Mercurial > repos > other > Puppet
view modules/firewall/lib/puppet/type/firewall.rb @ 398:66c406eec60d
Update and fix firewall for Ubuntu
* Use later version of module (not latest because our Puppet
isn't supported)
* Change how we define "ensure" because Ubuntu doesn't use
IPv6 methods
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Wed, 20 Apr 2022 19:04:13 +0100 |
| parents | 3717200274ce |
| children |
line wrap: on
line source
# frozen_string_literal: true # See: #10295 for more details. # # This is a workaround for bug: #4248 whereby ruby files outside of the normal # provider/type path do not load until pluginsync has occured on the puppet server # # In this case I'm trying the relative path first, then falling back to normal # mechanisms. This should be fixed in future versions of puppet but it looks # like we'll need to maintain this for some time perhaps. $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', '..')) require 'puppet/util/firewall' Puppet::Type.newtype(:firewall) do include Puppet::Util::Firewall @doc = <<-PUPPETCODE @summary This type provides the capability to manage firewall rules within puppet. **Autorequires:** If Puppet is managing the iptables or ip6tables chains specified in the `chain` or `jump` parameters, the firewall resource will autorequire those firewallchain resources. If Puppet is managing the iptables, iptables-persistent, or iptables-services packages, and the provider is iptables or ip6tables, the firewall resource will autorequire those packages to ensure that any required binaries are installed. #### Providers Note: Not all features are available with all providers. * ip6tables: Ip6tables type provider * Required binaries: ip6tables-save, ip6tables. * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf. * iptables: Iptables type provider * Required binaries: iptables-save, iptables. * Default for kernel == linux. * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf. #### Features * address_type: The ability to match on source or destination address type. * clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them. * condition: Match if a specific condition variable is (un)set (requires xtables-addons) * connection_limiting: Connection limiting features. * conntrack: Connection tracking features. * dnat: Destination NATing. * hop_limiting: Hop limiting features. * icmp_match: The ability to match ICMP types. * interface_match: Interface matching. * iprange: The ability to match on source or destination IP range. * ipsec_dir: The ability to match IPsec policy direction. * ipsec_policy: The ability to match IPsec policy. * iptables: The provider provides iptables features. * isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet. * isfragment: The ability to match fragments. * ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet. * islastfrag: The ability to match the last fragment of an ipv6 packet. * length: The ability to match the length of the layer-3 payload. * log_level: The ability to control the log level. * log_prefix: The ability to add prefixes to log messages. * log_uid: The ability to log the userid of the process which generated the packet. * log_tcp_sequence: The ability to log TCP sequence numbers. * log_tcp_options: The ability to log TCP packet header. * log_ip_options: The ability to log IP/IPv6 packet header. * mark: The ability to match or set the netfilter mark value associated with the packet. * mask: The ability to match recent rules based on the ipv4 mask. * nflog_group: The ability to set the group number for NFLOG. * nflog_prefix: The ability to set a prefix for nflog messages. * nflog_range: The ability to set nflog_range. * nflog_threshold: The ability to set nflog_threshold. * owner: The ability to match owners. * pkttype: The ability to match a packet type. * rate_limiting: Rate limiting features. * recent_limiting: The netfilter recent module. * reject_type: The ability to control reject messages. * set_mss: Set the TCP MSS of a packet. * snat: Source NATing. * socket: The ability to match open sockets. * state_match: The ability to match stateful firewall states. * string_matching: The ability to match a given string by using some pattern matching strategy. * tcp_flags: The ability to match on particular TCP flag settings. * netmap: The ability to map entire subnets via source or destination nat rules. * hashlimit: The ability to use the hashlimit-module. * bpf: The ability to use Berkeley Paket Filter rules. * ipvs: The ability to match IP Virtual Server packets. * ct_target: The ability to set connection tracking parameters for a packet or its associated connection. * random_fully: The ability to use --random-fully flag. PUPPETCODE feature :connection_limiting, 'Connection limiting features.' feature :condition, 'Match if a specific condition variable is (un)set.' feature :conntrack, 'Connection tracking features.' feature :hop_limiting, 'Hop limiting features.' feature :rate_limiting, 'Rate limiting features.' feature :recent_limiting, 'The netfilter recent module' feature :snat, 'Source NATing' feature :dnat, 'Destination NATing' feature :netmap, 'NET MAPping' feature :interface_match, 'Interface matching' feature :icmp_match, 'Matching ICMP types' feature :owner, 'Matching owners' feature :state_match, 'Matching stateful firewall states' feature :reject_type, 'The ability to control reject messages' feature :log_level, 'The ability to control the log level' feature :log_prefix, 'The ability to add prefixes to log messages' feature :log_uid, 'Add UIDs to log messages' feature :log_tcp_sequence, 'Add TCP sequence numbers to log messages' feature :log_tcp_options, 'Add TCP packet header to log messages' feature :log_ip_options, 'Add IP/IPv6 packet header to log messages' feature :mark, 'Match or Set the netfilter mark value associated with the packet' feature :mss, 'Match a given TCP MSS value or range.' feature :tcp_flags, 'The ability to match on particular TCP flag settings' feature :pkttype, 'Match a packet type' feature :socket, 'Match open sockets' feature :isfragment, 'Match fragments' feature :address_type, 'The ability match on source or destination address type' feature :iprange, 'The ability match on source or destination IP range ' feature :ishasmorefrags, 'Match a non-last fragment of a fragmented ipv6 packet - might be first' feature :islastfrag, 'Match the last fragment of an ipv6 packet' feature :isfirstfrag, 'Match the first fragment of a fragmented ipv6 packet' feature :ipsec_policy, 'Match IPsec policy' feature :ipsec_dir, 'Match IPsec policy direction' feature :mask, 'Ability to match recent rules based on the ipv4 mask' feature :nflog_group, 'netlink group to subscribe to for logging' feature :nflog_prefix, '' feature :nflog_range, '' feature :nflog_threshold, '' feature :ipset, 'Match against specified ipset list' feature :clusterip, 'Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.' feature :length, 'Match the length of layer-3 payload' feature :string_matching, 'String matching features' feature :queue_num, 'Which NFQUEUE to send packets to' feature :queue_bypass, 'If nothing is listening on queue_num, allow packets to bypass the queue' feature :hashlimit, 'Hashlimit features' feature :bpf, 'Berkeley Paket Filter feature' feature :ipvs, 'Packet belongs to an IP Virtual Server connection' feature :ct_target, 'The ability to set connection tracking parameters for a packet or its associated connection' feature :random_fully, 'The ability to use --random-fully flag' # provider specific features feature :iptables, 'The provider provides iptables features.' ensurable do desc <<-PUPPETCODE Manage the state of this rule. PUPPETCODE newvalue(:present) do provider.insert end newvalue(:absent) do provider.delete end defaultto :present end newparam(:name) do desc <<-PUPPETCODE The canonical name of the rule. This name is also used for ordering so make sure you prefix the rule with a number: 000 this runs first 999 this runs last Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. PUPPETCODE isnamevar # Keep rule names simple - they must start with a number newvalues(%r{^\d+[[:graph:][:space:]]+$}) end newproperty(:action) do desc <<-PUPPETCODE This is the action to perform on a match. Can be one of: * accept - the packet is accepted * reject - the packet is rejected with a suitable ICMP response * drop - the packet is dropped If you specify no value it will simply match the rule but perform no action unless you provide a provider specific parameter (such as *jump*). PUPPETCODE newvalues(:accept, :reject, :drop) end # Generic matching properties newproperty(:source) do desc <<-PUPPETCODE The source address. For example: source => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: source => '! 