cloud-mu 2.0.1 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (56)
  1. checksums.yaml +4 -4
  2. data/Berksfile +2 -1
  3. data/bin/mu-upload-chef-artifacts +3 -0
  4. data/cloud-mu.gemspec +2 -2
  5. data/cookbooks/firewall/CHANGELOG.md +295 -0
  6. data/cookbooks/firewall/CONTRIBUTING.md +2 -0
  7. data/cookbooks/firewall/MAINTAINERS.md +19 -0
  8. data/cookbooks/firewall/README.md +339 -0
  9. data/cookbooks/firewall/attributes/default.rb +5 -0
  10. data/cookbooks/firewall/attributes/firewalld.rb +1 -0
  11. data/cookbooks/firewall/attributes/iptables.rb +17 -0
  12. data/cookbooks/firewall/attributes/ufw.rb +12 -0
  13. data/cookbooks/firewall/attributes/windows.rb +8 -0
  14. data/cookbooks/firewall/libraries/helpers.rb +100 -0
  15. data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
  16. data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
  17. data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
  18. data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
  19. data/cookbooks/firewall/libraries/matchers.rb +30 -0
  20. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
  21. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
  22. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
  23. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
  24. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
  25. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
  26. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
  27. data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
  28. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
  29. data/cookbooks/firewall/metadata.json +1 -0
  30. data/cookbooks/firewall/recipes/default.rb +80 -0
  31. data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
  32. data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
  33. data/cookbooks/mu-firewall/metadata.rb +1 -1
  34. data/cookbooks/mu-master/recipes/default.rb +3 -1
  35. data/cookbooks/mu-master/recipes/init.rb +3 -1
  36. data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
  37. data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
  38. data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
  39. data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
  40. data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
  41. data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
  42. data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
  43. data/cookbooks/mu-tools/recipes/eks.rb +1 -1
  44. data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
  45. data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
  46. data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
  47. data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
  48. data/environments/dev.json +1 -1
  49. data/environments/prod.json +1 -1
  50. data/modules/mu/cleanup.rb +4 -0
  51. data/modules/mu/clouds/aws/container_cluster.rb +3 -0
  52. data/modules/mu/clouds/aws/role.rb +14 -2
  53. data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
  54. data/modules/mu/clouds/aws.rb +30 -14
  55. data/modules/mu.rb +4 -0
  56. metadata +30 -2
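--- /dev/null
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables.rb
@@ -0,0 +1,171 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptables < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
+node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+iptables_packages(new_resource).each do |p|
+iptables_pkg = package p do
+action :nothing
+end
+iptables_pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action?
+end
+
+iptables_commands(new_resource).each do |svc|
+# must create empty file for service to start
+unless ::File.exist?("/etc/sysconfig/#{svc}")
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service(svc)
+[:enable, :start].each do |a|
+iptables_service.run_action(a)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+iptables_commands(new_resource).each do |iptables_type|
+# this takes the commands in each hash entry and builds a rule file
+iptables_file = lookup_or_create_rulesfile(iptables_type)
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was unchanged, skip loop iteration, otherwise restart iptables
+next unless iptables_file.updated_by_last_action?
+
+iptables_service = lookup_or_create_service(iptables_type)
+new_resource.notifies(:restart, iptables_service, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_commands(new_resource).each do |svc|
+iptables_service = lookup_or_create_service(svc)
+[:disable, :stop].each do |a|
+iptables_service.run_action(a)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_commands(new_resource).each do |svc|
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/sysconfig/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end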
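Review bot: `lookup_or_create_service` references `svc`, which is not defined in that method (its parameter is `name`), so the `find` raises NameError, the bare `rescue` swallows it, and a fresh `service name` resource is declared on every call instead of the existing one being reused; the lookup should read `iptables_service = Chef.run_context.resource_collection.find(service: name)` and rescue `Chef::Exceptions::ResourceNotFound` rather than every StandardError. The identical `svc` typo is in `lookup_or_create_service` of provider_firewall_iptables_ubuntu.rb and provider_firewall_iptables_ubuntu1404.rb in this same commit. `lookup_or_create_rulesfile` has a related mismatch: it searches for `file: name` but declares the resource as `file "/etc/sysconfig/#{name}"`, so the lookup can never find what it created and `action_install`/`action_disable` keep adding duplicate file resources; searching for the full path fixes that, and the same pattern is in the two Ubuntu providers with `/etc/iptables/`. The branch comments in `action_restart` are swapped — `ipv6_rule?` is annotated `# an ip4 specific rule` and `ipv4_rule?` `# an ip6 specific rule` — in all three providers. Since the rule file under /etc/sysconfig is the host's firewall policy, it would also be worth setting `owner 'root'`, `group 'root'` and `mode '0600'` on the `file` resource rather than relying on defaults.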
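--- /dev/null
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptablesUbuntu < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7)
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+pkg = package 'iptables-persistent' do
+action :nothing
+end
+pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+next if ::File.exist?("/etc/iptables/#{svc}")
+
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service('netfilter-persistent')
+[:enable, :start].each do |act|
+# iptables-persistent isn't a real service
+iptables_service.status_command 'true'
+
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+rule_files = %w(iptables)
+rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+
+rule_files.each do |iptables_type|
+iptables_filename = if iptables_type == 'ip6tables'
+'/etc/iptables/rules.v6'
+else
+'/etc/iptables/rules.v4'
+end
+
+# ensure a file resource exists with the current iptables rules
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+rescue
+iptables_file = file iptables_filename do
+action :nothing
+end
+end
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was changed, restart iptables
+next unless iptables_file.updated_by_last_action?
+service_affected = service 'netfilter-persistent' do
+action :nothing
+end
+
+new_resource.notifies(:restart, service_affected, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_service = lookup_or_create_service('netfilter-persistent')
+[:disable, :stop].each do |act|
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+%w(rules.v4 rules.v6).each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/iptables/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end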
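Review bot: `action_disable` rewrites both `rules.v4` and `rules.v6` unconditionally, while `action_install` and `action_flush` only touch `rules.v6` when `ipv6_enabled?(new_resource)` is true, so disabling the firewall on an IPv4-only host leaves an `/etc/iptables/rules.v6` that no other action manages; gating it the same way, `rule_files = %w(rules.v4)` / `rule_files << 'rules.v6' if ipv6_enabled?(new_resource)`, keeps the three actions consistent. In `action_restart` the service is declared inline with `service 'netfilter-persistent' do ... end` instead of going through `lookup_or_create_service`, so a second service resource with the same name is likely added to the collection whenever a rule file changes; `service_affected = lookup_or_create_service('netfilter-persistent')` would reuse the one from `action_install`. `iptables_service.status_command 'true'` is re-applied on every pass of the `[:enable, :start]` loop and reads better hoisted above it. All three points apply equally to provider_firewall_iptables_ubuntu1404.rb, where the service is `iptables-persistent`.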
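--- /dev/null
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook Name:: firewall
+# Resource:: default
+#
+# Copyright:: 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7)
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+pkg = package 'iptables-persistent' do
+action :nothing
+end
+pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+next if ::File.exist?("/etc/iptables/#{svc}")
+
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service('iptables-persistent')
+[:enable, :start].each do |act|
+# iptables-persistent isn't a real service
+iptables_service.status_command 'true'
+
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+rule_files = %w(iptables)
+rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+
+rule_files.each do |iptables_type|
+iptables_filename = if iptables_type == 'ip6tables'
+'/etc/iptables/rules.v6'
+else
+'/etc/iptables/rules.v4'
+end
+
+# ensure a file resource exists with the current iptables rules
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+rescue
+iptables_file = file iptables_filename do
+action :nothing
+end
+end
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was changed, restart iptables
+next unless iptables_file.updated_by_last_action?
+service_affected = service 'iptables-persistent' do
+action :nothing
+end
+
+new_resource.notifies(:restart, service_affected, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_service = lookup_or_create_service('iptables-persistent')
+[:disable, :stop].each do |act|
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+%w(rules.v4 rules.v6).each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/iptables/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end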
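--- /dev/null
+++ b/data/cookbooks/firewall/libraries/provider_firewall_rule.rb
@@ -0,0 +1,34 @@
+#
+# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
+# Cookbook:: firewall
+# Provider:: rule_iptables
+#
+# Copyright:: 2015-2016, computerlyrik
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
+provides :firewall_rule
+
+def action_create
+return unless new_resource.notify_firewall
+
+firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
+raise 'could not find a firewall resource' unless firewall_resource
+
+new_resource.notifies(:restart, firewall_resource, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+end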
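Review bot: The `raise 'could not find a firewall resource' unless firewall_resource` guard in `action_create` looks unreachable, because `resource_collection.find` raises `Chef::Exceptions::ResourceNotFound` instead of returning nil when nothing matches — the iptables providers added in this same commit rely on exactly that by wrapping their `find` calls in `begin`/`rescue`. Wrapping the lookup instead, `rescue Chef::Exceptions::ResourceNotFound` followed by `raise "could not find a firewall resource named #{new_resource.firewall_name}"`, keeps the intended error and also tells the operator which firewall name was missing. The class carries no documentation; a one-line comment above `action_create` such as `# Notify the named firewall resource to restart so the rule set is regenerated; no-op when notify_firewall is false.` would be enough.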