Mercurial > repos > other > Puppet

comparison modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb @ 275:d9352a684e62

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Mass update of modules to remove deprecation warnings
author IBBoard <dev@ibboard.co.uk>
date Sun, 26 Jan 2020 11:36:07 +0000
parents d6f2a0ee45c0
children 66c406eec60d
comparison
equal deleted inserted replaced
274:b2571c28fc27 275:d9352a684e62
1 Puppet::Type.type(:firewallchain).provide :iptables_chain do 1 Puppet::Type.type(:firewallchain).provide :iptables_chain do
2 include Puppet::Util::Firewall 2 include Puppet::Util::Firewall
3 3
4 @doc = "Iptables chain provider" 4 @doc = 'Iptables chain provider'
5 5
6 has_feature :iptables_chain 6 has_feature :iptables_chain
7 has_feature :policy 7 has_feature :policy
8 8
9 optional_commands({ 9 optional_commands(iptables: 'iptables',
10 :iptables => 'iptables', 10 iptables_save: 'iptables-save',
11 :iptables_save => 'iptables-save', 11 ip6tables: 'ip6tables',
12 :ip6tables => 'ip6tables', 12 ip6tables_save: 'ip6tables-save',
13 :ip6tables_save => 'ip6tables-save', 13 ebtables: 'ebtables',
14 :ebtables => 'ebtables', 14 ebtables_save: 'ebtables-save')
15 :ebtables_save => 'ebtables-save',
16 })
17 15
18 defaultfor :kernel => :linux 16 defaultfor kernel: :linux
19 confine :kernel => :linux 17 confine kernel: :linux
20 18
21 # chain name is greedy so we anchor from the end. 19 # chain name is greedy so we anchor from the end.
22 # [\d+:\d+] doesn't exist on ebtables 20 # [\d+:\d+] doesn't exist on ebtables
23 Mapping = { 21 MAPPING = {
24 :IPv4 => { 22 IPv4: {
25 :tables => method(:iptables), 23 tables: method(:iptables),
26 :save => method(:iptables_save), 24 save: method(:iptables_save),
27 :re => /^:(.+)\s(\S+)\s\[\d+:\d+\]$/, 25 re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$},
28 }, 26 },
29 :IPv6 => { 27 IPv6: {
30 :tables => method(:ip6tables), 28 tables: method(:ip6tables),
31 :save => method(:ip6tables_save), 29 save: method(:ip6tables_save),
32 :re => /^:(.+)\s(\S+)\s\[\d+:\d+\]$/, 30 re: %r{^:(.+)\s(\S+)\s\[\d+:\d+\]$},
33 }, 31 },
34 :ethernet => { 32 ethernet: {
35 :tables => method(:ebtables), 33 tables: method(:ebtables),
36 :save => method(:ebtables_save), 34 save: method(:ebtables_save),
37 :re => /^:(.+)\s(\S+)$/, 35 re: %r{^:(.+)\s(\S+)$},
38 } 36 },
39 } 37 }.freeze
40 InternalChains = /^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$/ 38 INTERNAL_CHAINS = %r{^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$}
41 Tables = 'nat|mangle|filter|raw|rawpost|broute' 39 TABLES = 'nat|mangle|filter|raw|rawpost|broute|security'.freeze
42 Nameformat = /^(.+):(#{Tables}):(IP(v[46])?|ethernet)$/ 40 NAME_FORMAT = %r{^(.+):(#{TABLES}):(IP(v[46])?|ethernet)$}
43 41
44 def create 42 def create
45 allvalidchains do |t, chain, table, protocol| 43 allvalidchains do |t, chain, table, protocol|
46 if chain =~ InternalChains 44 if chain =~ INTERNAL_CHAINS
47 # can't create internal chains 45 # can't create internal chains
48 warning "Attempting to create internal chain #{@resource[:name]}" 46 warning "Attempting to create internal chain #{@resource[:name]}"
49 end 47 end
50 if properties[:ensure] == protocol 48 if properties[:ensure] == protocol
51 debug "Skipping Inserting chain #{chain} on table #{table} (#{protocol}) already exists" 49 debug "Skipping Inserting chain #{chain} on table #{table} (#{protocol}) already exists"
52 else 50 else
53 debug "Inserting chain #{chain} on table #{table} (#{protocol}) using #{t}" 51 debug "Inserting chain #{chain} on table #{table} (#{protocol}) using #{t}"
54 t.call ['-t',table,'-N',chain] 52 t.call ['-t', table, '-N', chain]
55 unless @resource[:policy].nil? 53 unless @resource[:policy].nil?
56 t.call ['-t',table,'-P',chain,@resource[:policy].to_s.upcase] 54 t.call ['-t', table, '-P', chain, @resource[:policy].to_s.upcase]
57 end 55 end
58 end 56 end
59 end 57 end
60 end 58 end
61 59
62 def destroy 60 def destroy
63 allvalidchains do |t, chain, table| 61 allvalidchains do |t, chain, table|
64 if chain =~ InternalChains 62 if chain =~ INTERNAL_CHAINS
65 # can't delete internal chains 63 # can't delete internal chains
66 warning "Attempting to destroy internal chain #{@resource[:name]}" 64 warning "Attempting to destroy internal chain #{@resource[:name]}"
65 else
66 debug "Deleting chain #{chain} on table #{table}"
67 t.call ['-t', table, '-X', chain]
67 end 68 end
68 debug "Deleting chain #{chain} on table #{table}"
69 t.call ['-t',table,'-X',chain]
70 end 69 end
71 end 70 end
72 71
73 def exists? 72 def exists?