192.168.2.0/24' The source can also be an IPv6 address if your provider supports it. PUPPETCODE munge do |value| case @resource[:provider] when :iptables protocol = :IPv4 when :ip6tables protocol = :IPv6 else raise('cannot work out protocol family') end begin @resource.host_to_mask(value, protocol) rescue StandardError => e raise("host_to_ip failed for #{value}, exception #{e}") end end end # Source IP range newproperty(:src_range, required_features: :iprange) do desc <<-PUPPETCODE The source IP range. For example: src_range => '192.168.1.1-192.168.1.10' The source IP range must be in 'IP1-IP2' format. PUPPETCODE validate do |value| matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(value) raise(ArgumentError, "The source IP range must be in 'IP1-IP2' format.") unless matches start_addr = matches[1] end_addr = matches[2] [start_addr, end_addr].each do |addr| begin @resource.host_to_ip(addr) rescue StandardError raise("Invalid IP address \"#{addr}\" in range \"#{value}\"") end end end end newproperty(:destination) do desc <<-PUPPETCODE The destination address to match. For example: destination => '192.168.1.0/24' You can also negate a mask by putting ! in front. For example: destination => '! 192.168.2.0/24' The destination can also be an IPv6 address if your provider supports it. PUPPETCODE munge do |value| case @resource[:provider] when :iptables protocol = :IPv4 when :ip6tables protocol = :IPv6 else raise('cannot work out protocol family') end begin @resource.host_to_mask(value, protocol) rescue StandardError => e raise("host_to_ip failed for #{value}, exception #{e}") end end end # Destination IP range newproperty(:dst_range, required_features: :iprange) do desc <<-PUPPETCODE The destination IP range. For example: dst_range => '192.168.1.1-192.168.1.10' The destination IP range must be in 'IP1-IP2' format. PUPPETCODE validate do |value| matches = %r{^([^\-\/]+)-([^\-\/]+)$}.match(value) raise(ArgumentError, "The destination IP range must be in 'IP1-IP2' format.") unless matches start_addr = matches[1] end_addr = matches[2] [start_addr, end_addr].each do |addr| begin @resource.host_to_ip(addr) rescue StandardError raise("Invalid IP address \"#{addr}\" in range \"#{value}\"") end end end end newproperty(:sport, array_matching: :all) do desc <<-PUPPETCODE The source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: <start_number>-<ending_number> For example: 1-1024 This would cover ports 1 to 1024. PUPPETCODE munge do |value| @resource.string_to_port(value, :proto) end def to_s?(value) should_to_s(value) end def should_to_s(value) value = [value] unless value.is_a?(Array) value.join(',') end end newproperty(:dport, array_matching: :all) do desc <<-PUPPETCODE The destination port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: <start_number>-<ending_number> For example: 1-1024 This would cover ports 1 to 1024. PUPPETCODE munge do |value| @resource.string_to_port(value, :proto) end def to_s?(value) should_to_s(value) end def should_to_s(value) value = [value] unless value.is_a?(Array) value.join(',') end end newproperty(:port, array_matching: :all) do desc <<-PUPPETCODE *note* This property has been DEPRECATED The destination or source port to match for this filter (if the protocol supports ports). Will accept a single element or an array. For some firewall providers you can pass a range of ports in the format: <start_number>-<ending_number> For example: 1-1024 This would cover ports 1 to 1024. PUPPETCODE validate do |_value| Puppet.warning('Passing port to firewall is deprecated and will be removed. Use dport and/or sport instead.') end munge do |value| @resource.string_to_port(value, :proto) end def to_s?(value) should_to_s(value) end def should_to_s(value) value = [value] unless value.is_a?(Array) value.join(',') end end newproperty(:dst_type, required_features: :address_type, array_matching: :all) do desc <<-PUPPETCODE The destination address type. For example: dst_type => ['LOCAL'] Can be one of: * UNSPEC - an unspecified address * UNICAST - a unicast address * LOCAL - a local address * BROADCAST - a broadcast address * ANYCAST - an anycast packet * MULTICAST - a multicast address * BLACKHOLE - a blackhole address * UNREACHABLE - an unreachable address * PROHIBIT - a prohibited address * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: dst_type => ['LOCAL --limit-iface-in'] It can also be negated using '!': dst_type => ['! LOCAL'] Will accept a single element or an array. PUPPETCODE newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| [ address_type, "! #{address_type}".to_sym, "#{address_type} --limit-iface-in".to_sym, "#{address_type} --limit-iface-out".to_sym, "! #{address_type} --limit-iface-in".to_sym, "! #{address_type} --limit-iface-out".to_sym, ] }.flatten) end newproperty(:src_type, required_features: :address_type, array_matching: :all) do desc <<-PUPPETCODE The source address type. For example: src_type => ['LOCAL'] Can be one of: * UNSPEC - an unspecified address * UNICAST - a unicast address * LOCAL - a local address * BROADCAST - a broadcast address * ANYCAST - an anycast packet * MULTICAST - a multicast address * BLACKHOLE - a blackhole address * UNREACHABLE - an unreachable address * PROHIBIT - a prohibited address * THROW - undocumented * NAT - undocumented * XRESOLVE - undocumented In addition, it accepts '--limit-iface-in' and '--limit-iface-out' flags, specified as: src_type => ['LOCAL --limit-iface-in'] It can also be negated using '!': src_type => ['! LOCAL'] Will accept a single element or an array. PUPPETCODE newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].map { |address_type| [ address_type, "! #{address_type}".to_sym, "#{address_type} --limit-iface-in".to_sym, "#{address_type} --limit-iface-out".to_sym, "! #{address_type} --limit-iface-in".to_sym, "! #{address_type} --limit-iface-out".to_sym, ] }.flatten) end newproperty(:proto) do desc <<-PUPPETCODE The specific protocol to match for this rule. PUPPETCODE newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| [proto, "! #{proto}".to_sym] }.flatten) defaultto 'tcp' end # tcp-specific newproperty(:mss) do desc <<-PUPPETCODE Match a given TCP MSS value or range. PUPPETCODE end # tcp-specific newproperty(:tcp_flags, required_features: :tcp_flags) do desc <<-PUPPETCODE Match when the TCP flags are as specified. Is a string with a list of comma-separated flag names for the mask, then a space, then a comma-separated list of flags that should be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE Note that you specify them in the order that iptables --list-rules would list them to avoid having puppet think you changed the flags. Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the ACK,RST and FIN bits cleared. Such packets are used to request TCP connection initiation. PUPPETCODE end # Iptables specific newproperty(:chain, required_features: :iptables) do desc <<-PUPPETCODE Name of the chain to use. Can be one of the built-ins: * INPUT * FORWARD * OUTPUT * PREROUTING * POSTROUTING Or you can provide a user-based chain. PUPPETCODE defaultto 'INPUT' newvalue(%r{^[a-zA-Z0-9\-_]+$}) end newproperty(:table, required_features: :iptables) do desc <<-PUPPETCODE Table to use. Can be one of: * nat * mangle * filter * raw * rawpost PUPPETCODE newvalues(:nat, :mangle, :filter, :raw, :rawpost) defaultto 'filter' end newproperty(:jump, required_features: :iptables) do desc <<-PUPPETCODE The value for the iptables --jump parameter. Normal values are: * QUEUE * RETURN * DNAT * SNAT * LOG * NFLOG * MASQUERADE * REDIRECT * MARK * CT But any valid chain name is allowed. For the values ACCEPT, DROP, and REJECT, you must use the generic 'action' parameter. This is to enfore the use of generic parameters where possible for maximum cross-platform modelling. If you set both 'accept' and 'jump' parameters, you will get an error as only one of the options should be set. PUPPETCODE validate do |value| unless %r{^[a-zA-Z0-9\-_]+$}.match?(value) raise ArgumentError, <<-PUPPETCODE Jump destination must consist of alphanumeric characters, an underscore or a hyphen. PUPPETCODE end if ['accept', 'reject', 'drop'].include?(value.downcase) raise ArgumentError, <<-PUPPETCODE Jump destination should not be one of ACCEPT, REJECT or DROP. Use the action property instead. PUPPETCODE end end end newproperty(:goto, required_features: :iptables) do desc <<-PUPPETCODE The value for the iptables --goto parameter. Normal values are: * QUEUE * RETURN * DNAT * SNAT * LOG * MASQUERADE * REDIRECT * MARK But any valid chain name is allowed. PUPPETCODE validate do |value| unless %r{^[a-zA-Z0-9\-_]+$}.match?(value) raise ArgumentError, <<-PUPPETCODE Goto destination must consist of alphanumeric characters, an underscore or a hyphen. PUPPETCODE end if ['accept', 'reject', 'drop'].include?(value.downcase) raise ArgumentError, <<-PUPPETCODE Goto destination should not be one of ACCEPT, REJECT or DROP. Use the action property instead. PUPPETCODE end end end # Interface specific matching properties newproperty(:iniface, required_features: :interface_match) do desc <<-PUPPETCODE Input interface to filter on. Supports interface alias like eth0:0. To negate the match try this: iniface => '! lo', PUPPETCODE newvalues(%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}) end newproperty(:outiface, required_features: :interface_match) do desc <<-PUPPETCODE Output interface to filter on. Supports interface alias like eth0:0. To negate the match try this: outiface => '! lo', PUPPETCODE newvalues(%r{^!?\s?[a-zA-Z0-9\-\._\+\:@]+$}) end # NAT specific properties newproperty(:tosource, required_features: :snat) do desc <<-PUPPETCODE When using jump => "SNAT" you can specify the new source address using this parameter. PUPPETCODE end newproperty(:todest, required_features: :dnat) do desc <<-PUPPETCODE When using jump => "DNAT" you can specify the new destination address using this paramter. PUPPETCODE end newproperty(:toports, required_features: :dnat) do desc <<-PUPPETCODE For DNAT this is the port that will replace the destination port. PUPPETCODE end newproperty(:to, required_features: :netmap) do desc <<-PUPPETCODE For NETMAP this will replace the destination IP PUPPETCODE end newproperty(:random_fully, required_features: :random_fully) do desc <<-PUPPETCODE When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable fully randomized port mapping. **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2 PUPPETCODE newvalues(:true, :false) end newproperty(:random, required_features: :dnat) do desc <<-PUPPETCODE When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT" this boolean will enable randomized port mapping. PUPPETCODE newvalues(:true, :false) end # Reject ICMP type newproperty(:reject, required_features: :reject_type) do desc <<-PUPPETCODE When combined with action => "REJECT" you can specify a different icmp response to be sent back to the packet sender. PUPPETCODE end # Logging properties newproperty(:log_level, required_features: :log_level) do desc <<-PUPPETCODE When combined with jump => "LOG" specifies the system log level to log to. PUPPETCODE munge do |value| if value.is_a?(String) value = @resource.log_level_name_to_number(value) else value end if value.nil? && value != '' raise('Unable to determine log level') end value end end newproperty(:log_prefix, required_features: :log_prefix) do desc <<-PUPPETCODE When combined with jump => "LOG" specifies the log prefix to use when logging. PUPPETCODE munge do |value| if value == '' raise('log_prefix should not be an empty string') end value end end newproperty(:log_uid, required_features: :log_uid) do desc <<-PUPPETCODE When combined with jump => "LOG" specifies the uid of the process making the connection. PUPPETCODE newvalues(:true, :false) end newproperty(:log_tcp_sequence, required_features: :log_tcp_sequence) do desc <<-PUPPETCODE When combined with jump => "LOG" enables logging of the TCP sequence numbers. PUPPETCODE newvalues(:true, :false) end newproperty(:log_tcp_options, required_features: :log_tcp_options) do desc <<-PUPPETCODE When combined with jump => "LOG" logging of the TCP packet header. PUPPETCODE newvalues(:true, :false) end newproperty(:log_ip_options, required_features: :log_ip_options) do desc <<-PUPPETCODE When combined with jump => "LOG" logging of the TCP IP/IPv6 packet header. PUPPETCODE newvalues(:true, :false) end newproperty(:nflog_group, required_features: :nflog_group) do desc <<-PUPPETCODE Used with the jump target NFLOG. The netlink group (0 - 2^16-1) to which packets are (only applicable for nfnetlink_log). Defaults to 0. PUPPETCODE validate do |value| if value.to_i > (2**16) - 1 || value.to_i < 0 raise ArgumentError, 'nflog_group must be between 0 and 2^16-1' end end munge do |value| if value.is_a?(String) && value =~ %r{^[-0-9]+$} Integer(value) else value end end end newproperty(:nflog_prefix, required_features: :nflog_prefix) do desc <<-PUPPETCODE Used with the jump target NFLOG. A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs. PUPPETCODE validate do |value| if value.length > 64 raise ArgumentError, 'nflog_prefix must be less than 64 characters.' end end end newproperty(:nflog_range, required_features: :nflog_range) do desc <<-PUPPETCODE Used with the jump target NFLOG. The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it. PUPPETCODE end newproperty(:nflog_threshold, required_features: :nflog_threshold) do desc <<-PUPPETCODE Used with the jump target NFLOG. Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. Defaults to 1. PUPPETCODE munge do |value| if value.is_a?(String) && value =~ %r{^[-0-9]+$} Integer(value) else value end end end # ICMP matching property newproperty(:icmp, required_features: :icmp_match) do desc <<-PUPPETCODE When matching ICMP packets, this is the type of ICMP packet to match. A value of "any" is not supported. To achieve this behaviour the parameter should simply be omitted or undefined. An array of values is also not supported. To match against multiple ICMP types, please use separate rules for each ICMP type. PUPPETCODE validate do |value| if value == 'any' raise ArgumentError, "Value 'any' is not valid. This behaviour should be achieved " \ 'by omitting or undefining the ICMP parameter.' end if value.is_a?