Mercurial > repos > other > Puppet
annotate modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb @ 398:66c406eec60d
Update and fix firewall for Ubuntu
* Use later version of module (not latest because our Puppet
isn't supported)
* Change how we define "ensure" because Ubuntu doesn't use
IPv6 methods
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Wed, 20 Apr 2022 19:04:13 +0100 |
| parents | d9352a684e62 |
| children |
| rev | line source |
|---|---|
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
1 # frozen_string_literal: true |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
2 |
| 39 | 3 Puppet::Type.type(:firewallchain).provide :iptables_chain do |
| 4 include Puppet::Util::Firewall | |
| 5 | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
6 @doc = 'Iptables chain provider' |
| 39 | 7 |
| 8 has_feature :iptables_chain | |
| 9 has_feature :policy | |
| 10 | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
11 optional_commands(iptables: 'iptables', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
12 iptables_save: 'iptables-save', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
13 ip6tables: 'ip6tables', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
14 ip6tables_save: 'ip6tables-save', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
15 ebtables: 'ebtables', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
16 ebtables_save: 'ebtables-save') |
| 39 | 17 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
18 defaultfor kernel: :linux |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
19 confine kernel: :linux |
| 39 | 20 |
| 21 # chain name is greedy so we anchor from the end. | |
| 22 # [\d+:\d+] doesn't exist on ebtables | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
23 MAPPING = { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
24 IPv4: { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
25 tables: method(:iptables), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
26 save: method(:iptables_save), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
27 re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$}, |
| 39 | 28 }, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
29 IPv6: { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
30 tables: method(:ip6tables), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
31 save: method(:ip6tables_save), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
32 re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$}, |
| 39 | 33 }, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
34 ethernet: { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
35 tables: method(:ebtables), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
36 save: method(:ebtables_save), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
37 re: %r{^:(.+)\s(\S+)$}, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
38 }, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
39 }.freeze |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
40 INTERNAL_CHAINS = %r{^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$}.freeze |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
41 TABLES = 'nat|mangle|filter|raw|rawpost|broute|security' |
|
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
42 NAME_FORMAT = %r{^(.+):(#{TABLES}):(IP(v[46])?|ethernet)$}.freeze |
| 39 | 43 |
| 44 def create | |
| 45 allvalidchains do |t, chain, table, protocol| | |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
46 if INTERNAL_CHAINS.match?(chain) |
| 39 | 47 # can't create internal chains |
| 48 warning "Attempting to create internal chain #{@resource[:name]}" | |
| 49 end | |
| 50 if properties[:ensure] == protocol | |
| 51 debug "Skipping Inserting chain #{chain} on table #{table} (#{protocol}) already exists" | |
| 52 else | |
| 53 debug "Inserting chain #{chain} on table #{table} (#{protocol}) using #{t}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
54 t.call ['-t', table, '-N', chain] |
| 39 | 55 unless @resource[:policy].nil? |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
56 t.call ['-t', table, '-P', chain, @resource[:policy].to_s.upcase] |
| 39 | 57 end |
| 58 end | |
| 59 end | |
| 60 end | |
| 61 | |
| 62 def destroy | |
| 63 allvalidchains do |t, chain, table| | |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
64 if INTERNAL_CHAINS.match?(chain) |
| 39 | 65 # can't delete internal chains |
| 66 warning "Attempting to destroy internal chain #{@resource[:name]}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
67 else |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
68 debug "Deleting chain #{chain} on table #{table}" |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
69 t.call ['-t', table, '-X', chain] |
| 39 | 70 end |
| 71 end | |
| 72 end | |
| 73 | |
| 74 def exists? | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
