dust-deploy 0.3.0 → 0.3.1
- data/changelog.md +7 -0
- data/lib/dust/recipes/iptables.rb +46 -17
- data/lib/dust/recipes/repositories.rb +1 -0
- data/lib/dust/version.rb +1 -1
- metadata +3 -3
data/changelog.md
CHANGED
@@ -32,24 +32,33 @@ class Iptables < Thor
|
|
32
32
|
::Dust.print_msg "configuring and deploying ipv4 rules\n" if ipv4
|
33
33
|
::Dust.print_msg "configuring and deploying ipv6 rules\n" if ipv6
|
34
34
|
|
35
|
-
|
35
|
+
iptables_filter = ''
|
36
|
+
iptables_nat = '' if node.uses_rpm?
|
36
37
|
|
37
38
|
# default policy for chains
|
38
39
|
if node.uses_apt? or node.uses_emerge?
|
39
|
-
|
40
|
-
|
41
|
-
|
40
|
+
iptables_filter += rules['input'] ? "-P INPUT DROP\n" : "-P INPUT ACCEPT\n"
|
41
|
+
iptables_filter += rules['output'] ? "-P OUTPUT DROP\n" : "-P OUTPUT ACCEPT\n"
|
42
|
+
iptables_filter += rules['forward'] ? "-P FORWARD DROP\n" : "-P FORWARD ACCEPT\n"
|
42
43
|
|
43
|
-
|
44
|
-
|
45
|
-
|
44
|
+
iptables_filter += "-F\n"
|
45
|
+
iptables_filter += "-F -t nat\n" if ipv4
|
46
|
+
iptables_filter += "-X\n"
|
46
47
|
|
47
48
|
elsif node.uses_rpm?
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
49
|
+
iptables_filter += "*filter\n"
|
50
|
+
|
51
|
+
iptables_filter += rules['input'] ? ":INPUT DROP [0:0]\n" : ":INPUT ACCEPT [0:0]\n"
|
52
|
+
iptables_filter += rules['output'] ? ":OUTPUT DROP [0:0]\n" : ":OUTPUT ACCEPT [0:0]\n"
|
53
|
+
iptables_filter += rules['forward'] ? ":FORWARD DROP [0:0]\n" : ":FORWARD ACCEPT [0:0]\n"
|
54
|
+
|
55
|
+
# also create a *nat element, centos-like systems need that.
|
56
|
+
if ipv4
|
57
|
+
iptables_nat += "*nat\n"
|
58
|
+
iptables_nat += ":PREROUTING ACCEPT [0:0]\n"
|
59
|
+
iptables_nat += ":POSTROUTING ACCEPT [0:0]\n"
|
60
|
+
iptables_nat += ":OUTPUT ACCEPT [0:0]\n"
|
61
|
+
end
|
53
62
|
end
|
54
63
|
|
55
64
|
# map rules to iptables strings
|
@@ -67,20 +76,37 @@ class Iptables < Thor
|
|
67
76
|
|
68
77
|
next unless check_ipversion rule, ipv
|
69
78
|
|
79
|
+
# on centos-like machines, nat tables are handled differently
|
80
|
+
# remove --table argument and
|
81
|
+
is_nat = false
|
82
|
+
if node.uses_rpm? and rule['table']
|
83
|
+
rule.delete 'table'
|
84
|
+
is_nat = true
|
85
|
+
end
|
86
|
+
|
70
87
|
parse_rule(rule).each do |r|
|
71
88
|
# TODO: parse nicer output
|
72
89
|
::Dust.print_msg "#{name}:#{::Dust.grey 0} '#{r.join ' ' }'#{::Dust.none}\n", :indent => 3
|
73
|
-
|
90
|
+
|
91
|
+
if is_nat
|
92
|
+
# handle centos special case
|
93
|
+
iptables_nat += "-A #{chain.upcase} #{r.join ' '}\n"
|
94
|
+
else
|
95
|
+
iptables_filter += "-A #{chain.upcase} #{r.join ' '}\n"
|
96
|
+
end
|
74
97
|
end
|
75
98
|
end
|
76
99
|
end
|
77
100
|
|
78
101
|
# put commit statement for rpm machines
|
79
|
-
|
102
|
+
if node.uses_rpm?
|
103
|
+
iptables_filter += "COMMIT\n"
|
104
|
+
iptables_nat += "COMMIT\n" if ipv4
|
105
|
+
end
|
80
106
|
|
81
107
|
# prepend iptables command on non-centos-like machines
|
82
108
|
if node.uses_apt? or node.uses_emerge?
|
83
|
-
|
109
|
+
iptables_filter = iptables_filter.map { |s| "#{iptables} #{s}" }.to_s
|
84
110
|
end
|
85
111
|
|
86
112
|
# set header
|
@@ -89,14 +115,17 @@ class Iptables < Thor
|
|
89
115
|
header = "#!/bin/sh\n"
|
90
116
|
end
|
91
117
|
header += "# automatically generated by dust\n\n"
|
92
|
-
|
118
|
+
iptables_filter = header + iptables_filter
|
119
|
+
|
120
|
+
# append nat table to filter
|
121
|
+
iptables_filter = iptables_filter + iptables_nat if node.uses_rpm? and ipv4
|
93
122
|
|
94
123
|
# set the target file depending on distribution
|
95
124
|
target = "/etc/network/if-pre-up.d/#{iptables}" if node.uses_apt?
|
96
125
|
target = "/etc/#{iptables}" if node.uses_emerge?
|
97
126
|
target = "/etc/sysconfig/#{iptables}" if node.uses_rpm?
|
98
127
|
|
99
|
-
node.write target,
|
128
|
+
node.write target, iptables_filter, :quiet => true
|
100
129
|
|
101
130
|
if node.uses_apt? or node.uses_emerge?
|
102
131
|
node.chmod '700', target
|
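Review bot: The `is_nat` test added at new lines 82–85 (`if node.uses_rpm? and rule['table']`) routes a rule into the `*nat` section whenever a `table` key is present at all, so a rule declaring `table: mangle` or `table: filter` is written under `*nat` with its table argument stripped; `iptables-restore` rejects the whole `/etc/sysconfig/iptables` file on such a line, which most likely brings the host up without any of the intended rules rather than with one rule missing. Compare the value and fail loudly on anything else: `is_nat = node.uses_rpm? && rule['table'] == 'nat'`, with `rule.delete 'table'` only inside that branch. Note that `delete` mutates the caller's rule hash, so if the same `rules` are iterated a second time for the other IP version the key is already gone on that pass — the enclosing loop begins outside this hunk, so I cannot confirm whether that happens. Separately, `iptables_filter` is built as a String (`''` plus `+=`), so `iptables_filter.map { |s| ... }.to_s` at new line 109 only works where String is Enumerable (Ruby 1.8); `iptables_filter = iptables_filter.each_line.map { |s| "#{iptables} #{s}" }.join` gives the same output on 1.8 and 1.9.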
data/lib/dust/version.rb
CHANGED
metadata
CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
segments:
|
6
6
|
- 0
|
7
7
|
- 3
|
8
|
-
-
|
9
|
-
version: 0.3.
|
8
|
+
- 1
|
9
|
+
version: 0.3.1
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- kris kechagia
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2012-01-
|
17
|
+
date: 2012-01-12 00:00:00 +01:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|