cloud-mu 2.0.1 → 2.0.2
- checksums.yaml +4 -4
- data/Berksfile +2 -1
- data/bin/mu-upload-chef-artifacts +3 -0
- data/cloud-mu.gemspec +2 -2
- data/cookbooks/firewall/CHANGELOG.md +295 -0
- data/cookbooks/firewall/CONTRIBUTING.md +2 -0
- data/cookbooks/firewall/MAINTAINERS.md +19 -0
- data/cookbooks/firewall/README.md +339 -0
- data/cookbooks/firewall/attributes/default.rb +5 -0
- data/cookbooks/firewall/attributes/firewalld.rb +1 -0
- data/cookbooks/firewall/attributes/iptables.rb +17 -0
- data/cookbooks/firewall/attributes/ufw.rb +12 -0
- data/cookbooks/firewall/attributes/windows.rb +8 -0
- data/cookbooks/firewall/libraries/helpers.rb +100 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
- data/cookbooks/firewall/libraries/matchers.rb +30 -0
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
- data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
- data/cookbooks/firewall/metadata.json +1 -0
- data/cookbooks/firewall/recipes/default.rb +80 -0
- data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
- data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
- data/cookbooks/mu-firewall/metadata.rb +1 -1
- data/cookbooks/mu-master/recipes/default.rb +3 -1
- data/cookbooks/mu-master/recipes/init.rb +3 -1
- data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
- data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
- data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
- data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
- data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
- data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
- data/cookbooks/mu-tools/recipes/eks.rb +1 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
- data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
- data/environments/dev.json +1 -1
- data/environments/prod.json +1 -1
- data/modules/mu/cleanup.rb +4 -0
- data/modules/mu/clouds/aws/container_cluster.rb +3 -0
- data/modules/mu/clouds/aws/role.rb +14 -2
- data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
- data/modules/mu/clouds/aws.rb +30 -14
- data/modules/mu.rb +4 -0
- metadata +30 -2
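--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables.rb
@@ -0,0 +1,171 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptables < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
+node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+iptables_packages(new_resource).each do |p|
+iptables_pkg = package p do
+action :nothing
+end
+iptables_pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if iptables_pkg.updated_by_last_action?
+end
+
+iptables_commands(new_resource).each do |svc|
+# must create empty file for service to start
+unless ::File.exist?("/etc/sysconfig/#{svc}")
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service(svc)
+[:enable, :start].each do |a|
+iptables_service.run_action(a)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+iptables_commands(new_resource).each do |iptables_type|
+# this takes the commands in each hash entry and builds a rule file
+iptables_file = lookup_or_create_rulesfile(iptables_type)
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was unchanged, skip loop iteration, otherwise restart iptables
+next unless iptables_file.updated_by_last_action?
+
+iptables_service = lookup_or_create_service(iptables_type)
+new_resource.notifies(:restart, iptables_service, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_commands(new_resource).each do |svc|
+iptables_service = lookup_or_create_service(svc)
+[:disable, :stop].each do |a|
+iptables_service.run_action(a)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_commands(new_resource).each do |svc|
+# must create empty file for service to start
+iptables_file = lookup_or_create_rulesfile(svc)
+iptables_file.content '# created by chef to allow service to start'
+iptables_file.run_action(:create)
+new_resource.updated_by_last_action(true) if iptables_file.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/sysconfig/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end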
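Review bot: `lookup_or_create_service` (new lines 149-158) references `svc`, which is not defined in that method, and the resulting NameError is swallowed by the bare `rescue`, so the lookup never succeeds and a fresh `service` resource is declared on every call from action_install, action_restart and action_disable. The intended line is `iptables_service = Chef.run_context.resource_collection.find(service: name)`. `lookup_or_create_rulesfile` has the same shape of problem: it looks up `file: name` but the resource it declares is named `"/etc/sysconfig/#{name}"`, so the key can never match; use `Chef.run_context.resource_collection.find(file: "/etc/sysconfig/#{name}")` (and consider rescuing only the not-found error rather than everything). The same two helpers are repeated in provider_firewall_iptables_ubuntu.rb and provider_firewall_iptables_ubuntu1404.rb with the `/etc/iptables/` prefix, so they need the same correction. This appears to be a vendored copy of the community firewall cookbook; if so, the fix belongs upstream or in a pinned newer release rather than as a local patch.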
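--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook:: firewall
+# Resource:: default
+#
+# Copyright:: 2011-2016, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptablesUbuntu < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7)
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+pkg = package 'iptables-persistent' do
+action :nothing
+end
+pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+next if ::File.exist?("/etc/iptables/#{svc}")
+
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service('netfilter-persistent')
+[:enable, :start].each do |act|
+# iptables-persistent isn't a real service
+iptables_service.status_command 'true'
+
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+rule_files = %w(iptables)
+rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+
+rule_files.each do |iptables_type|
+iptables_filename = if iptables_type == 'ip6tables'
+'/etc/iptables/rules.v6'
+else
+'/etc/iptables/rules.v4'
+end
+
+# ensure a file resource exists with the current iptables rules
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+rescue
+iptables_file = file iptables_filename do
+action :nothing
+end
+end
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was changed, restart iptables
+next unless iptables_file.updated_by_last_action?
+service_affected = service 'netfilter-persistent' do
+action :nothing
+end
+
+new_resource.notifies(:restart, service_affected, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_service = lookup_or_create_service('netfilter-persistent')
+[:disable, :stop].each do |act|
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+%w(rules.v4 rules.v6).each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/iptables/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end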
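--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
@@ -0,0 +1,196 @@
+#
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Cookbook Name:: firewall
+# Resource:: default
+#
+# Copyright:: 2011, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Iptables
+
+provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
+node['firewall'] && node['firewall']['ubuntu_iptables'] &&
+node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7)
+end
+
+def whyrun_supported?
+false
+end
+
+def action_install
+return if disabled?(new_resource)
+
+# Ensure the package is installed
+pkg = package 'iptables-persistent' do
+action :nothing
+end
+pkg.run_action(:install)
+new_resource.updated_by_last_action(true) if pkg.updated_by_last_action?
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+next if ::File.exist?("/etc/iptables/#{svc}")
+
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+
+iptables_service = lookup_or_create_service('iptables-persistent')
+[:enable, :start].each do |act|
+# iptables-persistent isn't a real service
+iptables_service.status_command 'true'
+
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+end
+
+def action_restart
+return if disabled?(new_resource)
+
+# prints all the firewall rules
+log_iptables(new_resource)
+
+# ensure it's initialized
+new_resource.rules({}) unless new_resource.rules
+ensure_default_rules_exist(node, new_resource)
+
+# this populates the hash of rules from firewall_rule resources
+firewall_rules = Chef.run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
+firewall_rules.each do |firewall_rule|
+next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
+
+types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
+%w(ip6tables)
+elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
+%w(iptables)
+else # or not specific
+%w(iptables ip6tables)
+end
+
+types.each do |iptables_type|
+# build rules to apply with weight
+k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
+v = firewall_rule.position
+
+# unless we're adding them for the first time.... bail out.
+next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
+new_resource.rules[iptables_type][k] = v
+end
+end
+
+rule_files = %w(iptables)
+rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
+
+rule_files.each do |iptables_type|
+iptables_filename = if iptables_type == 'ip6tables'
+'/etc/iptables/rules.v6'
+else
+'/etc/iptables/rules.v4'
+end
+
+# ensure a file resource exists with the current iptables rules
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: iptables_filename)
+rescue
+iptables_file = file iptables_filename do
+action :nothing
+end
+end
+iptables_file.content build_rule_file(new_resource.rules[iptables_type])
+iptables_file.run_action(:create)
+
+# if the file was changed, restart iptables
+next unless iptables_file.updated_by_last_action?
+service_affected = service 'iptables-persistent' do
+action :nothing
+end
+
+new_resource.notifies(:restart, service_affected, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+
+def action_disable
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+iptables_default_allow!(new_resource)
+new_resource.updated_by_last_action(true)
+
+iptables_service = lookup_or_create_service('iptables-persistent')
+[:disable, :stop].each do |act|
+iptables_service.run_action(act)
+new_resource.updated_by_last_action(true) if iptables_service.updated_by_last_action?
+end
+
+%w(rules.v4 rules.v6).each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def action_flush
+return if disabled?(new_resource)
+
+iptables_flush!(new_resource)
+new_resource.updated_by_last_action(true)
+
+rule_files = %w(rules.v4)
+rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
+rule_files.each do |svc|
+# must create empty file for service to start
+f = lookup_or_create_rulesfile(svc)
+f.content '# created by chef to allow service to start'
+f.run_action(:create)
+
+new_resource.updated_by_last_action(true) if f.updated_by_last_action?
+end
+end
+
+def lookup_or_create_service(name)
+begin
+iptables_service = Chef.run_context.resource_collection.find(service: svc)
+rescue
+iptables_service = service name do
+action :nothing
+end
+end
+iptables_service
+end
+
+def lookup_or_create_rulesfile(name)
+begin
+iptables_file = Chef.run_context.resource_collection.find(file: name)
+rescue
+iptables_file = file "/etc/iptables/#{name}" do
+action :nothing
+end
+end
+iptables_file
+end
+end
+end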
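--- a/data/cookbooks/firewall/libraries/provider_firewall_rule.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_rule.rb
@@ -0,0 +1,34 @@
+#
+# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
+# Cookbook:: firewall
+# Provider:: rule_iptables
+#
+# Copyright:: 2015-2016, computerlyrik
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+class Chef
+class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
+provides :firewall_rule
+
+def action_create
+return unless new_resource.notify_firewall
+
+firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)
+raise 'could not find a firewall resource' unless firewall_resource
+
+new_resource.notifies(:restart, firewall_resource, :delayed)
+new_resource.updated_by_last_action(true)
+end
+end
+end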
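Review bot: The guard `raise 'could not find a firewall resource' unless firewall_resource` on new line 28 looks unreachable, because `resource_collection.find` raises on a missing resource rather than returning nil; the sibling providers in this same diff rely on exactly that by wrapping the same call in `begin`/`rescue`. If the clearer message is wanted, rescue `Chef::Exceptions::ResourceNotFound` around the `find` on line 27 and re-raise with it; otherwise the guard can be dropped so a reader does not assume nil is a possible result. I have not verified whether `find` can return nil in the Chef version cloud-mu targets, so please confirm against the pinned Chef before changing it.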