Mercurial > repos > other > Puppet
annotate modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb @ 275:d9352a684e62
Mass update of modules to remove deprecation warnings
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 26 Jan 2020 11:36:07 +0000 |
| parents | d6f2a0ee45c0 |
| children | 66c406eec60d |
| rev | line source |
|---|---|
| 39 | 1 Puppet::Type.type(:firewallchain).provide :iptables_chain do |
| 2 include Puppet::Util::Firewall | |
| 3 | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
4 @doc = 'Iptables chain provider' |
| 39 | 5 |
| 6 has_feature :iptables_chain | |
| 7 has_feature :policy | |
| 8 | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
9 optional_commands(iptables: 'iptables', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
10 iptables_save: 'iptables-save', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
11 ip6tables: 'ip6tables', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
12 ip6tables_save: 'ip6tables-save', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
13 ebtables: 'ebtables', |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
14 ebtables_save: 'ebtables-save') |
| 39 | 15 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
16 defaultfor kernel: :linux |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
17 confine kernel: :linux |
| 39 | 18 |
| 19 # chain name is greedy so we anchor from the end. | |
| 20 # [\d+:\d+] doesn't exist on ebtables | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
21 MAPPING = { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
22 IPv4: { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
23 tables: method(:iptables), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
24 save: method(:iptables_save), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
25 re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$}, |
| 39 | 26 }, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
27 IPv6: { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
28 tables: method(:ip6tables), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
29 save: method(:ip6tables_save), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
30 re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$}, |
| 39 | 31 }, |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
32 ethernet: { |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
33 tables: method(:ebtables), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
34 save: method(:ebtables_save), |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
35 re: %r{^:(.+)\s(\S+)$}, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
36 }, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
37 }.freeze |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
38 INTERNAL_CHAINS = %r{^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$} |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
39 TABLES = 'nat|mangle|filter|raw|rawpost|broute|security'.freeze |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
40 NAME_FORMAT = %r{^(.+):(#{TABLES}):(IP(v[46])?|ethernet)$} |
| 39 | 41 |
| 42 def create | |
| 43 allvalidchains do |t, chain, table, protocol| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
44 if chain =~ INTERNAL_CHAINS |
| 39 | 45 # can't create internal chains |
| 46 warning "Attempting to create internal chain #{@resource[:name]}" | |
| 47 end | |
| 48 if properties[:ensure] == protocol | |
| 49 debug "Skipping Inserting chain #{chain} on table #{table} (#{protocol}) already exists" | |
| 50 else | |
| 51 debug "Inserting chain #{chain} on table #{table} (#{protocol}) using #{t}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
52 t.call ['-t', table, '-N', chain] |
| 39 | 53 unless @resource[:policy].nil? |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
54 t.call ['-t', table, '-P', chain, @resource[:policy].to_s.upcase] |
| 39 | 55 end |
| 56 end | |
| 57 end | |
| 58 end | |
| 59 | |
| 60 def destroy | |
| 61 allvalidchains do |t, chain, table| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
62 if chain =~ INTERNAL_CHAINS |
| 39 | 63 # can't delete internal chains |
| 64 warning "Attempting to destroy internal chain #{@resource[:name]}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
65 else |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
66 debug "Deleting chain #{chain} on table #{table}" |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
67 t.call ['-t', table, '-X', chain] |
| 39 | 68 end |
| 69 end | |
| 70 end | |
| 71 | |
| 72 def exists? | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
73 allvalidchains do |_t, chain| |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
74 if chain =~ INTERNAL_CHAINS |
| 39 | 75 # If the chain isn't present, it's likely because the module isn't loaded. |
| 76 # If this is true, then we fall into 2 cases | |
| 77 # 1) It'll be loaded on demand | |
| 78 # 2) It won't be loaded on demand, and we throw an error | |
| 79 # This is the intended behavior as it's not the provider's job to load kernel modules | |
| 80 # So we pretend it exists... | |
| 81 return true | |
| 82 end | |
| 83 end | |
| 84 properties[:ensure] == :present | |
| 85 end | |
| 86 | |
| 87 def policy=(value) | |
| 88 return if value == :empty | |
| 89 allvalidchains do |t, chain, table| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
90 p = ['-t', table, '-P', chain, value.to_s.upcase] |
| 39 | 91 debug "[set policy] #{t} #{p}" |
| 92 t.call p | |
| 93 end | |
| 94 end | |
| 95 | |
| 96 def policy | |
| 97 debug "[get policy] #{@resource[:name]} =#{@property_hash[:policy].to_s.downcase}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
98 @property_hash[:policy].to_s.downcase |
| 39 | 99 end |
| 100 | |
| 101 def self.prefetch(resources) | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
102 debug('[prefetch(resources)]') |
| 39 | 103 instances.each do |prov| |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
104 resource = resources[prov.name] |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
105 if resource |
| 39 | 106 resource.provider = prov |
| 107 end | |
| 108 end | |
| 109 end | |
| 110 | |
| 111 def flush | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
112 debug('[flush]') |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
113 persist_iptables(@resource[:name].match(NAME_FORMAT)[3]) |
| 39 | 114 # Clear the property hash so we re-initialize with updated values |
| 115 @property_hash.clear | |
| 116 end | |
| 117 | |
| 118 # Look up the current status. This allows us to conventiently look up | |
| 119 # existing status with properties[:foo]. | |
| 120 def properties | |
| 121 if @property_hash.empty? | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
122 @property_hash = query || { ensure: :absent } |
| 39 | 123 end |
| 124 @property_hash.dup | |
| 125 end | |
| 126 | |
| 127 # Pull the current state of the list from the full list. | |
| 128 def query | |
| 129 self.class.instances.each do |instance| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
130 if instance.name == name |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
131 debug "query found #{name}" % instance.properties.inspect |
| 39 | 132 return instance.properties |
| 133 end | |
| 134 end | |
| 135 nil | |
| 136 end | |
| 137 | |
| 138 def self.instances | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
139 debug '[instances]' |
| 39 | 140 table = nil |
| 141 chains = [] | |
| 142 | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
143 MAPPING.each do |p, c| |
| 39 | 144 begin |
| 145 c[:save].call.each_line do |line| | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
146 if line =~ c[:re] |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
147 name = Regexp.last_match(1) + ':' + ((table == 'filter') ? 'filter' : table) + ':' + p.to_s |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
148 policy = (Regexp.last_match(2) == '-') ? nil : Regexp.last_match(2).downcase.to_sym |
| 39 | 149 |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
150 chains << new(name: name, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
151 policy: policy, |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
152 ensure: :present) |
| 39 | 153 |
| 154 debug "[instance] '#{name}' #{policy}" | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
155 elsif line =~ %r{^\*(\S+)} |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
156 table = Regexp.last_match(1) |
| 39 | 157 else |
| 158 next | |
| 159 end | |
| 160 end | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
161 rescue Puppet::Error # rubocop:disable Lint/HandleExceptions |
| 39 | 162 # ignore command not found for ebtables or anything that doesn't exist |
| 163 end | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
164 end |
| 39 | 165 |
| 166 chains | |
| 167 end | |
| 168 | |
| 169 def allvalidchains | |
|
275
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
170 @resource[:name].match(NAME_FORMAT) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
171 chain = Regexp.last_match(1) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
172 table = Regexp.last_match(2) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
173 protocol = Regexp.last_match(3) |
|
d9352a684e62
Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents:
39
diff
changeset
|
174 yield MAPPING[protocol.to_sym][:tables], chain, table, protocol.to_sym |
| 39 | 175 end |
| 176 end |