cloud-mu 2.0.1 → 2.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Berksfile +2 -1
- data/bin/mu-upload-chef-artifacts +3 -0
- data/cloud-mu.gemspec +2 -2
- data/cookbooks/firewall/CHANGELOG.md +295 -0
- data/cookbooks/firewall/CONTRIBUTING.md +2 -0
- data/cookbooks/firewall/MAINTAINERS.md +19 -0
- data/cookbooks/firewall/README.md +339 -0
- data/cookbooks/firewall/attributes/default.rb +5 -0
- data/cookbooks/firewall/attributes/firewalld.rb +1 -0
- data/cookbooks/firewall/attributes/iptables.rb +17 -0
- data/cookbooks/firewall/attributes/ufw.rb +12 -0
- data/cookbooks/firewall/attributes/windows.rb +8 -0
- data/cookbooks/firewall/libraries/helpers.rb +100 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
- data/cookbooks/firewall/libraries/matchers.rb +30 -0
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
- data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
- data/cookbooks/firewall/metadata.json +1 -0
- data/cookbooks/firewall/recipes/default.rb +80 -0
- data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
- data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
- data/cookbooks/mu-firewall/metadata.rb +1 -1
- data/cookbooks/mu-master/recipes/default.rb +3 -1
- data/cookbooks/mu-master/recipes/init.rb +3 -1
- data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
- data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
- data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
- data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
- data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
- data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
- data/cookbooks/mu-tools/recipes/eks.rb +1 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
- data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
- data/environments/dev.json +1 -1
- data/environments/prod.json +1 -1
- data/modules/mu/cleanup.rb +4 -0
- data/modules/mu/clouds/aws/container_cluster.rb +3 -0
- data/modules/mu/clouds/aws/role.rb +14 -2
- data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
- data/modules/mu/clouds/aws.rb +30 -14
- data/modules/mu.rb +4 -0
- metadata +30 -2
|
@@ -0,0 +1,171 @@
|
|
|
1
|
+
#
|
|
2
|
+
# Author:: Seth Chisamore (<schisamo@opscode.com>)
|
|
3
|
+
# Cookbook:: firewall
|
|
4
|
+
# Resource:: default
|
|
5
|
+
#
|
|
6
|
+
# Copyright:: 2011-2016, Chef Software, Inc.
|
|
7
|
+
#
|
|
8
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
9
|
+
# you may not use this file except in compliance with the License.
|
|
10
|
+
# You may obtain a copy of the License at
|
|
11
|
+
#
|
|
12
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
|
13
|
+
#
|
|
14
|
+
# Unless required by applicable law or agreed to in writing, software
|
|
15
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
16
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
17
|
+
# See the License for the specific language governing permissions and
|
|
18
|
+
# limitations under the License.
|
|
19
|
+
#
|
|
20
|
+
class Chef
|
|
21
|
+
class Provider::FirewallIptables < Chef::Provider::LWRPBase
|
|
22
|
+
include FirewallCookbook::Helpers
|
|
23
|
+
include FirewallCookbook::Helpers::Iptables
|
|
24
|
+
|
|
25
|
+
provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
|
|
26
|
+
node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def whyrun_supported?
|
|
30
|
+
false
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def action_install
|
|
34
|
+
return if disabled?(new_resource)
|
|
35
|
+
|
|
36
|
+
# Ensure the package is installed
|
|
37
|
+
iptables_packages(new_resource).each do |p|
|
|
38
|
+
iptables_pkg = package p do
|
|
39
|
+
action :nothing
|
|
40
|
+
end
|
|
41
|
+
iptables_pkg.run_action(:install)
|
|
42
|
+
new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action?