74 allvalidchains do |t, chain| 73 allvalidchains do |_t, chain|
75 if chain =~ InternalChains 74 if chain =~ INTERNAL_CHAINS
76 # If the chain isn't present, it's likely because the module isn't loaded. 75 # If the chain isn't present, it's likely because the module isn't loaded.
77 # If this is true, then we fall into 2 cases 76 # If this is true, then we fall into 2 cases
78 # 1) It'll be loaded on demand 77 # 1) It'll be loaded on demand
79 # 2) It won't be loaded on demand, and we throw an error 78 # 2) It won't be loaded on demand, and we throw an error
80 # This is the intended behavior as it's not the provider's job to load kernel modules 79 # This is the intended behavior as it's not the provider's job to load kernel modules
86 end 85 end
87 86
88 def policy=(value) 87 def policy=(value)
89 return if value == :empty 88 return if value == :empty
90 allvalidchains do |t, chain, table| 89 allvalidchains do |t, chain, table|
91 p = ['-t',table,'-P',chain,value.to_s.upcase] 90 p = ['-t', table, '-P', chain, value.to_s.upcase]
92 debug "[set policy] #{t} #{p}" 91 debug "[set policy] #{t} #{p}"
93 t.call p 92 t.call p
94 end 93 end
95 end 94 end
96 95
97 def policy 96 def policy
98 debug "[get policy] #{@resource[:name]} =#{@property_hash[:policy].to_s.downcase}" 97 debug "[get policy] #{@resource[:name]} =#{@property_hash[:policy].to_s.downcase}"
99 return @property_hash[:policy].to_s.downcase 98 @property_hash[:policy].to_s.downcase
100 end 99 end
101 100
102 def self.prefetch(resources) 101 def self.prefetch(resources)
103 debug("[prefetch(resources)]") 102 debug('[prefetch(resources)]')
104 instances.each do |prov| 103 instances.each do |prov|
105 if resource = resources[prov.name] 104 resource = resources[prov.name]
105 if resource
106 resource.provider = prov 106 resource.provider = prov
107 end 107 end
108 end 108 end
109 end 109 end
110 110
111 def flush 111 def flush
112 debug("[flush]") 112 debug('[flush]')
113 persist_iptables(@resource[:name].match(Nameformat)[3]) 113 persist_iptables(@resource[:name].match(NAME_FORMAT)[3])
114 # Clear the property hash so we re-initialize with updated values 114 # Clear the property hash so we re-initialize with updated values
115 @property_hash.clear 115 @property_hash.clear
116 end 116 end
117 117
118 # Look up the current status. This allows us to conventiently look up 118 # Look up the current status. This allows us to conventiently look up
119 # existing status with properties[:foo]. 119 # existing status with properties[:foo].
120 def properties 120 def properties
121 if @property_hash.empty? 121 if @property_hash.empty?
122 @property_hash = query || {:ensure => :absent} 122 @property_hash = query || { ensure: :absent }
123 end 123 end
124 @property_hash.dup 124 @property_hash.dup
125 end 125 end
126 126
127 # Pull the current state of the list from the full list. 127 # Pull the current state of the list from the full list.
128 def query 128 def query
129 self.class.instances.each do |instance| 129 self.class.instances.each do |instance|
130 if instance.name == self.name 130 if instance.name == name
131 debug "query found #{self.name}" % instance.properties.inspect 131 debug "query found #{name}" % instance.properties.inspect
132 return instance.properties 132 return instance.properties
133 end 133 end
134 end 134 end
135 nil 135 nil
136 end 136 end
137 137
138 def self.instances 138 def self.instances
139 debug "[instances]" 139 debug '[instances]'
140 table = nil 140 table = nil
141 chains = [] 141 chains = []
142 142
143 Mapping.each { |p, c| 143 MAPPING.each do |p, c|
144 begin 144 begin
145 c[:save].call.each_line do |line| 145 c[:save].call.each_line do |line|
146 if line =~ c[:re] then 146 if line =~ c[:re]
147 name = $1 + ':' + (table == 'filter' ? 'filter' : table) + ':' + p.to_s 147 name = Regexp.last_match(1) + ':' + ((table == 'filter') ? 'filter' : table) + ':' + p.to_s
148 policy = $2 == '-' ? nil : $2.downcase.to_sym 148 policy = (Regexp.last_match(2) == '-') ? nil : Regexp.last_match(2).downcase.to_sym
149 149
150 chains << new({ 150 chains << new(name: name,
151 :name => name, 151 policy: policy,
152 :policy => policy, 152 ensure: :present)
153 :ensure => :present,
154 })
155 153
156 debug "[instance] '#{name}' #{policy}" 154 debug "[instance] '#{name}' #{policy}"
157 elsif line =~ /^\*(\S+)/ 155 elsif line =~ %r{^\*(\S+)}
158 table = $1 156 table = Regexp.last_match(1)
159 else 157 else
160 next 158 next
161 end 159 end
162 end 160 end
163 rescue Puppet::Error 161 rescue Puppet::Error # rubocop:disable Lint/HandleExceptions
164 # ignore command not found for ebtables or anything that doesn't exist 162 # ignore command not found for ebtables or anything that doesn't exist
165 end 163 end
166 } 164 end
167 165
168 chains 166 chains
169 end 167 end
170 168
171 def allvalidchains 169 def allvalidchains
172 @resource[:name].match(Nameformat) 170 @resource[:name].match(NAME_FORMAT)
173 chain = $1 171 chain = Regexp.last_match(1)
174 table = $2 172 table = Regexp.last_match(2)
175 protocol = $3 173 protocol = Regexp.last_match(3)
176 yield Mapping[protocol.to_sym][:tables],chain,table,protocol.to_sym 174 yield MAPPING[protocol.to_sym][:tables], chain, table, protocol.to_sym
177 end 175 end
178
179 end 176 end