(Array) raise ArgumentError, 'Argument must not be an array of values. To match multiple ' \ 'ICMP types, please use separate rules for each ICMP type.' end end munge do |value| if value.is_a?(String) # ICMP codes differ between IPv4 and IPv6. case @resource[:provider] when :iptables protocol = 'inet' when :ip6tables protocol = 'inet6' else raise('cannot work out protocol family') end value = @resource.icmp_name_to_number(value, protocol) else value end if value.nil? && value != '' raise('cannot work out icmp type') end value end end newproperty(:state, array_matching: :all, required_features: :state_match) do desc <<-PUPPETCODE Matches a packet based on its state in the firewall stateful inspection table. Values can be: * INVALID * ESTABLISHED * NEW * RELATED * UNTRACKED PUPPETCODE newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED) # States should always be sorted. This normalizes the resource states to # keep it consistent with the sorted result from iptables-save. def should=(values) @should = super(values).sort_by { |sym| sym.to_s } end def to_s?(value) should_to_s(value) end def should_to_s(value) value = [value] unless value.is_a?(Array) value.join(',') end end newproperty(:ctstate, array_matching: :all, required_features: :conntrack) do desc <<-PUPPETCODE Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Values can be: * INVALID * ESTABLISHED * NEW * RELATED * UNTRACKED * SNAT * DNAT PUPPETCODE newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED, :UNTRACKED, :SNAT, :DNAT) # States should always be sorted. This normalizes the resource states to # keep it consistent with the sorted result from iptables-save. def should=(values) @should = super(values).sort_by { |sym| sym.to_s } end def to_s?(value) should_to_s(value) end def should_to_s(value) value = [value] unless value.is_a?(Array) value.join(',') end end newproperty(:ctproto, required_features: :conntrack) do desc <<-PUPPETCODE The specific layer-4 protocol number to match for this rule using the conntrack module. PUPPETCODE newvalue(%r{^!?\s?\d+$}) end newproperty(:ctorigsrc, required_features: :conntrack) do desc <<-PUPPETCODE The original source address using the conntrack module. For example: ctorigsrc => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctorigsrc => '! 192.168.2.0/24' The ctorigsrc can also be an IPv6 address if your provider supports it. PUPPETCODE munge do |value| case @resource[:provider] when :iptables protocol = :IPv4 when :ip6tables protocol = :IPv6 else raise('cannot work out protocol family') end begin @resource.host_to_mask(value, protocol) if protocol == :IPv4 value.chomp('/32') elsif protocol == :IPv6 value.chomp('/128') end rescue StandardError => e raise("host_to_ip failed for #{value}, exception #{e}") end end end newproperty(:ctorigdst, required_features: :conntrack) do desc <<-PUPPETCODE The original destination address using the conntrack module. For example: ctorigdst => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctorigdst => '! 192.168.2.0/24' The ctorigdst can also be an IPv6 address if your provider supports it. PUPPETCODE munge do |value| case @resource[:provider] when :iptables protocol = :IPv4 when :ip6tables protocol = :IPv6 else raise('cannot work out protocol family') end begin @resource.host_to_mask(value, protocol) if protocol == :IPv4 value.chomp('/32') elsif protocol == :IPv6 value.chomp('/128') end rescue StandardError => e raise("host_to_ip failed for #{value}, exception #{e}") end end end newproperty(:ctreplsrc, required_features: :conntrack) do desc <<-PUPPETCODE The reply source address using the conntrack module. For example: ctreplsrc => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctreplsrc => '! 192.168.2.0/24' The ctreplsrc can also be an IPv6 address if your provider supports it. PUPPETCODE munge do |value| case @resource[:provider] when :iptables protocol = :IPv4 when :ip6tables protocol = :IPv6 else raise('cannot work out protocol family') end begin @resource.host_to_mask(value, protocol) if protocol == :IPv4 value.chomp('/32') elsif protocol == :IPv6 value.chomp('/128') end rescue StandardError => e raise("host_to_ip failed for #{value}, exception #{e}") end end end newproperty(:ctrepldst, required_features: :conntrack) do desc <<-PUPPETCODE The reply destination address using the conntrack module. For example: ctrepldst => '192.168.2.0/24' You can also negate a mask by putting ! in front. For example: ctrepldst => '! 192.168.2.0/24' The ctrepldst can also be an IPv6 address if your provider supports it. PUPPETCODE munge do |value| case @resource[:provider] when :iptables protocol = :IPv4 when :ip6tables protocol = :IPv6 else raise('cannot work out protocol family') end begin @resource.host_to_mask(value, protocol) if protocol == :IPv4 value.chomp('/32') elsif protocol == :IPv6 value.chomp('/128') end rescue StandardError => e raise("host_to_ip failed for #{value}, exception #{e}") end end end newproperty(:ctorigsrcport, required_features: :conntrack) do desc <<-PUPPETCODE The original source port to match for this filter using the conntrack module. For example: ctorigsrcport => '80' You can also specify a port range: For example: ctorigsrcport => '80:81' You can also negate a port by putting ! in front. For example: ctorigsrcport => '! 80' PUPPETCODE newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) end newproperty(:ctorigdstport, required_features: :conntrack) do desc <<-PUPPETCODE The original destination port to match for this filter using the conntrack module. For example: ctorigdstport => '80' You can also specify a port range: For example: ctorigdstport => '80:81' You can also negate a port by putting ! in front. For example: ctorigdstport => '! 80' PUPPETCODE newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) end newproperty(:ctreplsrcport, required_features: :conntrack) do desc <<-PUPPETCODE The reply source port to match for this filter using the conntrack module. For example: ctreplsrcport => '80' You can also specify a port range: For example: ctreplsrcport => '80:81' You can also negate a port by putting ! in front. For example: ctreplsrcport => '! 80' PUPPETCODE newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) end newproperty(:ctrepldstport, required_features: :conntrack) do desc <<-PUPPETCODE The reply destination port to match for this filter using the conntrack module. For example: ctrepldstport => '80' You can also specify a port range: For example: ctrepldstport => '80:81' You can also negate a port by putting ! in front. For example: ctrepldstport => '! 80' PUPPETCODE newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) end newproperty(:ctstatus, array_matching: :all, required_features: :conntrack) do desc <<-PUPPETCODE Matches a packet based on its status using the conntrack module. Values can be: * EXPECTED * SEEN_REPLY * ASSURED * CONFIRMED PUPPETCODE newvalues(:NONE, :EXPECTED, :SEEN_REPLY, :ASSURED, :CONFIRMED) # Statuses should always be sorted. This normalizes the resource status to # keep it consistent with the sorted result from iptables-save. def should=(values) @should = super(values).sort_by { |sym| sym.to_s } end def to_s?(value) should_to_s(value) end def should_to_s(value) value = [value] unless value.is_a?(Array) value.join(',') end end newproperty(:ctexpire, required_features: :conntrack) do desc <<-PUPPETCODE Matches a packet based on lifetime remaining in seconds or range of values using the conntrack module. For example: ctexpire => '100:150' PUPPETCODE newvalue(%r{^!?\s?\d+$|^!?\s?