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
iptables_commands(new_resource).each do |svc|
|
|
46
|
+
# must create empty file for service to start
|
|
47
|
+
unless ::File.exist?("/etc/sysconfig/#{svc}")
|
|
48
|
+
# must create empty file for service to start
|
|
49
|
+
iptables_file = lookup_or_create_rulesfile(svc)
|
|
50
|
+
iptables_file.content '# created by chef to allow service to start'
|
|
51
|
+
iptables_file.run_action(:create)
|
|
52
|
+
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
iptables_service = lookup_or_create_service(svc)
|
|
56
|
+
[:enable, :start].each do |a|
|
|
57
|
+
iptables_service.run_action(a)
|
|
58
|
+
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
def action_restart
|
|
64
|
+
return if disabled?(new_resource)
|
|
65
|
+
|
|
66
|
+
# prints all the firewall rules
|
|
67
|
+
log_iptables(new_resource)
|
|
68
|
+
|
|
69
|
+
# ensure it's initialized
|
|
70
|
+
new_resource.rules({}) unless new_resource.rules
|
|
71
|
+
ensure_default_rules_exist(node, new_resource)
|
|
72
|
+
|
|
73
|
+
# this populates the hash of rules from firewall_rule resources
|
|
74
|
+
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
|
75
|
+
firewall_rules.each do |firewall_rule|
|
|
76
|
+
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
|
77
|
+
|
|
78
|
+
types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
|
|
79
|
+
%w(ip6tables)
|
|
80
|
+
elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
|
|
81
|
+
%w(iptables)
|
|
82
|
+
else # or not specific
|
|
83
|
+
%w(iptables ip6tables)
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
types.each do |iptables_type|
|
|
87
|
+
# build rules to apply with weight
|
|
88
|
+
k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
|
|
89
|
+
v = firewall_rule.position
|
|
90
|
+
|
|
91
|
+
# unless we're adding them for the first time.... bail out.
|
|
92
|
+
next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
|
|
93
|
+
new_resource.rules[iptables_type][k] = v
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
iptables_commands(new_resource).each do |iptables_type|
|
|
98
|
+
# this takes the commands in each hash entry and builds a rule file
|
|
99
|
+
iptables_file = lookup_or_create_rulesfile(iptables_type)
|
|
100
|
+
iptables_file.content build_rule_file(new_resource.rules[iptables_type])
|
|
101
|
+
iptables_file.run_action(:create)
|
|
102
|
+
|
|
103
|
+
# if the file was unchanged, skip loop iteration, otherwise restart iptables
|
|
104
|
+
next unless iptables_file.updated_by_last_action?
|
|
105
|
+
|
|
106
|
+
iptables_service = lookup_or_create_service(iptables_type)
|
|
107
|
+
new_resource.notifies(:restart, iptables_service, :delayed)
|
|
108
|
+
new_resource.updated_by_last_action(true)
|
|
109
|
+
end
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
def action_disable
|
|
113
|
+
return if disabled?(new_resource)
|
|
114
|
+
|
|
115
|
+
iptables_flush!(new_resource)
|
|
116
|
+
iptables_default_allow!(new_resource)
|
|
117
|
+
new_resource.updated_by_last_action(true)
|
|
118
|
+
|
|
119
|
+
iptables_commands(new_resource).each do |svc|
|
|
120
|
+
iptables_service = lookup_or_create_service(svc)
|
|
121
|
+
[:disable, :stop].each do |a|
|
|
122
|
+
iptables_service.run_action(a)
|
|
123
|
+
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
124
|
+
end
|
|
125
|
+
|
|
126
|
+
# must create empty file for service to start
|
|
127
|
+
iptables_file = lookup_or_create_rulesfile(svc)
|
|
128
|
+
iptables_file.content '# created by chef to allow service to start'
|
|
129
|
+
iptables_file.run_action(:create)
|
|
130
|
+
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
|
131
|
+
end
|
|
132
|
+
end
|
|
133
|
+
|
|
134
|
+
def action_flush
|
|
135
|
+
return if disabled?(new_resource)
|
|
136
|
+
|
|
137
|
+
iptables_flush!(new_resource)
|
|
138
|
+
new_resource.updated_by_last_action(true)
|
|
139
|
+
|
|
140
|
+
iptables_commands(new_resource).each do |svc|
|
|
141
|
+
# must create empty file for service to start
|
|
142
|
+
iptables_file = lookup_or_create_rulesfile(svc)
|
|
143
|
+
iptables_file.content '# created by chef to allow service to start'
|
|
144
|
+
iptables_file.run_action(:create)
|
|
145
|
+
new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
|
|
146
|
+
end
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
def lookup_or_create_service(name)
|
|
150
|
+
begin
|
|
151
|
+
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
|
152
|
+
rescue
|
|
153
|
+
iptables_service = service name do
|
|
154
|
+
action :nothing
|
|
155
|
+
end
|
|
156
|
+
end
|
|
157
|
+
iptables_service
|
|
158
|
+
end
|
|
159
|
+
|
|
160
|
+
def lookup_or_create_rulesfile(name)
