cloud-mu 3.6.10 → 3.6.11

data/cookbooks/firewall/resources/firewalld_service.rb

@@ -1,98 +0,0 @@
-unified_mode true
-
-provides :firewalld_service,
-         os: 'linux'
-
-property :version,
-         String,
-         description: 'see version attribute of service tag in firewalld.service(5).'
-property :short,
-         String,
-         name_property: true,
-         description: 'see short tag in firewalld.service(5).'
-property :description,
-         String,
-         description: 'see description tag in firewalld.service(5).'
-property :ports,
-         [Array, String],
-         description: 'array of port and protocol pairs. See port tag in firewalld.service(5).',
-         coerce: proc { |o| Array(o) }
-property :module_names,
-         [Array, String],
-         description: 'array of kernel netfilter helpers, see module tag in firewalld.service(5).',
-         coerce: proc { |o| Array(o) }
-property :destination,
-         Hash,
-         description: 'hash of {IP family : IP address} where \'IP family\' key can be either \'ipv4\' or \'ipv6\'. See destination tag in firewalld.service(5).'
-property :protocols,
-         [Array, String],
-         description: 'array of protocols, see protocol tag in firewalld.service(5).',
-         coerce: proc { |o| Array(o) }
-property :source_ports,
-         [Array, String],
-         description: 'array of port and protocol pairs. See source-port tag in firewalld.service(5).',
-         coerce: proc { |o| Array(o) }
-property :includes,
-         [Array, String],
-         description: 'array of service includes, see include tag in firewalld.service(5).',
-         coerce: proc { |o| Array(o) }
-property :helpers,
-         [Array, String],
-         description: 'array of service helpers, see helper tag in firewalld.service(5).',
-         coerce: proc { |o| Array(o) }
-
-load_current_value do |new_resource|
-  sysbus = DBus.system_bus
-  firewalld_service = sysbus['org.fedoraproject.FirewallD1']
-  firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
-  fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
-  if fw_config.getServiceNames.include?(new_resource.short)
-    service_path = fw_config.getServiceByName(new_resource.short)
-    object = firewalld_service[service_path]
-    config_service = object['org.fedoraproject.FirewallD1.config.service']
-    config_service.getSettings2.each do |k, v|
-      send(k, v)
-    end
-  else
-    Chef::Log.info "Service #{new_resource.short} does not exist. Will be created."
-  end
-end
-
-action :update do
-  dbus = DBus.system_bus
-  fw = firewalld_interface(dbus)
-  fw_config = config_interface(dbus)
-  reload = false
-  unless fw_config.getServiceNames.include?(new_resource.short)
-    fw_config.addService2(new_resource.short, {})
-  end
-
-  service_path = fw_config.getServiceByName(new_resource.short)
-  service = service_interface(dbus, service_path)
-  properties = new_resource.class.state_properties.map(&:name)
-  properties.each do |property|
-    new_value = new_resource.send(property)
-    next unless new_value
-    if [:ports, :source_ports].include?(property)
-      new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
-    elsif property == :description
-      new_value = default_description(new_resource)
-    end
-    converge_if_changed property do
-      key = property == :short ? 'name' : property.to_s
-      service.update2({ key => new_value })
-      reload = true
-    end
-  end
-
-  if reload
-    converge_by ['reload permanent configuration of firewalld'] do
-      fw.reload
-    end
-  end
-end
-
-action_class do
-  include FirewallCookbook::Helpers
-  include FirewallCookbook::Helpers::FirewalldDBus
-end