\d+\:\d+$}) end newproperty(:ctdir, required_features: :conntrack) do desc <<-PUPPETCODE Matches a packet that is flowing in the specified direction using the conntrack module. If this flag is not specified at all, matches packets in both directions. Values can be: * REPLY * ORIGINAL PUPPETCODE newvalues(:REPLY, :ORIGINAL) end # Connection mark newproperty(:connmark, required_features: :mark) do desc <<-PUPPETCODE Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already. PUPPETCODE munge do |value| int_or_hex = '[a-fA-F0-9x]' match = value.to_s.match("(#{int_or_hex}+)(/)?(#{int_or_hex}+)?") mark = @resource.to_hex32(match[1]) # Values that can't be converted to hex. # Or contain a trailing slash with no mask. if mark.nil? || (mark && match[2] && match[3].nil?) raise ArgumentError, 'MARK value must be integer or hex between 0 and 0xffffffff' end # There should not be a mask on connmark unless match[3].nil? raise ArgumentError, 'iptables does not support masks on MARK match rules' end value = mark value end end # Connection limiting properties newproperty(:connlimit_above, required_features: :connection_limiting) do desc <<-PUPPETCODE Connection limiting value for matched connections above n. PUPPETCODE newvalue(%r{^\d+$}) end newproperty(:connlimit_mask, required_features: :connection_limiting) do desc <<-PUPPETCODE Connection limiting by subnet mask for matched connections. IPv4: 0-32 IPv6: 0-128 PUPPETCODE newvalue(%r{^\d+$}) end # Hop limiting properties newproperty(:hop_limit, required_features: :hop_limiting) do desc <<-PUPPETCODE Hop limiting value for matched packets. PUPPETCODE newvalue(%r{^\d+$}) end # Rate limiting properties newproperty(:limit, required_features: :rate_limiting) do desc <<-PUPPETCODE Rate limiting value for matched packets. The format is: rate/[/second/|/minute|/hour|/day]. Example values are: '50/sec', '40/min', '30/hour', '10/day'." PUPPETCODE end newproperty(:burst, required_features: :rate_limiting) do desc <<-PUPPETCODE Rate limiting burst value (per second) before limit checks apply. PUPPETCODE newvalue(%r{^\d+$}) end newproperty(:uid, required_features: :owner) do desc <<-PUPPETCODE UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. PUPPETCODE def insync?(is) require 'etc' # The following code allow us to take into consideration unix mappings # between string usernames and UIDs (integers). We also need to ignore # spaces as they are irrelevant with respect to rule sync. # Remove whitespace is = is.gsub(%r{\s+}, '') should = @should.first.to_s.gsub(%r{\s+}, '') # Keep track of negation, but remove the '!' is_negate = '' should_negate = '' if is.start_with?('!') is = is.gsub(%r{^!}, '') is_negate = '!' end if should.start_with?('!') should = should.gsub(%r{^!}, '') should_negate = '!' end # If 'should' contains anything other than digits, # we assume that we have to do a lookup to convert # to UID unless should[%r{[0-9]+}] == should should = Etc.getpwnam(should).uid end # If 'is' contains anything other than digits, # we assume that we have to do a lookup to convert # to UID unless is[%r{[0-9]+}] == is is = Etc.getpwnam(is).uid end "#{is_negate}#{is}" == "#{should_negate}#{should}" end end newproperty(:gid, required_features: :owner) do desc <<-PUPPETCODE GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement. PUPPETCODE def insync?(is) require 'etc' # The following code allow us to take into consideration unix mappings # between string group names and GIDs (integers). We also need to ignore # spaces as they are irrelevant with respect to rule sync. # Remove whitespace is = is.gsub(%r{\s+}, '') should = @should.first.to_s.gsub(%r{\s+}, '') # Keep track of negation, but remove the '!' is_negate = '' should_negate = '' if is.start_with?('!') is = is.gsub(%r{^!}, '') is_negate = '!' end if should.start_with?('!') should = should.gsub(%r{^!}, '') should_negate = '!' end # If 'should' contains anything other than digits, # we assume that we have to do a lookup to convert # to UID unless should[%r{[0-9]+}] == should should = Etc.getgrnam(should).gid end # If 'is' contains anything other than digits, # we assume that we have to do a lookup to convert # to UID unless is[%r{[0-9]+}] == is is = Etc.getgrnam(is).gid end "#{is_negate}#{is}" == "#{should_negate}#{should}" end end # match mark newproperty(:match_mark, required_features: :mark) do desc <<-PUPPETCODE Match the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already. PUPPETCODE munge do |value| mark_regex = %r{\A((?:0x)?[0-9A-F]+)(/)?((?:0x)?[0-9A-F]+)?\z}i match = value.to_s.match(mark_regex) if match.nil? raise ArgumentError, 'Match MARK value must be integer or hex between 0 and 0xffffffff' end mark = @resource.to_hex32(match[1]) # Values that can't be converted to hex. # Or contain a trailing slash with no mask. if mark.nil? || (mark && match[2] && match[3].nil?) raise ArgumentError, 'Match MARK value must be integer or hex between 0 and 0xffffffff' end # There should not be a mask on match_mark unless match[3].nil? raise ArgumentError, 'iptables does not support masks on MARK match rules' end value = mark value end end newproperty(:set_mark, required_features: :mark) do desc <<-PUPPETCODE Set the Netfilter mark value associated with the packet. Accepts either of: mark/mask or mark. These will be converted to hex if they are not already. PUPPETCODE munge do |value| int_or_hex = '[a-fA-F0-9x]' match = value.to_s.match("(#{int_or_hex}+)(/)?(#{int_or_hex}+)?") mark = @resource.to_hex32(match[1]) # Values that can't be converted to hex. # Or contain a trailing slash with no mask. if mark.nil? || (mark && match[2] && match[3].nil?) raise ArgumentError, 'MARK value must be integer or hex between 0 and 0xffffffff' end # Old iptables does not support a mask. New iptables will expect one. iptables_version = Facter.value('iptables_version') mask_required = (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.4.1') >= 0) if mask_required if match[3].nil? value = "#{mark}/0xffffffff" else mask = @resource.to_hex32(match[3]) if mask.nil? raise ArgumentError, 'MARK mask must be integer or hex between 0 and 0xffffffff' end value = "#{mark}/#{mask}" end else unless match[3].nil? raise ArgumentError, "iptables version #{iptables_version} does not support masks on MARK rules" end value = mark end value end end newproperty(:clamp_mss_to_pmtu, required_features: :iptables) do desc <<-PUPPETCODE Sets the clamp mss to pmtu flag. PUPPETCODE newvalues(:true, :false) end newproperty(:set_dscp, required_features: :iptables) do desc <<-PUPPETCODE Set DSCP Markings. PUPPETCODE end newproperty(:set_dscp_class, required_features: :iptables) do desc <<-PUPPETCODE This sets the DSCP field according to a predefined DiffServ class. PUPPETCODE # iptables uses the cisco DSCP classes as the basis for this flag. Values may be found here: # 'http://www.cisco.com/c/en/us/support/docs/quality-of-service-qos/qos-packet-marking/10103-dscpvalues.html' valid_codes = ['af11', 'af12', 'af13', 'af21', 'af22', 'af23', 'af31', 'af32', 'af33', 'af41', 'af42', 'af43', 'cs1', 'cs2', 'cs3', 'cs4', 'cs5', 'cs6', 'cs7', 'ef'] munge do |value| unless valid_codes.include? value.downcase raise ArgumentError, "#{value} is not a valid DSCP Class" end value.downcase end end newproperty(:set_mss, required_features: :iptables) do desc <<-PUPPETCODE Sets the TCP MSS value for packets. PUPPETCODE end newproperty(:pkttype, required_features: :pkttype) do desc <<-PUPPETCODE Sets the packet type to match. PUPPETCODE newvalues(:unicast, :broadcast, :multicast) end newproperty(:isfragment, required_features: :isfragment) do desc <<-PUPPETCODE Set to true to match tcp fragments (requires type to be set to tcp) PUPPETCODE