|
|
161
|
+
begin
|
|
162
|
+
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
|
163
|
+
rescue
|
|
164
|
+
iptables_file = file "/etc/sysconfig/#{name}" do
|
|
165
|
+
action :nothing
|
|
166
|
+
end
|
|
167
|
+
end
|
|
168
|
+
iptables_file
|
|
169
|
+
end
|
|
170
|
+
end
|
|
171
|
+
end
|
|
@@ -0,0 +1,196 @@
|
|
|
1
|
+
#
|
|
2
|
+
# Author:: Seth Chisamore (<schisamo@opscode.com>)
|
|
3
|
+
# Cookbook:: firewall
|
|
4
|
+
# Resource:: default
|
|
5
|
+
#
|
|
6
|
+
# Copyright:: 2011-2016, Chef Software, Inc.
|
|
7
|
+
#
|
|
8
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
9
|
+
# you may not use this file except in compliance with the License.
|
|
10
|
+
# You may obtain a copy of the License at
|
|
11
|
+
#
|
|
12
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
|
13
|
+
#
|
|
14
|
+
# Unless required by applicable law or agreed to in writing, software
|
|
15
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
16
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
17
|
+
# See the License for the specific language governing permissions and
|
|
18
|
+
# limitations under the License.
|
|
19
|
+
#
|
|
20
|
+
class Chef
|
|
21
|
+
class Provider::FirewallIptablesUbuntu < Chef::Provider::LWRPBase
|
|
22
|
+
include FirewallCookbook::Helpers
|
|
23
|
+
include FirewallCookbook::Helpers::Iptables
|
|
24
|
+
|
|
25
|
+
provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
|
|
26
|
+
node['firewall'] && node['firewall']['ubuntu_iptables'] &&
|
|
27
|
+
node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def whyrun_supported?
|
|
31
|
+
false
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def action_install
|
|
35
|
+
return if disabled?(new_resource)
|
|
36
|
+
|
|
37
|
+
# Ensure the package is installed
|
|
38
|
+
pkg = package 'iptables-persistent' do
|
|
39
|
+
action :nothing
|
|
40
|
+
end
|
|
41
|
+
pkg.run_action(:install)
|
|
42
|
+
new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
|
|
43
|
+
|
|
44
|
+
rule_files = %w(rules.v4)
|
|
45
|
+
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
|
46
|
+
rule_files.each do |svc|
|
|
47
|
+
next if ::File.exist?("/etc/iptables/#{svc}")
|
|
48
|
+
|
|
49
|
+
# must create empty file for service to start
|
|
50
|
+
f = lookup_or_create_rulesfile(svc)
|
|
51
|
+
f.content '# created by chef to allow service to start'
|
|
52
|
+
f.run_action(:create)
|
|
53
|
+
|
|
54
|
+
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
iptables_service = lookup_or_create_service('netfilter-persistent')
|
|
58
|
+
[:enable, :start].each do |act|
|
|
59
|
+
# iptables-persistent isn't a real service
|
|
60
|
+
iptables_service.status_command 'true'
|
|
61
|
+
|
|
62
|
+
iptables_service.run_action(act)
|
|
63
|
+
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
def action_restart
|
|
68
|
+
return if disabled?(new_resource)
|
|
69
|
+
|
|
70
|
+
# prints all the firewall rules
|
|
71
|
+
log_iptables(new_resource)
|
|
72
|
+
|
|
73
|
+
# ensure it's initialized
|
|
74
|
+
new_resource.rules({}) unless new_resource.rules
|
|
75
|
+
ensure_default_rules_exist(node, new_resource)
|
|
76
|
+
|
|
77
|
+
# this populates the hash of rules from firewall_rule resources
|
|
78
|
+
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
|
79
|
+
firewall_rules.each do |firewall_rule|
|
|
80
|
+
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
|
81
|
+
|
|
82
|
+
types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
|
|
83
|
+
%w(ip6tables)
|
|
84
|
+
elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
|
|
85
|
+
%w(iptables)
|
|
86
|
+
else # or not specific
|
|
87
|
+
%w(iptables ip6tables)