data/cookbooks/firewall/resources/firewalld_zone.rb

@@ -1,118 +0,0 @@
-unified_mode true
-
-provides :firewalld_zone,
-         os: 'linux'
-
-property :description,
-         String,
-         description: 'see description tag in firewalld.zone(5).'
-property :forward,
-         [true, false],
-         description: 'see forward tag in firewalld.zone(5).'
-property :forward_ports,
-         [Array, String],
-         description: 'array of (port, protocol, to-port, to-addr). See forward-port tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :icmp_block_inversion,
-         [true, false],
-         description: 'see icmp-block-inversion tag in firewalld.zone(5).'
-property :icmp_blocks,
-         [Array, String],
-         description: 'array of icmp-blocks. See icmp-block tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :interfaces,
-         [Array, String],
-         description: 'array of interfaces. See interface tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :masquerade,
-         [true, false],
-         description: 'see masquerade tag in firewalld.zone(5).'
-property :ports,
-         [Array, String],
-         description: 'array of port and protocol pairs. See port tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :protocols,
-         [Array, String],
-         description: 'array of protocols, see protocol tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :rules_str,
-         [Array, String],
-         description: 'array of rich-language rules. See rule tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :services,
-         [Array, String],
-         description: 'array of service names, see service tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :short,
-         String,
-         name_property: true,
-         description: 'see short tag in firewalld.zone(5).'
-property :source_ports,
-         [Array, String],
-         description: 'array of port and protocol pairs. See source-port tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :sources,
-         [Array, String],
-         description: 'array of source addresses. See source tag in firewalld.zone(5).',
-         coerce: proc { |o| Array(o) }
-property :target,
-         String,
-         description: 'see target attribute of zone tag in firewalld.zone(5).'
-property :version,
-         String,
-         description: 'see version attribute of zone tag in firewalld.zone(5).'
-
-load_current_value do |new_resource|
-  sysbus = DBus.system_bus
-  firewalld_service = sysbus['org.fedoraproject.FirewallD1']
-  firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
-  fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
-  if fw_config.getZoneNames.include?(new_resource.short)
-    zone_path = fw_config.getZoneByName(new_resource.short)
-    object = firewalld_service[zone_path]
-    config_zone = object['org.fedoraproject.FirewallD1.config.zone']
-    config_zone.getSettings2.each do |k, v|
-      send(k, v)
-    end
-  else
-    Chef::Log.info "Zone #{new_resource.short} does not exist. Will be created."
-  end
-end
-
-action :update do
-  dbus = DBus.system_bus
-  fw = firewalld_interface(dbus)
-  fw_config = config_interface(dbus)
-
-  unless fw_config.getZoneNames.include?(new_resource.short)
-    fw_config.addZone2(new_resource.short, {})
-  end
-  zone_path = fw_config.getZoneByName(new_resource.short)
-  zone = zone_interface(dbus, zone_path)
-
-  reload = false
-  properties = new_resource.class.state_properties.map(&:name)
-  properties.each do |property|
-    new_value = new_resource.send(property)
-    next unless new_value
-    if [:ports, :source_ports].include?(property)
-      new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
-    elsif [:forward_ports].include?(property)
-      new_value = forward_ports_to_dbus(new_resource)
-    end
-    converge_if_changed property do
-      zone.update2({ property.to_s => new_value })
-      reload = true
-    end
-  end
-
-  if reload
-    converge_by ['reload permanent configuration of firewalld'] do
-      fw.reload
-    end
-  end
-end
-
-action_class do
-  include FirewallCookbook::Helpers::FirewalldDBus
-end

data/cookbooks/firewall/resources/nftables.rb

@@ -1,71 +0,0 @@
-unified_mode true
-
-include FirewallCookbook::Helpers
-include FirewallCookbook::Helpers::Nftables
-
-provides :nftables,
-         os: 'linux'
-
-property :rules,
-         Hash,
-         default: {}
-property :input_policy,
-         String,
-         equal_to: %w(drop accept),
-         default: 'accept'
-property :output_policy,
-         String,
-         equal_to: %w(drop accept),
-         default: 'accept'
-property :forward_policy,
-         String,
-         equal_to: %w(drop accept),
-         default: 'accept'
-property :table_ip_nat,
-         [true, false],
-         default: false
-property :table_ip6_nat,
-         [true, false],
-         default: false
-property :nftables_conf_path, String,
-         description: 'nftables.conf filepath',
-         default: lazy { default_nftables_conf_path }
-
-action :install do
-  package 'nftables' do
-    action :install
-    notifies :rebuild, "nftables[#{new_resource.name}]"
-  end
-end
-
-action :rebuild do
-  ensure_default_rules_exist(new_resource)
-
-  file new_resource.nftables_conf_path do
-    content  <<~NFT
-      #!/usr/sbin/nft -f
-      flush ruleset
-      #{build_rule_file(new_resource.rules)}
-    NFT
-    mode '0750'
-    owner 'root'
-    group 'root'
-    notifies :restart, 'service[nftables]'
-  end
-
-  service 'nftables' do
-    action [:enable, :start]
-  end
-end
-
-action :restart do
-  service 'nftables' do
-    action :restart
-  end
-end
-
-action :disable do
-  service 'nftables' do
-    action [:disable, :stop]
-  end
-end