newvalues(:true, :false) end newproperty(:recent, required_features: :recent_limiting) do desc <<-PUPPETCODE Enable the recent module. Takes as an argument one of set, update, rcheck or remove. For example: ``` # If anyone's appeared on the 'badguy' blacklist within # the last 60 seconds, drop their traffic, and update the timestamp. firewall { '100 Drop badguy traffic': recent => 'update', rseconds => 60, rsource => true, rname => 'badguy', action => 'DROP', chain => 'FORWARD', } ``` ``` # No-one should be sending us traffic on eth0 from the # localhost, Blacklist them firewall { '101 blacklist strange traffic': recent => 'set', rsource => true, rname => 'badguy', destination => '127.0.0.0/8', iniface => 'eth0', action => 'DROP', chain => 'FORWARD', } ``` PUPPETCODE newvalues(:set, :update, :rcheck, :remove) munge do |value| _value = '--' + value end end newproperty(:rdest, required_features: :recent_limiting) do desc <<-PUPPETCODE Recent module; add the destination IP address to the list. Must be boolean true. PUPPETCODE newvalues(:true, :false) end newproperty(:rsource, required_features: :recent_limiting) do desc <<-PUPPETCODE Recent module; add the source IP address to the list. Must be boolean true. PUPPETCODE newvalues(:true, :false) end newproperty(:rname, required_features: :recent_limiting) do desc <<-PUPPETCODE Recent module; The name of the list. Takes a string argument. PUPPETCODE end newproperty(:rseconds, required_features: :recent_limiting) do desc <<-PUPPETCODE Recent module; used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds. PUPPETCODE end newproperty(:reap, required_features: :recent_limiting) do desc <<-PUPPETCODE Recent module; can only be used in conjunction with the `rseconds` attribute. When used, this will cause entries older than 'seconds' to be purged. Must be boolean true. PUPPETCODE newvalues(:true, :false) end newproperty(:rhitcount, required_features: :recent_limiting) do desc <<-PUPPETCODE Recent module; used in conjunction with `recent => 'update'` or `recent => 'rcheck'. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. PUPPETCODE end newproperty(:rttl, required_features: :recent_limiting) do desc <<-PUPPETCODE Recent module; may only be used in conjunction with one of `recent => 'rcheck'` or `recent => 'update'`. When used, this will narrow the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the `recent => 'set'` rule. This may be useful if you have problems with people faking their source address in order to DoS you via this module by disallowing others access to your site by sending bogus packets to you. Must be boolean true. PUPPETCODE newvalues(:true, :false) end newproperty(:rpfilter, required_features: :rpfilter) do desc <<-PUPPETCODE Enable the rpfilter module. PUPPETCODE newvalues(:loose, :validmark, :'accept-local', :invert) munge do |value| _value = '--' + value end end newproperty(:socket, required_features: :socket) do desc <<-PUPPETCODE If true, matches if an open socket can be found by doing a coket lookup on the packet. PUPPETCODE newvalues(:true, :false) end newproperty(:ishasmorefrags, required_features: :ishasmorefrags) do desc <<-PUPPETCODE If true, matches if the packet has it's 'more fragments' bit set. ipv6. PUPPETCODE newvalues(:true, :false) end newproperty(:islastfrag, required_features: :islastfrag) do desc <<-PUPPETCODE If true, matches if the packet is the last fragment. ipv6. PUPPETCODE newvalues(:true, :false) end newproperty(:isfirstfrag, required_features: :isfirstfrag) do desc <<-PUPPETCODE If true, matches if the packet is the first fragment. Sadly cannot be negated. ipv6. PUPPETCODE newvalues(:true, :false) end newproperty(:ipsec_policy, required_features: :ipsec_policy) do desc <<-PUPPETCODE Sets the ipsec policy type. May take a combination of arguments for any flags that can be passed to `--pol ipsec` such as: `--strict`, `--reqid 100`, `--next`, `--proto esp`, etc. PUPPETCODE newvalues(:none, :ipsec) end newproperty(:ipsec_dir, required_features: :ipsec_dir) do desc <<-PUPPETCODE Sets the ipsec policy direction PUPPETCODE newvalues(:in, :out) end newproperty(:stat_mode) do desc <<-PUPPETCODE Set the matching mode for statistic matching. PUPPETCODE newvalues(:nth, :random) end newproperty(:stat_every) do desc <<-PUPPETCODE Match one packet every nth packet. Requires `stat_mode => 'nth'` PUPPETCODE validate do |value| unless %r{^\d+$}.match?(value) raise ArgumentError, <<-PUPPETCODE stat_every value must be a digit PUPPETCODE end unless value.to_i > 0 raise ArgumentError, <<-PUPPETCODE stat_every value must be larger than 0 PUPPETCODE end end end newproperty(:stat_packet) do desc <<-PUPPETCODE Set the initial counter value for the nth mode. Must be between 0 and the value of `stat_every`. Defaults to 0. Requires `stat_mode => 'nth'` PUPPETCODE newvalues(%r{^\d+$}) end newproperty(:stat_probability) do desc <<-PUPPETCODE Set the probability from 0 to 1 for a packet to be randomly matched. It works only with `stat_mode => 'random'`. PUPPETCODE validate do |value| unless value =~ %r{^([01])\.(\d+)$} raise ArgumentError, <<-PUPPETCODE stat_probability must be between 0.0 and 1.0 PUPPETCODE end if Regexp.last_match(1).to_i == 1 && Regexp.last_match(2).to_i != 0 raise ArgumentError, <<-PUPPETCODE start_probability must be between 0.0 and 1.0 PUPPETCODE end end end newproperty(:mask, required_features: :mask) do desc <<-PUPPETCODE Sets the mask to use when `recent` is enabled. PUPPETCODE end newproperty(:gateway, required_features: :iptables) do desc <<-PUPPETCODE The TEE target will clone a packet and redirect this clone to another machine on the local network segment. gateway is the target host's IP. PUPPETCODE end newproperty(:ipset, required_features: :ipset, array_matching: :all) do desc <<-PUPPETCODE Matches against the specified ipset list. Requires ipset kernel module. Will accept a single element or an array. The value is the name of the blacklist, followed by a space, and then 'src' and/or 'dst' separated by a comma. For example: 'blacklist src,dst' PUPPETCODE def to_s?(value) should_to_s(value) end def should_to_s(value) value = [value] unless value.is_a?(Array) value.join(', ') end end newproperty(:checksum_fill, required_features: :iptables) do desc <<-PUPPETCODE Compute and fill missing packet checksums. PUPPETCODE newvalues(:true, :false) end newparam(:line) do desc <<-PUPPETCODE Read-only property for caching the rule line. PUPPETCODE end newproperty(:mac_source) do desc <<-PUPPETCODE MAC Source PUPPETCODE newvalues(%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i) end newproperty(:physdev_in, required_features: :iptables) do desc <<-PUPPETCODE Match if the packet is entering a bridge from the given interface. PUPPETCODE newvalues(%r{^[a-zA-Z0-9\-\._\+]+$}) end newproperty(:physdev_out, required_features: :iptables) do desc <<-PUPPETCODE Match if the packet is leaving a bridge via the given interface. PUPPETCODE newvalues(%r{^[a-zA-Z0-9\-\._\+]+$}) end newproperty(:physdev_is_bridged, required_features: :iptables) do desc <<-PUPPETCODE Match if the packet is transversing a bridge. PUPPETCODE newvalues(:true, :false) end newproperty(:physdev_is_in, required_features: :iptables) do desc <<-PUPPETCODE Matches if the packet has entered through a bridge interface. PUPPETCODE newvalues(:true, :false) end newproperty(:physdev_is_out, required_features: :iptables) do desc <<-PUPPETCODE Matches if the packet will leave through a bridge interface. PUPPETCODE newvalues(:true, :false) end newproperty(:date_start, required_features: :iptables) do desc <<-PUPPETCODE Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 PUPPETCODE end newproperty(:date_stop, required_features: :iptables) do desc <<-PUPPETCODE Only match during the given time, which must be in ISO 8601 "T" notation. The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07 PUPPETCODE end newproperty(:time_start, required_features: :iptables) do desc <<-PUPPETCODE Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. PUPPETCODE munge do |value| if %r{^([0-9]):}.match?