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
types.each do |iptables_type|
|
|
91
|
+
# build rules to apply with weight
|
|
92
|
+
k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
|
|
93
|
+
v = firewall_rule.position
|
|
94
|
+
|
|
95
|
+
# unless we're adding them for the first time.... bail out.
|
|
96
|
+
next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
|
|
97
|
+
new_resource.rules[iptables_type][k] = v
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
rule_files = %w(iptables)
|
|
102
|
+
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
|
|
103
|
+
|
|
104
|
+
rule_files.each do |iptables_type|
|
|
105
|
+
iptables_filename = if iptables_type == 'ip6tables'
|
|
106
|
+
'/etc/iptables/rules.v6'
|
|
107
|
+
else
|
|
108
|
+
'/etc/iptables/rules.v4'
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
# ensure a file resource exists with the current iptables rules
|
|
112
|
+
begin
|
|
113
|
+
iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
|
|
114
|
+
rescue
|
|
115
|
+
iptables_file = file iptables_filename do
|
|
116
|
+
action :nothing
|
|
117
|
+
end
|
|
118
|
+
end
|
|
119
|
+
iptables_file.content build_rule_file(new_resource.rules[iptables_type])
|
|
120
|
+
iptables_file.run_action(:create)
|
|
121
|
+
|
|
122
|
+
# if the file was changed, restart iptables
|
|
123
|
+
next unless iptables_file.updated_by_last_action?
|
|
124
|
+
service_affected = service 'netfilter-persistent' do
|
|
125
|
+
action :nothing
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
new_resource.notifies(:restart, service_affected, :delayed)
|
|
129
|
+
new_resource.updated_by_last_action(true)
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
def action_disable
|
|
134
|
+
return if disabled?(new_resource)
|
|
135
|
+
|
|
136
|
+
iptables_flush!(new_resource)
|
|
137
|
+
iptables_default_allow!(new_resource)
|
|
138
|
+
new_resource.updated_by_last_action(true)
|
|
139
|
+
|
|
140
|
+
iptables_service = lookup_or_create_service('netfilter-persistent')
|
|
141
|
+
[:disable, :stop].each do |act|
|
|
142
|
+
iptables_service.run_action(act)
|
|
143
|
+
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
144
|
+
end
|
|
145
|
+
|
|
146
|
+
%w(rules.v4 rules.v6).each do |svc|
|
|
147
|
+
# must create empty file for service to start
|
|
148
|
+
f = lookup_or_create_rulesfile(svc)
|
|
149
|
+
f.content '# created by chef to allow service to start'
|
|
150
|
+
f.run_action(:create)
|
|
151
|
+
|
|
152
|
+
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
153
|
+
end
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
def action_flush
|
|
157
|
+
return if disabled?(new_resource)
|
|
158
|
+
|
|
159
|
+
iptables_flush!(new_resource)
|
|
160
|
+
new_resource.updated_by_last_action(true)
|
|
161
|
+
|
|
162
|
+
rule_files = %w(rules.v4)
|
|
163
|
+
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
|
164
|
+
rule_files.each do |svc|
|
|
165
|
+
# must create empty file for service to start
|
|
166
|
+
f = lookup_or_create_rulesfile(svc)
|
|
167
|
+
f.content '# created by chef to allow service to start'
|
|
168
|
+
f.run_action(:create)
|
|
169
|
+
|
|
170
|
+
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
171
|
+
end
|
|
172
|
+
end
|
|
173
|
+
|
|
174
|
+
def lookup_or_create_service(name)
|
|
175
|
+
begin
|
|
176
|
+
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
|
177
|
+
rescue
|
|
178
|
+
iptables_service = service name do
|
|
179
|
+
action :nothing
|
|
180
|
+
end
|
|
181
|
+
end
|
|
182
|
+
iptables_service
|
|
183
|
+
end
|
|
184
|
+
|
|
185
|
+
def lookup_or_create_rulesfile(name)
|
|
186
|
+
begin
|
|
187
|
+
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
|
188
|
+
rescue
|
|
189
|
+
iptables_file = file "/etc/iptables/#{name}" do
|
|
190
|
+
action :nothing
|
|
191
|
+
end
|
|
192
|
+
end
|
|
193
|
+
iptables_file
|
|
194
|
+
end
|
|
195
|
+
end
|
|
196
|
+
end
|
|
@@ -0,0 +1,196 @@
|
|
|
1
|
+
#
|
|
2
|
+
# Author:: Seth Chisamore (<schisamo@opscode.com>)
|
|
3
|
+
# Cookbook Name:: firewall
|
|
4
|
+
# Resource:: default
|
|
5
|
+
#
|
|
6
|
+
# Copyright:: 2011, Opscode, Inc.
|
|
7
|
+
#
|
|
8
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
9
|
+
# you may not use this file except in compliance with the License.
|
|
10
|
+
# You may obtain a copy of the License at
|
|
11
|
+
#
|
|
12
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
|
13
|
+
#
|
|
14
|
+
# Unless required by applicable law or agreed to in writing, software
|
|
15
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
16
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
17
|
+
# See the License for the specific language governing permissions and
|
|
18
|
+
# limitations under the License.
|
|
19
|
+
#
|
|
20
|
+
class Chef
|
|
21
|
+
class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase
|
|
22
|
+
include FirewallCookbook::Helpers
|
|
23
|
+
include FirewallCookbook::Helpers::Iptables
|
|
24
|
+
|
|
25
|
+
provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
|
|
26
|
+
node['firewall'] && node['firewall']['ubuntu_iptables'] &&
|
|
27
|
+
node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def whyrun_supported?