data/cookbooks/firewall/resources/nftables_rule.rb

@@ -1,113 +0,0 @@
-unified_mode true
-
-require 'ipaddr'
-
-action_class do
-  include FirewallCookbook::Helpers
-  include FirewallCookbook::Helpers::Nftables
-
-  def return_early?(new_resource)
-    !new_resource.notify_firewall ||
-      !(new_resource.action.include?(:create) &&
-        !new_resource.should_skip?(:create))
-  end
-end
-
-provides :nftables_rule
-default_action :create
-
-property :firewall_name,
-         String,
-         default: 'default'
-property :command,
-         [Array, Symbol],
-         default: :accept
-property :protocol,
-         [Integer, Symbol],
-         default: :tcp,
-         callbacks: {
-           'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
-             %i(udp tcp icmp icmpv6 ipv6-icmp esp ah ipv6 none).include?(p) || (0..142).include?(p)
-           end,
-         }
-property :direction,
-         Symbol,
-         equal_to: [:in, :out, :pre, :post, :forward],
-         default: :in
-# nftables handles ip6 and ip simultaneously.  Except for directions
-# :pre and :post, where where either :ip6 or :ip must be specified.
-# callback should prevent from mixing that up.
-property :family,
-         Symbol,
-         equal_to: [:ip6, :ip],
-         default: :ip
-property :source,
-         [String, Array],
-         callbacks: {
-           'must be a valid ip address' => lambda do |ips|
-             Array(ips).inject(false) do |a, ip|
-               a || !!IPAddr.new(ip)
-             end
-           end,
-         }
-property :sport,
-         [Integer, String, Array, Range]
-property :interface,
-         String
-
-property :dport,
-         [Integer, String, Array, Range]
-property :destination,
-         [String, Array],
-         callbacks: {
-           'must be a valid ip address' => lambda do |ips|
-             Array(ips).inject(false) do |a, ip|
-               a || !!IPAddr.new(ip)
-             end
-           end,
-         }
-property :outerface,
-         String
-
-property :position,
-         Integer,
-         default: 50
-property :stateful,
-         [Symbol, Array]
-property :redirect_port,
-         Integer
-property :description,
-         String,
-         name_property: true
-property :include_comment,
-         [true, false],
-         default: true
-property :log_prefix,
-         String
-property :log_group,
-         Integer
-# for when you just want to pass a raw rule
-property :raw,
-         String
-
-# do you want this rule to notify the firewall to recalculate
-# (and potentially reapply) the firewall_rule(s) it finds?
-property :notify_firewall,
-         [true, false],
-         default: true
-
-action :create do
-  return if return_early?(new_resource)
-  fwr = build_firewall_rule(new_resource)
-
-  with_run_context :root do
-    edit_resource!('nftables', new_resource.firewall_name) do |fw_rule|
-      r = rules.dup || {}
-      r.merge!({
-                 fwr => fw_rule.position,
-               })
-      rules(r)
-      delayed_action :rebuild
-    end
-  end
-end

data/cookbooks/firewall/templates/default/ufw/default.erb

@@ -1,13 +0,0 @@
-# /etc/default/ufw
-# This file is managed by Chef.  Do not edit.
-
-IPV6=<%= node['firewall']['ufw']['defaults']['ipv6'] %>
-MANAGE_BUILTINS=<%= node['firewall']['ufw']['defaults']['manage_builtins'] %>
-
-<% node['firewall']['ufw']['defaults']['policy'].each do |policy, value| -%>
-<%= "DEFAULT_#{policy.upcase}_POLICY=\"#{value}\"" %>
-<% end -%>
-
-IPT_SYSCTL="<%= node['firewall']['ufw']['defaults']['ipt_sysctl'] %>"
-
-IPT_MODULES="<%= node['firewall']['ufw']['defaults']['ipt_modules'] %>"