 30 May 2019 18:45:51 +0200 Subject: add support for interface specific rules --- README.md | 4 ++++ manifests/chain.pp | 2 +- manifests/rule.pp | 32 +++++++++++++++++++++++++++++--- spec/defines/rule_spec.rb | 42 ++++++++++++++++++++++++++++++------------ 4 files changed, 64 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index e05cba5..324134f 100644 --- a/README.md +++ b/README.md @@ -178,6 +178,10 @@ Same as above, just for the destination IP address Add or remove it from the ruleset +#### `interface` + +If set, this rule only applies to this specific interface + ### chain defined resource The module defines the three default chains for you, INPUT, FORWARD and OUTPUT. diff --git a/manifests/chain.pp b/manifests/chain.pp index 6a01607..0a0071a 100644 --- a/manifests/chain.pp +++ b/manifests/chain.pp 
@@ -31,7 +31,7 @@ define ferm::chain ( concat::fragment{"${chain}-footer": target => "/etc/ferm.d/chains/${chain}.conf", content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }), - order => '99', + order => 'zzzzzzzzzzzzzzzzzzzzz', } } } diff --git a/manifests/rule.pp b/manifests/rule.pp index c87ef7f..b8ae29a 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -8,6 +8,7 @@ # @param saddr The source address we want to match # @param daddr The destination address we want to match # @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types) +# @param interface an Optional interface where this rule should be applied # @param ensure Set the rule to present or absent define ferm::rule ( Ferm::Chains $chain, @@ -19,6 +20,7 @@ define ferm::rule ( Optional[String[1]] $saddr = undef, Optional[String[1]] $daddr = undef, Optional[String[1]] $proto_options = undef, + Optional[String[1]] $interface = undef, Enum['absent','present'] $ensure = 'present', ){ $proto_real = "proto ${proto}" 
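Review bot: `order => 'zzzzzzzzzzzzzzzzzzzzz'` is a magic value with nothing explaining why `'99'` stopped being last; the reason is presumably that ferm::rule now emits interface-scoped fragments with `order => $interface`, and under concat's alphabetic ordering a name such as `eth0` sorts after `99`, so the footer needs an order string that compares greater than any interface name. That reasoning belongs on the line, e.g. `# must sort after every rule fragment, including the interface-scoped ones whose order is the interface name (see ferm::rule); a run of 'z' longer than any realistic interface name is the alphabetic upper bound`. The bound only holds while rule fragments use order strings whose characters compare at or below `z`; an order value containing `{`, `|` or `~` would land after the footer and produce a chain file with a rule outside the chain block, so whatever separator ferm::rule uses in its order values has to be chosen with this footer in mind.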
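Review bot: `Optional[String[1]] $interface` accepts any non-empty string, yet the third hunk of this file interpolates it unquoted into `interface ${interface} {` and reuses it as the concat fragment `order`, so a value containing whitespace, braces or `;` yields a chain file ferm cannot parse, and a value containing `:` or `/` (an alias such as `eth0:1`) is, if I remember concat's order validation correctly, rejected at compile time with an error that says nothing about interfaces. Constrain the value where it enters: `Optional[Pattern[/\A[A-Za-z0-9_.-]+\z/]] $interface = undef` (constructed pattern; widen it to whatever naming the module intends to support) and state the constraint in the `@param interface` line, whose `an Optional interface` wording should also follow the sentence case of the neighbouring params.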
@@ -47,9 +49,33 @@ define ferm::rule ( $rule = squeeze("${comment_real} ${proto_real} ${proto_options_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ') if $ensure == 'present' { - concat::fragment{"${chain}-${name}": - target => "/etc/ferm.d/chains/${chain}.conf", - content => "${rule}\n", + if $interface { + unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) { + concat::fragment{"${chain}-${interface}-aaa": + target => "/etc/ferm.d/chains/${chain}.conf", + content => "interface ${interface} {\n", + order => $interface, + } + } + + concat::fragment{"${chain}-${interface}-${name}": + target => "/etc/ferm.d/chains/${chain}.conf", + content => " ${rule}\n", + order => $interface, + } + + unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) { + concat::fragment{"${chain}-${interface}-zzz": + target => "/etc/ferm.d/chains/${chain}.conf", + content => "}\n", + order => $interface, + } + } + } else { + concat::fragment{"${chain}-${name}": + target => "/etc/ferm.d/chains/${chain}.conf", + content => "${rule}\n", + } } } } diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb index 0473970..bd4ed73 100644 --- a/spec/defines/rule_spec.rb +++ b/spec/defines/rule_spec.rb 
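Review bot: All three fragments of an interface block get the same `order => $interface`, so whether a rule lands between `interface ${interface} {` and `}` depends entirely on how concat breaks the tie, presumably by resource title: `${chain}-${interface}-aaa` < `${chain}-${interface}-${name}` < `${chain}-${interface}-zzz` holds for `filter-ssh` but not for a title starting with a digit, an underscore or an uppercase letter (all sort before `a`), nor for one starting with `zzz` followed by more, and a title of exactly `aaa` or `zzz` collides with the wrapper titles. A rule that sorts outside the block is still a valid ferm statement, just unscoped, so it silently applies to every interface — the opposite of what the caller asked for. Encode the position in the order value rather than the title: `order => "${interface}!0"` for the header, `order => "${interface}!1"` for the rule and `order => "${interface}!2"` for the footer, using a separator that sorts before every character allowed in an interface name (and below `z`, so the footer ferm::chain emits still comes last), which also keeps each interface's block contiguous when one name is a prefix of another (`eth0` / `eth0-lan`). The define `ferm::rule` starts outside the hunk.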
@@ -6,21 +6,39 @@ describe 'ferm::rule', type: :define do let :facts do facts end - let(:title) { 'filter-ssh' } - let :params do - { - chain: 'INPUT', - policy: 'ACCEPT', - proto: 'tcp', - dport: '22', - saddr: '127.0.0.1' - } - end - context 'default params create simple rule' do + context 'without a specific interface' do + let(:title) { 'filter-ssh' } + let :params do + { + chain: 'INPUT', + policy: 'ACCEPT', + proto: 'tcp', + dport: '22', + saddr: '127.0.0.1' + } + end + it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") } - it { is_expected.to contain_concat__fragment('INPUT-filter-ssh') } + end + context 'with a specific interface' do + let(:title) { 'filter-ssh' } + let :params do + { + chain: 'INPUT', + policy: 'ACCEPT', + proto: 'tcp', + dport: '22', + saddr: '127.0.0.1', + interface: 'eth0' + } + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content(" mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") } + it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") } + it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") } end end end -- cgit v1.2.3 From b1496c1bfce754519ed63b95be46e01f1d0043de Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 11 Jul 2019 15:04:10 +0200 Subject: generate REFERENCE.md --- REFERENCE.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/REFERENCE.md b/REFERENCE.md index 0de43bc..bd608cb 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
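Review bot: The `with a specific interface` context checks the content of the three fragments but not the property the wrapper actually depends on — that the rule fragment sorts between `INPUT-eth0-aaa` and `INPUT-eth0-zzz` — and the single title it uses, `filter-ssh`, happens to satisfy that. Add an assertion on the order parameter, e.g. `it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_order('eth0') }`, and a second title chosen to sort outside the `aaa`..`zzz` window (one starting with an uppercase letter or a digit) so the suite fails if a rule can escape the interface block. The enclosing `describe` block starts outside the hunk.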
@@ -258,6 +258,14 @@ Optional parameters that will be passed to the protocol (for example to match sp Default value: `undef` +##### `interface` + +Data type: `Optional[String[1]]` + +an Optional interface where this rule should be applied + +Default value: `undef` + ##### `ensure` Data type: `Enum['absent','present']` -- cgit v1.2.3 From 885c4b2ec6774d52cee6107dca61566283e3694f Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 11 Jul 2019 15:04:30 +0200 Subject: Fix markdown linter warnings --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 324134f..2f8fcf8 100644 --- a/README.md +++ b/README.md @@ -139,6 +139,7 @@ the protocol we would like to filter. Allowed values are Enum['icmp', 'tcp', 'ud The protocol options we would like to add. The following example will suppress the hostname in programs like `traceroute`: + ```yaml --- ferm::rules: @@ -155,7 +156,8 @@ A comment that will be written into the file and into ip(6)tables #### `dport` -The destination port we want to filter for. Can be any string from /etc/services or an integer +The destination port we want to filter for. Can be any string from +/etc/services or an integer #### `sport` -- cgit v1.2.3