|
|
31
|
+
false
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def action_install
|
|
35
|
+
return if disabled?(new_resource)
|
|
36
|
+
|
|
37
|
+
# Ensure the package is installed
|
|
38
|
+
pkg = package 'iptables-persistent' do
|
|
39
|
+
action :nothing
|
|
40
|
+
end
|
|
41
|
+
pkg.run_action(:install)
|
|
42
|
+
new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
|
|
43
|
+
|
|
44
|
+
rule_files = %w(rules.v4)
|
|
45
|
+
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
|
46
|
+
rule_files.each do |svc|
|
|
47
|
+
next if ::File.exist?("/etc/iptables/#{svc}")
|
|
48
|
+
|
|
49
|
+
# must create empty file for service to start
|
|
50
|
+
f = lookup_or_create_rulesfile(svc)
|
|
51
|
+
f.content '# created by chef to allow service to start'
|
|
52
|
+
f.run_action(:create)
|
|
53
|
+
|
|
54
|
+
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
iptables_service = lookup_or_create_service('iptables-persistent')
|
|
58
|
+
[:enable, :start].each do |act|
|
|
59
|
+
# iptables-persistent isn't a real service
|
|
60
|
+
iptables_service.status_command 'true'
|
|
61
|
+
|
|
62
|
+
iptables_service.run_action(act)
|
|
63
|
+
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
def action_restart
|
|
68
|
+
return if disabled?(new_resource)
|
|
69
|
+
|
|
70
|
+
# prints all the firewall rules
|
|
71
|
+
log_iptables(new_resource)
|
|
72
|
+
|
|
73
|
+
# ensure it's initialized
|
|
74
|
+
new_resource.rules({}) unless new_resource.rules
|
|
75
|
+
ensure_default_rules_exist(node, new_resource)
|
|
76
|
+
|
|
77
|
+
# this populates the hash of rules from firewall_rule resources
|
|
78
|
+
firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
|
|
79
|
+
firewall_rules.each do |firewall_rule|
|
|
80
|
+
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
|
|
81
|
+
|
|
82
|
+
types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
|
|
83
|
+
%w(ip6tables)
|
|
84
|
+
elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
|
|
85
|
+
%w(iptables)
|
|
86
|
+
else # or not specific
|
|
87
|
+
%w(iptables ip6tables)
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
types.each do |iptables_type|
|
|
91
|
+
# build rules to apply with weight
|
|
92
|
+
k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
|
|
93
|
+
v = firewall_rule.position
|
|
94
|
+
|
|
95
|
+
# unless we're adding them for the first time.... bail out.
|
|
96
|
+
next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
|
|
97
|
+
new_resource.rules[iptables_type][k] = v
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
rule_files = %w(iptables)
|
|
102
|
+
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
|
|
103
|
+
|
|
104
|
+
rule_files.each do |iptables_type|
|
|
105
|
+
iptables_filename = if iptables_type == 'ip6tables'
|
|
106
|
+
'/etc/iptables/rules.v6'
|
|
107
|
+
else
|
|
108
|
+
'/etc/iptables/rules.v4'
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
# ensure a file resource exists with the current iptables rules
|
|
112
|
+
begin
|
|
113
|
+
iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
|
|
114
|
+
rescue
|
|
115
|
+
iptables_file = file iptables_filename do
|
|
116
|
+
action :nothing
|
|
117
|
+
end
|
|
118
|
+
end
|
|
119
|
+
iptables_file.content build_rule_file(new_resource.rules[iptables_type])
|
|
120
|
+
iptables_file.run_action(:create)
|
|
121
|
+
|
|
122
|
+
# if the file was changed, restart iptables
|
|
123
|
+
next unless iptables_file.updated_by_last_action?