(value) value = "0#{value}" end if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(value) value = "#{value}:00" end value end end newproperty(:time_stop, required_features: :iptables) do desc <<-PUPPETCODE Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10. PUPPETCODE munge do |value| if %r{^([0-9]):}.match?(value) value = "0#{value}" end if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(value) value = "#{value}:00" end value end end newproperty(:month_days, required_features: :iptables) do desc <<-PUPPETCODE Only match on the given days of the month. Possible values are 1 to 31. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February. PUPPETCODE validate do |value| month = value.to_i if month >= 1 && month <= 31 value else raise ArgumentError, 'month_days must be in the range of 1-31' end end end newproperty(:week_days, required_features: :iptables) do desc <<-PUPPETCODE Only match on the given weekdays. PUPPETCODE newvalues(:Mon, :Tue, :Wed, :Thu, :Fri, :Sat, :Sun) end newproperty(:time_contiguous, required_features: :iptables) do desc <<-PUPPETCODE When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals. PUPPETCODE newvalues(:true, :false) end newproperty(:kernel_timezone, required_features: :iptables) do desc <<-PUPPETCODE Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations. PUPPETCODE newvalues(:true, :false) end newproperty(:clusterip_new, required_features: :clusterip) do desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. PUPPETCODE newvalues(:true, :false) end newproperty(:clusterip_hashmode, required_features: :clusterip) do desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the hashing mode. PUPPETCODE newvalues(:sourceip, :'sourceip-sourceport', :'sourceip-sourceport-destport') end newproperty(:clusterip_clustermac, required_features: :clusterip) do desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the ClusterIP MAC address. Has to be a link-layer multicast address. PUPPETCODE newvalues(%r{^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$}i) end newproperty(:clusterip_total_nodes, required_features: :clusterip) do desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Number of total nodes within this cluster. PUPPETCODE newvalues(%r{\d+}) end newproperty(:clusterip_local_node, required_features: :clusterip) do desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization. PUPPETCODE newvalues(%r{\d+}) end newproperty(:clusterip_hash_init, required_features: :clusterip) do desc <<-PUPPETCODE Used with the CLUSTERIP jump target. Specify the random seed used for hash initialization. PUPPETCODE end newproperty(:length, required_features: :length) do desc <<-PUPPETCODE Sets the length of layer-3 payload to match. PUPPETCODE munge do |value| match = value.to_s.match('^([0-9]+)(-)?([0-9]+)?$') if match.nil? raise ArgumentError, 'Length value must either be an integer or a range' end low = match[1].to_i unless match[3].nil? high = match[3].to_i end if (low < 0 || low > 65_535) || \ (!high.nil? && (high < 0 || high > 65_535 || high < low)) raise ArgumentError, 'Length values must be between 0 and 65535' end value = low.to_s unless high.nil? value << ':' << high.to_s end value end end newproperty(:string, required_features: :string_matching) do desc <<-PUPPETCODE String matching feature. Matches the packet against the pattern given as an argument. PUPPETCODE end newproperty(:string_hex) do desc <<-PUPPETCODE String matching feature. Matches the package against the hex pattern given as an argument. PUPPETCODE munge do |value| _value = if value.include?('!') value.split('|').map { |x| x.include?('!') ? x : "|#{x.delete(' ')}|" }.join else value.delete(' ') end end end newproperty(:string_algo, required_features: :string_matching) do desc <<-PUPPETCODE String matching feature, pattern matching strategy. PUPPETCODE newvalues(:bm, :kmp) end newproperty(:string_from, required_features: :string_matching) do desc <<-PUPPETCODE String matching feature, offset from which we start looking for any matching. PUPPETCODE end newproperty(:string_to, required_features: :string_matching) do desc <<-PUPPETCODE String matching feature, offset up to which we should scan. PUPPETCODE end newproperty(:queue_num, required_features: :queue_num) do desc <<-PUPPETCODE Used with NFQUEUE jump target. What queue number to send packets to PUPPETCODE munge do |value| match = value.to_s.match('^([0-9])*$') if match.nil? raise ArgumentError, 'queue_num must be an integer' end if match[1].to_i > 65_535 || match[1].to_i < 0 raise ArgumentError, 'queue_num must be between 0 and 65535' end value end end newproperty(:queue_bypass, required_features: :queue_bypass) do desc <<-PUPPETCODE Used with NFQUEUE jump target Allow packets to bypass :queue_num if userspace process is not listening PUPPETCODE newvalues(:true, :false) end newproperty(:src_cc) do desc <<-PUPPETCODE src attribute for the module geoip PUPPETCODE newvalues(%r{^[A-Z]{2}(,[A-Z]{2})*$}) end newproperty(:dst_cc) do desc <<-PUPPETCODE dst attribute for the module geoip PUPPETCODE newvalues(%r{^[A-Z]{2}(,[A-Z]{2})*$}) end newproperty(:hashlimit_name) do desc <<-PUPPETCODE The name for the /proc/net/ipt_hashlimit/foo entry. This parameter is required. PUPPETCODE end newproperty(:hashlimit_upto) do desc <<-PUPPETCODE Match if the rate is below or equal to amount/quantum. It is specified either as a number, with an optional time quantum suffix (the default is 3/hour), or as amountb/second (number of bytes per second). This parameter or hashlimit_above is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'. PUPPETCODE end newproperty(:hashlimit_above) do desc <<-PUPPETCODE Match if the rate is above amount/quantum. This parameter or hashlimit_upto is required. Allowed forms are '40','40/second','40/minute','40/hour','40/day'. PUPPETCODE end newproperty(:hashlimit_burst) do desc <<-PUPPETCODE Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5. When byte-based rate matching is requested, this option specifies the amount of bytes that can exceed the given rate. This option should be used with caution -- if the entry expires, the burst value is reset too. PUPPETCODE newvalue(%r{^\d+$}) end newproperty(:hashlimit_mode) do desc <<-PUPPETCODE A comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive of doing the hash housekeeping. Allowed values are: srcip, srcport, dstip, dstport PUPPETCODE end newproperty(:hashlimit_srcmask) do desc <<-PUPPETCODE When --hashlimit-mode srcip is used, all source addresses encountered will be grouped according to the given prefix length and the so-created subnet will be subject to hashlimit. prefix must be between (inclusive) 0 and 32. Note that --hashlimit-srcmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive. PUPPETCODE end newproperty(:hashlimit_dstmask) do desc <<-PUPPETCODE Like --hashlimit-srcmask, but for destination addresses. PUPPETCODE end newproperty(:hashlimit_htable_size) do desc <<-PUPPETCODE The number of buckets of the hash table PUPPETCODE end newproperty(:hashlimit_htable_max) do desc <<-PUPPETCODE Maximum entries in the hash. PUPPETCODE end newproperty(:hashlimit_htable_expire) do desc <<-PUPPETCODE After how many milliseconds do hash entries expire. PUPPETCODE end