cloud-mu 2.0.1 → 2.0.2

Files changed (56) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +2 -1
  3. data/bin/mu-upload-chef-artifacts +3 -0
  4. data/cloud-mu.gemspec +2 -2
  5. data/cookbooks/firewall/CHANGELOG.md +295 -0
  6. data/cookbooks/firewall/CONTRIBUTING.md +2 -0
  7. data/cookbooks/firewall/MAINTAINERS.md +19 -0
  8. data/cookbooks/firewall/README.md +339 -0
  9. data/cookbooks/firewall/attributes/default.rb +5 -0
  10. data/cookbooks/firewall/attributes/firewalld.rb +1 -0
  11. data/cookbooks/firewall/attributes/iptables.rb +17 -0
  12. data/cookbooks/firewall/attributes/ufw.rb +12 -0
  13. data/cookbooks/firewall/attributes/windows.rb +8 -0
  14. data/cookbooks/firewall/libraries/helpers.rb +100 -0
  15. data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
  16. data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
  17. data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
  18. data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
  19. data/cookbooks/firewall/libraries/matchers.rb +30 -0
  20. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
  21. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
  22. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
  23. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
  24. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
  25. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
  26. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
  27. data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
  28. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
  29. data/cookbooks/firewall/metadata.json +1 -0
  30. data/cookbooks/firewall/recipes/default.rb +80 -0
  31. data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
  32. data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
  33. data/cookbooks/mu-firewall/metadata.rb +1 -1
  34. data/cookbooks/mu-master/recipes/default.rb +3 -1
  35. data/cookbooks/mu-master/recipes/init.rb +3 -1
  36. data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
  37. data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
  38. data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
  39. data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
  40. data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
  41. data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
  42. data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
  43. data/cookbooks/mu-tools/recipes/eks.rb +1 -1
  44. data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
  45. data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
  46. data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
  47. data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
  48. data/environments/dev.json +1 -1
  49. data/environments/prod.json +1 -1
  50. data/modules/mu/cleanup.rb +4 -0
  51. data/modules/mu/clouds/aws/container_cluster.rb +3 -0
  52. data/modules/mu/clouds/aws/role.rb +14 -2
  53. data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
  54. data/modules/mu/clouds/aws.rb +30 -14
  55. data/modules/mu.rb +4 -0
  56. metadata +30 -2
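--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables.rb
@@ -0,0 +1,171 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptables < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
+node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+iptables_packages(new_resource).each do |p|
+iptables_pkg = package p do
+action :nothing
+end
+iptables_pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action?
+end
+
+iptables_commands(new_resource).each do |svc|
+# must create empty file for service to start
+unless ::File.exist?("/etc/sysconfig/#{svc}")
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service(svc)
+[:enable, :start].each do |a|
+iptables_service.run_action(a)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+iptables_commands(new_resource).each do |iptables_type|
+# this takes the commands in each hash entry and builds a rule file
+iptables_file = lookup_or_create_rulesfile(iptables_type)
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was unchanged, skip loop iteration, otherwise restart iptables
+next unless iptables_file.updated_by_last_action?
+
+iptables_service = lookup_or_create_service(iptables_type)
+new_resource.notifies(:restart, iptables_service, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_commands(new_resource).each do |svc|
+iptables_service = lookup_or_create_service(svc)
+[:disable, :stop].each do |a|
+iptables_service.run_action(a)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_commands(new_resource).each do |svc|
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/sysconfig/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end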
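Review bot: `lookup_or_create_service` calls `resource_collection.find(service: svc)` but its parameter is `name`; `svc` is undefined inside that method, the resulting NameError is swallowed by the bare `rescue`, and a fresh `service name` resource is declared on every call, so the lookup never succeeds (the same helper, with the same typo, is added in the two Ubuntu providers later in this diff). `lookup_or_create_rulesfile` has the matching mismatch: it searches for `file: name` but declares the resource as `file "/etc/sysconfig/#{name}"`, so the key it looks up is never the name it declares under. I would change the two lookups to `find(service: name)` and `find(file: "/etc/sysconfig/#{name}")` and narrow both handlers to `rescue Chef::Exceptions::ResourceNotFound`, so a genuine error while building the resource is no longer hidden. Because `action_restart` wires its delayed `:restart` notification to whatever the helper returns, the always-fresh declaration likely means the notification targets a different resource object than the one `action_install` enabled, which is worth confirming against the Chef version cloud-mu pins.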
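--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptablesUbuntu < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7)
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+pkg = package 'iptables-persistent' do
+action :nothing
+end
+pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+next if ::File.exist?("/etc/iptables/#{svc}")
+
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service('netfilter-persistent')
+[:enable, :start].each do |act|
+# iptables-persistent isn't a real service
+iptables_service.status_command 'true'
+
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+rule_files = %w(iptables)
+rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+
+rule_files.each do |iptables_type|
+iptables_filename = if iptables_type == 'ip6tables'
+'/etc/iptables/rules.v6'
+else
+'/etc/iptables/rules.v4'
+end
+
+# ensure a file resource exists with the current iptables rules
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+rescue
+iptables_file = file iptables_filename do
+action :nothing
+end
+end
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was changed, restart iptables
+next unless iptables_file.updated_by_last_action?
+service_affected = service 'netfilter-persistent' do
+action :nothing
+end
+
+new_resource.notifies(:restart, service_affected, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_service = lookup_or_create_service('netfilter-persistent')
+[:disable, :stop].each do |act|
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+%w(rules.v4 rules.v6).each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/iptables/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end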
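Review bot: `action_disable` rewrites both `rules.v4` and `rules.v6` unconditionally via `%w(rules.v4 rules.v6).each`, while `action_install` and `action_flush` only touch `rules.v6` when `ipv6_enabled?(new_resource)`; on a node with IPv6 disabled a disable therefore creates a v6 rules file that no other action manages, and the same asymmetry is in the Ubuntu 14.04 provider that follows. `action_restart` also bypasses `lookup_or_create_service` and declares `service 'netfilter-persistent'` inline after the `updated_by_last_action?` check, so the resource it notifies is a second declaration of the one enabled in `action_install` rather than the same object. As a documentation fix, the two comments on the `types` branches are swapped: the `ipv6_rule?` branch is labelled `# an ip4 specific rule` and the `ipv4_rule?` branch `# an ip6 specific rule`; they should read `# an ip6 specific rule` and `# an ip4 specific rule` respectively, and the same swap appears in the other two iptables providers in this diff.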
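--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook Name:: firewall
+# Resource:: default
+#
+# Copyright:: 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7)
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+pkg = package 'iptables-persistent' do
+action :nothing
+end
+pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+next if ::File.exist?("/etc/iptables/#{svc}")
+
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service('iptables-persistent')
+[:enable, :start].each do |act|
+# iptables-persistent isn't a real service
+iptables_service.status_command 'true'
+
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+rule_files = %w(iptables)
+rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+
+rule_files.each do |iptables_type|
+iptables_filename = if iptables_type == 'ip6tables'
+'/etc/iptables/rules.v6'
+else
+'/etc/iptables/rules.v4'
+end
+
+# ensure a file resource exists with the current iptables rules
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+rescue
+iptables_file = file iptables_filename do
+action :nothing
+end
+end
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was changed, restart iptables
+next unless iptables_file.updated_by_last_action?
+service_affected = service 'iptables-persistent' do
+action :nothing
+end
+
+new_resource.notifies(:restart, service_affected, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_service = lookup_or_create_service('iptables-persistent')
+[:disable, :stop].each do |act|
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+%w(rules.v4 rules.v6).each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/iptables/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end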
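--- a/data/cookbooks/firewall/libraries/provider_firewall_rule.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_rule.rb
@@ -0,0 +1,34 @@
+#
+# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
+# Cookbook:: firewall
+# Provider:: rule_iptables
+#
+# Copyright:: 2015-2016, computerlyrik
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
+provides :firewall_rule
+
+def action_create
+return unless new_resource.notify_firewall
+
+firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
+raise 'could not find a firewall resource' unless firewall_resource
+
+new_resource.notifies(:restart, firewall_resource, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+end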
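Review bot: The `raise 'could not find a firewall resource' unless firewall_resource` guard on the line after the lookup in `action_create` is most likely unreachable, because `Chef.run_context.resource_collection.find` raises `Chef::Exceptions::ResourceNotFound` when nothing matches rather than returning nil, so a missing `firewall` resource surfaces as that generic exception instead of the descriptive message the author intended. Wrapping the lookup in `begin`/`rescue Chef::Exceptions::ResourceNotFound` and re-raising with the message, including the `firewall_name` that was searched for, keeps the intended diagnostic and makes a misconfigured rule that would otherwise leave the firewall unrestarted fail loudly at the point of the mistake.

```ruby
def action_create
  return unless new_resource.notify_firewall

  firewall_resource = begin
    Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
  rescue Chef::Exceptions::ResourceNotFound
    raise "could not find a firewall resource named #{new_resource.firewall_name}"
  end

  # … unchanged: notifies(:restart, …) and updated_by_last_action(true) …
```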