|
|
124
|
+
service_affected = service 'iptables-persistent' do
|
|
125
|
+
action :nothing
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
new_resource.notifies(:restart, service_affected, :delayed)
|
|
129
|
+
new_resource.updated_by_last_action(true)
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
def action_disable
|
|
134
|
+
return if disabled?(new_resource)
|
|
135
|
+
|
|
136
|
+
iptables_flush!(new_resource)
|
|
137
|
+
iptables_default_allow!(new_resource)
|
|
138
|
+
new_resource.updated_by_last_action(true)
|
|
139
|
+
|
|
140
|
+
iptables_service = lookup_or_create_service('iptables-persistent')
|
|
141
|
+
[:disable, :stop].each do |act|
|
|
142
|
+
iptables_service.run_action(act)
|
|
143
|
+
new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
|
|
144
|
+
end
|
|
145
|
+
|
|
146
|
+
%w(rules.v4 rules.v6).each do |svc|
|
|
147
|
+
# must create empty file for service to start
|
|
148
|
+
f = lookup_or_create_rulesfile(svc)
|
|
149
|
+
f.content '# created by chef to allow service to start'
|
|
150
|
+
f.run_action(:create)
|
|
151
|
+
|
|
152
|
+
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
153
|
+
end
|
|
154
|
+
end
|
|
155
|
+
|
|
156
|
+
def action_flush
|
|
157
|
+
return if disabled?(new_resource)
|
|
158
|
+
|
|
159
|
+
iptables_flush!(new_resource)
|
|
160
|
+
new_resource.updated_by_last_action(true)
|
|
161
|
+
|
|
162
|
+
rule_files = %w(rules.v4)
|
|
163
|
+
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
|
|
164
|
+
rule_files.each do |svc|
|
|
165
|
+
# must create empty file for service to start
|
|
166
|
+
f = lookup_or_create_rulesfile(svc)
|
|
167
|
+
f.content '# created by chef to allow service to start'
|
|
168
|
+
f.run_action(:create)
|
|
169
|
+
|
|
170
|
+
new_resource.updated_by_last_action(true) if f.updated_by_last_action?
|
|
171
|
+
end
|
|
172
|
+
end
|
|
173
|
+
|
|
174
|
+
def lookup_or_create_service(name)
|
|
175
|
+
begin
|
|
176
|
+
iptables_service = Chef.run_context.resource_collection.find(service: svc)
|
|
177
|
+
rescue
|
|
178
|
+
iptables_service = service name do
|
|
179
|
+
action :nothing
|
|
180
|
+
end
|
|
181
|
+
end
|
|
182
|
+
iptables_service
|
|
183
|
+
end
|
|
184
|
+
|
|
185
|
+
def lookup_or_create_rulesfile(name)
|
|
186
|
+
begin
|
|
187
|
+
iptables_file = Chef.run_context.resource_collection.find(file: name)
|
|
188
|
+
rescue
|
|
189
|
+
iptables_file = file "/etc/iptables/#{name}" do
|
|
190
|
+
action :nothing
|
|
191
|
+
end
|
|
192
|
+
end
|
|
193
|
+
iptables_file
|
|
194
|
+
end
|
|
195
|
+
end
|
|
196
|
+
end
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
#
|
|
2
|
+
# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
|
|
3
|
+
# Cookbook:: firewall
|
|
4
|
+
# Provider:: rule_iptables
|
|
5
|
+
#
|
|
6
|
+
# Copyright:: 2015-2016, computerlyrik
|
|
7
|
+
#
|
|
8
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
9
|
+
# you may not use this file except in compliance with the License.
|
|
10
|
+
# You may obtain a copy of the License at
|
|
11
|
+
#
|
|
12
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
|
13
|
+
#
|
|
14
|
+
# Unless required by applicable law or agreed to in writing, software
|
|
15
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
16
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
17
|
+
# See the License for the specific language governing permissions and
|
|
18
|
+
# limitations under the License.
|
|
19
|
+
#
|
|
20
|
+
class Chef
|
|
21
|
+
class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
|
|
22
|
+
provides :firewall_rule
|
|
23
|
+
|
|
24
|
+
def action_create
|
|
25
|
+
return unless new_resource.notify_firewall
|
|
26
|
+
|
|
27
|
+
firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
|
|
28
|
+
raise 'could not find a firewall resource' unless firewall_resource
|
|
29
|
+
|
|
30
|
+
new_resource.notifies(:restart, firewall_resource, :delayed)
|
|
31
|
+
new_resource.updated_by_last_action(true)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|