newproperty(:hashlimit_htable_gcinterval) do desc <<-PUPPETCODE How many milliseconds between garbage collection intervals. PUPPETCODE end newproperty(:bytecode, required_features: :iptables) do desc <<-PUPPETCODE Match using Linux Socket Filter. Expects a BPF program in decimal format. This is the format generated by the nfbpf_compile utility. PUPPETCODE end newproperty(:ipvs, required_features: :ipvs) do desc <<-PUPPETCODE Indicates that the current packet belongs to an IPVS connection. PUPPETCODE newvalues(:true, :false) end newproperty(:zone, required_features: :ct_target) do desc <<-PUPPETCODE Assign this packet to zone id and only have lookups done in that zone. PUPPETCODE end newproperty(:helper, required_features: :ct_target) do desc <<-PUPPETCODE Invoke the nf_conntrack_xxx helper module for this packet. PUPPETCODE end newproperty(:cgroup) do desc <<-PUPPETCODE Matches against the net_cls cgroup ID of the packet. PUPPETCODE end newproperty(:notrack, required_features: :ct_target) do # use this parameter with latest version of iptables desc <<-PUPPETCODE Invoke the disable connection tracking for this packet. This parameter can be used with iptables version >= 1.8.3 PUPPETCODE newvalues(:true, :false) end newproperty(:condition, required_features: :condition) do desc <<-PUPPETCODE Match on boolean value (0/1) stored in /proc/net/nf_condition/name. PUPPETCODE validate do |value| unless value.is_a?(String) raise ArgumentError, <<-PUPPETCODE Condition must be a string. PUPPETCODE end end end autorequire(:firewallchain) do reqs = [] protocol = nil case value(:provider) when :iptables protocol = 'IPv4' when :ip6tables protocol = 'IPv6' end unless protocol.nil? table = value(:table) main_chains = ['INPUT', 'OUTPUT', 'FORWARD'] [value(:chain), value(:jump)].each do |chain| reqs << "#{chain}:#{table}:#{protocol}" unless chain.nil? || (main_chains.include?(chain) && table == :filter) end end reqs end # Classes would be a better abstraction, pending: # http://projects.puppetlabs.com/issues/19001 autorequire(:package) do case value(:provider) when :iptables, :ip6tables ['iptables', 'iptables-persistent', 'iptables-services'] else [] end end autorequire(:service) do case value(:provider) when :iptables, :ip6tables ['firewalld', 'iptables', 'ip6tables', 'iptables-persistent', 'netfilter-persistent'] else [] end end # autobefore is only provided since puppet 4.0 if Puppet::Util::Package.versioncmp(Puppet.version, '4.0') >= 0 # On RHEL 7 this needs to be threaded correctly to manage SE Linux permissions after persisting the rules autobefore(:file) do ['/etc/sysconfig/iptables', '/etc/sysconfig/ip6tables'] end end validate do debug('[validate]') # TODO: this is put here to skip validation if ensure is not set. This # is because there is a revalidation stage called later where the values # are not set correctly. I tried tracing it - but have put in this # workaround instead to skip. Must get to the bottom of this. unless value(:ensure) return end # First we make sure the chains and tables are valid combinations if value(:table).to_s == 'filter' && value(:chain) =~ %r{PREROUTING|POSTROUTING} raise "PREROUTING and POSTROUTING cannot be used in table 'filter'" end if value(:table).to_s == 'nat' && value(:chain) =~ %r{INPUT|FORWARD} raise "INPUT and FORWARD cannot be used in table 'nat'" end if value(:table).to_s == 'raw' && value(:chain) =~ %r{INPUT|FORWARD|POSTROUTING} raise 'INPUT, FORWARD and POSTROUTING cannot be used in table raw' end # Now we analyse the individual properties to make sure they apply to # the correct combinations. if value(:uid) unless %r{OUTPUT|POSTROUTING}.match?(value(:chain).to_s) raise 'Parameter uid only applies to chains ' \ 'OUTPUT,POSTROUTING' end end if value(:gid) unless %r{OUTPUT|POSTROUTING}.match?(value(:chain).to_s) raise 'Parameter gid only applies to chains ' \ 'OUTPUT,POSTROUTING' end end if value(:set_mark) unless value(:jump).to_s.include?('MARK') && value(:table).to_s.include?('mangle') raise 'Parameter set_mark only applies to ' \ 'the mangle table and when jump => MARK' end end if value(:dport) unless %r{tcp|udp|sctp}.match?(value(:proto).to_s) raise '[%s] Parameter dport only applies to sctp, tcp and udp ' \ 'protocols. Current protocol is [%s] and dport is [%s]' % [value(:name), should(:proto), should(:dport)] end end if value(:jump).to_s == 'DSCP' unless value(:set_dscp) || value(:set_dscp_class) raise 'When using jump => DSCP, the set_dscp or set_dscp_class property is required' end end if value(:jump).to_s == 'TCPMSS' unless value(:set_mss) || value(:clamp_mss_to_pmtu) raise 'When using jump => TCPMSS, the set_mss or clamp_mss_to_pmtu property is required' end end if value(:jump).to_s == 'TEE' unless value(:gateway) raise 'When using jump => TEE, the gateway property is required' end end if value(:jump).to_s == 'DNAT' unless %r{nat}.match?(value(:table).to_s) raise 'Parameter jump => DNAT only applies to table => nat' end unless value(:todest) raise 'Parameter jump => DNAT must have todest parameter' end end if value(:jump).to_s == 'SNAT' unless %r{nat}.match?(value(:table).to_s) raise 'Parameter jump => SNAT only applies to table => nat' end unless value(:tosource) raise 'Parameter jump => SNAT must have tosource parameter' end end if value(:jump).to_s == 'MASQUERADE' unless %r{nat}.match?(value(:table).to_s) raise 'Parameter jump => MASQUERADE only applies to table => nat' end end if value(:log_prefix) || value(:log_level) || value(:log_uid) || value(:log_tcp_sequence) || value(:log_tcp_options) || value(:log_ip_options) == :true unless value(:jump).to_s == 'LOG' raise 'Parameter log_prefix, log_level, log_tcp_sequence, log_tcp_options, log_ip_options and log_uid require jump => LOG' end end if value(:burst) && !value(:limit) raise 'burst makes no sense without limit' end if value(:action) && value(:jump) raise "Only one of the parameters 'action' and 'jump' can be set" end if value(:connlimit_mask) && !value(:connlimit_above) raise "Parameter 'connlimit_mask' requires 'connlimit_above'" end if value(:mask) && !value(:recent) raise 'Mask can only be set if recent is enabled.' end [:stat_packet, :stat_every, :stat_probability].each do |param| if value(param) && !value(:stat_mode) raise "Parameter '#{param}' requires 'stat_mode' to be set" end end if value(:stat_packet) && value(:stat_mode) != :nth raise "Parameter 'stat_packet' requires 'stat_mode' to be set to 'nth'" end if value(:stat_every) && value(:stat_mode) != :nth raise "Parameter 'stat_every' requires 'stat_mode' to be set to 'nth'" end if value(:stat_probability) && value(:stat_mode) != :random raise "Parameter 'stat_probability' requires 'stat_mode' to be set to 'random'" end if value(:checksum_fill) == :true unless value(:jump).to_s == 'CHECKSUM' && value(:table).to_s == 'mangle' raise 'Parameter checksum_fill requires jump => CHECKSUM and table => mangle' end end if value(:queue_num) || value(:queue_bypass) == :true unless value(:jump).to_s == 'NFQUEUE' raise 'Paramter queue_number and queue_bypass require jump => NFQUEUE' end end if value(:hashlimit_name) unless value(:hashlimit_upto) || value(:hashlimit_above) raise 'Either hashlimit_upto or hashlimit_above are required' end end if value(:zone) unless value(:jump).to_s == 'CT' raise 'Parameter zone requires jump => CT' end end if value(:helper) unless value(:jump).to_s == 'CT' raise 'Parameter helper requires jump => CT' end end if value(:notrack) unless value(:jump).to_s == 'CT' raise 'Parameter notrack requires jump => CT' end end if value(:jump).to_s == 'CT' unless %r{raw}.match?(value(:table).to_s) raise 'Parameter jump => CT only applies to table => raw' end end end end