dust-deploy 0.3.0 → 0.3.1
- data/changelog.md +7 -0
- data/lib/dust/recipes/iptables.rb +46 -17
- data/lib/dust/recipes/repositories.rb +1 -0
- data/lib/dust/version.rb +1 -1
- metadata +3 -3
data/changelog.md
CHANGED
@@ -32,24 +32,33 @@ class Iptables < Thor
|
|
32
32
|
::Dust.print_msg "configuring and deploying ipv4 rules\n" if ipv4
|
33
33
|
::Dust.print_msg "configuring and deploying ipv6 rules\n" if ipv6
|
34
34
|
|
35
|
-
|
35
|
+
iptables_filter = ''
|
36
|
+
iptables_nat = '' if node.uses_rpm?
|
36
37
|
|
37
38
|
# default policy for chains
|
38
39
|
if node.uses_apt? or node.uses_emerge?
|
39
|
-
|
40
|
-
|
41
|
-
|
40
|
+
iptables_filter += rules['input'] ? "-P INPUT DROP\n" : "-P INPUT ACCEPT\n"
|
41
|
+
iptables_filter += rules['output'] ? "-P OUTPUT DROP\n" : "-P OUTPUT ACCEPT\n"
|
42
|
+
iptables_filter += rules['forward'] ? "-P FORWARD DROP\n" : "-P FORWARD ACCEPT\n"
|
42
43
|
|
43
|
-
|
44
|
-
|
45
|
-
|
44
|
+
iptables_filter += "-F\n"
|
45
|
+
iptables_filter += "-F -t nat\n" if ipv4
|
46
|
+
iptables_filter += "-X\n"
|
46
47
|
|
47
48
|
elsif node.uses_rpm?
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
49
|
+
iptables_filter += "*filter\n"
|
50
|
+
|
51
|
+
iptables_filter += rules['input'] ? ":INPUT DROP [0:0]\n" : ":INPUT ACCEPT [0:0]\n"
|
52
|
+
iptables_filter += rules['output'] ? ":OUTPUT DROP [0:0]\n" : ":OUTPUT ACCEPT [0:0]\n"
|
53
|
+
iptables_filter += rules['forward'] ? ":FORWARD DROP [0:0]\n" : ":FORWARD ACCEPT [0:0]\n"
|
54
|
+
|
55
|
+
# also create a *nat element, centos-like systems need that.
|
56
|
+
if ipv4
|
57
|
+
iptables_nat += "*nat\n"
|
58
|
+
iptables_nat += ":PREROUTING ACCEPT [0:0]\n"
|
59
|
+
iptables_nat += ":POSTROUTING ACCEPT [0:0]\n"
|
60
|
+
iptables_nat += ":OUTPUT ACCEPT [0:0]\n"
|
61
|
+
end
|
53
62
|
end
|
54
63
|
|
55
64
|
# map rules to iptables strings
|
@@ -67,20 +76,37 @@ class Iptables < Thor
|
|
67
76
|
|
68
77
|
next unless check_ipversion rule, ipv
|
69
78
|
|
79
|
+
# on centos-like machines, nat tables are handled differently
|
80
|
+
# remove --table argument and
|
81
|
+
is_nat = false
|
82
|
+
if node.uses_rpm? and rule['table']
|
83
|
+
rule.delete 'table'
|
84
|
+
is_nat = true
|
85
|
+
end
|
86
|
+
|
70
87
|
parse_rule(rule).each do |r|
|
71
88
|
# TODO: parse nicer output
|
72
89
|
::Dust.print_msg "#{name}:#{::Dust.grey 0} '#{r.join ' ' }'#{::Dust.none}\n", :indent => 3
|
73
|
-
|
90
|
+
|
91
|
+
if is_nat
|
92
|
+
# handle centos special case
|
93
|
+
iptables_nat += "-A #{chain.upcase} #{r.join ' '}\n"
|
94
|
+
else
|
95
|
+
iptables_filter += "-A #{chain.upcase} #{r.join ' '}\n"
|
96
|
+
end
|
74
97
|
end
|
75
98
|
end
|
76
99
|
end
|
77
100
|
|
78
101
|
# put commit statement for rpm machines
|
79
|
-
|
102
|
+
if node.uses_rpm?
|
103
|
+
iptables_filter += "COMMIT\n"
|
104
|
+
iptables_nat += "COMMIT\n" if ipv4
|
105
|
+
end
|
80
106
|
|
81
107
|
# prepend iptables command on non-centos-like machines
|
82
108
|
if node.uses_apt? or node.uses_emerge?
|
83
|
-
|
109
|
+
iptables_filter = iptables_filter.map { |s| "#{iptables} #{s}" }.to_s
|
84
110
|
end
|
85
111
|
|
86
112
|
# set header
|
@@ -89,14 +115,17 @@ class Iptables < Thor
|
|
89
115
|
header = "#!/bin/sh\n"
|
90
116
|
end
|
91
117
|
header += "# automatically generated by dust\n\n"
|
92
|
-
|
118
|
+
iptables_filter = header + iptables_filter
|
119
|
+
|
120
|
+
# append nat table to filter
|
121
|
+
iptables_filter = iptables_filter + iptables_nat if node.uses_rpm? and ipv4
|
93
122
|
|
94
123
|
# set the target file depending on distribution
|
95
124
|
target = "/etc/network/if-pre-up.d/#{iptables}" if node.uses_apt?
|
96
125
|
target = "/etc/#{iptables}" if node.uses_emerge?
|
97
126
|
target = "/etc/sysconfig/#{iptables}" if node.uses_rpm?
|
98
127
|
|
99
|
-
node.write target,
|
128
|
+
node.write target, iptables_filter, :quiet => true
|
100
129
|
|
101
130
|
if node.uses_apt? or node.uses_emerge?
|
102
131
|
node.chmod '700', target
|
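Review bot: The rpm branch at new lines 81–85 treats any rule that carries a `table` key as a nat rule — `if node.uses_rpm? and rule['table']` never looks at the value — so a rule written for `mangle` or `raw` would have its table argument stripped and be emitted under `*nat`, silently landing in a different table than the one configured. The same block calls `rule.delete 'table'` on the rule hash itself; if that hash is reused across the ipv4 and ipv6 passes (the enclosing loop header is outside the hunk, so I cannot confirm this), the second pass no longer sees the key and files the same rule into `*filter`. I would check the value (assuming the key holds the bare table name, as the `--table` comment suggests), skip unsupported tables with a visible message, and work on a copy so the caller's configuration is left intact. Separately, `iptables_filter.map { ... }.to_s` at new line 109 depends on Ruby 1.8's `String#map` and `Array#to_s` join semantics; `iptables_filter.lines.map { |s| "#{iptables} #{s}" }.join` gives the same output on 1.9+ as well.
```ruby
# on centos-like machines the nat table is emitted as its own *nat block;
# only 'nat' is handled there, and the shared rule hash must not be mutated
is_nat = false
if node.uses_rpm? and rule['table']
  unless rule['table'] == 'nat'
    ::Dust.print_msg "skipping rule: table '#{rule['table']}' is not supported on rpm systems\n", :indent => 3
    next
  end
  rule = rule.dup
  rule.delete 'table'
  is_nat = true
end
# … unchanged: parse_rule loop, COMMIT handling …
```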
data/lib/dust/version.rb
CHANGED
metadata
CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
segments:
|
6
6
|
- 0
|
7
7
|
- 3
|
8
|
-
-
|
9
|
-
version: 0.3.
|
8
|
+
- 1
|
9
|
+
version: 0.3.1
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- kris kechagia
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2012-01-
|
17
|
+
date: 2012-01-12 00:00:00 +01:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|