75 allvalidchains do |_t, chain| |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
76 if INTERNAL_CHAINS.match?(chain) |
| 39 | 77 # If the chain isn't present, it's likely because the module isn't loaded. |
| 78 # If this is true, then we fall into 2 cases | |
| 79 # 1) It'll be loaded on demand | |
| 80 # 2) It won't be loaded on demand, and we throw an error | |
| 81 # This is the intended behavior as it's not the provider's job to load kernel modules | |
| 82 # So we pretend it exists... | |
| 83 return true | |
| 84 end | |
| 85 end | |
| 86 properties[:ensure] == :present | |
| 87 end | |
| 88 | |
| 89 def policy=(value) | |
| 90 return if value == :empty | |
| 91 allvalidchains do |t, chain, table| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
92 p = ['-t', table, '-P', chain, value.to_s.upcase] |
| 39 | 93 debug "[set policy] #{t} #{p}" |
| 94 t.call p | |
| 95 end | |
| 96 end | |
| 97 | |
| 98 def policy | |
| 99 debug "[get policy] #{@resource[:name]} =#{@property_hash[:policy].to_s.downcase}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
100 @property_hash[:policy].to_s.downcase |
| 39 | 101 end |
| 102 | |
| 103 def self.prefetch(resources) | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
104 debug('[prefetch(resources)]') |
| 39 | 105 instances.each do |prov| |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
106 resource = resources[prov.name] |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
107 if resource |
| 39 | 108 resource.provider = prov |
| 109 end | |
| 110 end | |
| 111 end | |
| 112 | |
| 113 def flush | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
114 debug('[flush]') |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
115 persist_iptables(@resource[:name].match(NAME_FORMAT)[3]) |
| 39 | 116 # Clear the property hash so we re-initialize with updated values |
| 117 @property_hash.clear | |
| 118 end | |
| 119 | |
| 120 # Look up the current status. This allows us to conventiently look up | |
| 121 # existing status with properties[:foo]. | |
| 122 def properties | |
| 123 if @property_hash.empty? | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
124 @property_hash = query || { ensure: :absent } |
| 39 | 125 end |
| 126 @property_hash.dup | |
| 127 end | |
| 128 | |
| 129 # Pull the current state of the list from the full list. | |
| 130 def query | |
| 131 self.class.instances.each do |instance| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
132 if instance.name == name |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
133 debug "query found #{name}" % instance.properties.inspect |
| 39 | 134 return instance.properties |
| 135 end | |
| 136 end | |
| 137 nil | |
| 138 end | |
| 139 | |
| 140 def self.instances | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
141 debug '[instances]' |
| 39 | 142 table = nil |
| 143 chains = [] | |
| 144 | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
145 MAPPING.each do |p, c| |
| 39 | 146 begin |
| 147 c[:save].call.each_line do |line| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
148 if line =~ c[:re] |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
149 name = Regexp.last_match(1) + ':' + ((table == 'filter') ? 'filter' : table) + ':' + p.to_s |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
150 policy = (Regexp.last_match(2) == '-') ? nil : Regexp.last_match(2).downcase.to_sym |
| 39 | 151 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
152 chains << new(name: name, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
153 policy: policy, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
154 ensure: :present) |
| 39 | 155 |
| 156 debug "[instance] '#{name}' #{policy}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
157 elsif line =~ %r{^\*(\S+)} |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
158 table = Regexp.last_match(1) |
| 39 | 159 else |
| 160 next | |
| 161 end | |
| 162 end | |
|
398
66c406eec60d
Update and fix firewall for Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
275
diff
changeset
|
163 rescue Puppet::Error |
| 39 | 164 # ignore command not found for ebtables or anything that doesn't exist |
| 165 end | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
166 end |
| 39 | 167 |
| 168 chains | |
| 169 end | |
| 170 | |
| 171 def allvalidchains | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
172 @resource[:name].match(NAME_FORMAT) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
173 chain = Regexp.last_match(1) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
174 table = Regexp.last_match(2) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
175 protocol = Regexp.last_match(3) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
176 yield MAPPING[protocol.to_sym][:tables], chain, table, protocol.to_sym |
| 39 | 177 end |
| 178 end |