freighthop 0.3.3 → 0.4.0
- checksums.yaml +7 -0
- data/Puppetfile +1 -1
- data/Puppetfile.lock +4 -5
- data/README.md +18 -7
- data/Vagrantfile +4 -0
- data/lib/freighthop/cli/help.rb +1 -0
- data/lib/freighthop/cli/init.rb +10 -10
- data/lib/freighthop/cli/version.rb +17 -0
- data/lib/freighthop/cli.rb +3 -1
- data/lib/freighthop/version.rb +1 -1
- data/lib/freighthop.rb +4 -0
- data/modules/apt/CHANGELOG +2 -36
- data/modules/apt/Gemfile +5 -6
- data/modules/apt/Gemfile.lock +7 -40
- data/modules/apt/Modulefile +1 -1
- data/modules/apt/README.md +1 -2
- data/modules/apt/Rakefile +0 -1
- data/modules/apt/manifests/init.pp +2 -5
- data/modules/apt/manifests/params.pp +1 -4
- data/modules/apt/manifests/pin.pp +1 -1
- data/modules/apt/manifests/ppa.pp +10 -24
- data/modules/apt/manifests/update.pp +0 -1
- data/modules/apt/metadata.json +19 -32
- data/modules/apt/spec/defines/ppa_spec.rb +2 -53
- data/modules/apt/spec/defines/source_spec.rb +2 -2
- data/modules/apt/templates/source.list.erb +2 -2
- data/modules/apt/tests/key.pp +3 -3
- data/modules/concat/CHANGELOG +73 -0
- data/modules/concat/Gemfile +20 -0
- data/modules/concat/Gemfile.lock +104 -0
- data/modules/concat/Modulefile +7 -6
- data/modules/concat/README.md +440 -0
- data/modules/concat/Rakefile +5 -1
- data/modules/concat/files/concatfragments.rb +137 -0
- data/modules/concat/files/concatfragments.sh +15 -4
- data/modules/concat/lib/facter/concat_basedir.rb +9 -3
- data/modules/concat/manifests/fragment.pp +108 -48
- data/modules/concat/manifests/init.pp +191 -210
- data/modules/concat/manifests/setup.pp +31 -31
- data/modules/concat/metadata.json +40 -21
- data/modules/{apt → concat}/spec/spec_helper_system.rb +11 -6
- data/modules/{firewall → concat}/spec/system/basic_spec.rb +1 -1
- data/modules/concat/spec/system/concat_spec.rb +154 -0
- data/modules/concat/spec/system/deprecation_warnings_spec.rb +247 -0
- data/modules/concat/spec/system/empty_spec.rb +27 -0
- data/modules/concat/spec/system/fragment_source_spec.rb +142 -0
- data/modules/concat/spec/system/replace_spec.rb +257 -0
- data/modules/concat/spec/system/symbolic_name_spec.rb +35 -0
- data/modules/concat/spec/system/warn_spec.rb +106 -0
- data/modules/concat/spec/unit/classes/concat_setup_spec.rb +42 -0
- data/modules/concat/spec/unit/defines/concat_fragment_spec.rb +267 -0
- data/modules/concat/spec/unit/defines/concat_spec.rb +380 -0
- data/modules/concat/spec/unit/facts/concat_basedir_spec.rb +18 -0
- data/modules/concat/tests/fragment.pp +19 -0
- data/modules/concat/tests/init.pp +7 -0
- data/modules/firewall/Changelog +38 -0
- data/modules/firewall/Gemfile +5 -2
- data/modules/firewall/Gemfile.lock +76 -26
- data/modules/firewall/Modulefile +1 -1
- data/modules/firewall/README.markdown +47 -15
- data/modules/firewall/Rakefile +0 -7
- data/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb +50 -7
- data/modules/firewall/lib/puppet/provider/firewall/iptables.rb +147 -31
- data/modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb +19 -8
- data/modules/firewall/lib/puppet/type/firewall.rb +207 -3
- data/modules/firewall/lib/puppet/type/firewallchain.rb +73 -2
- data/modules/firewall/lib/puppet/util/firewall.rb +14 -0
- data/modules/firewall/metadata.json +181 -76
- data/modules/firewall/spec/acceptance/basic_spec.rb +8 -0
- data/modules/firewall/spec/acceptance/change_source_spec.rb +77 -0
- data/modules/firewall/spec/acceptance/class_spec.rb +27 -0
- data/modules/firewall/spec/acceptance/firewall_spec.rb +1608 -0
- data/modules/firewall/spec/acceptance/firewallchain_spec.rb +125 -0
- data/modules/firewall/spec/acceptance/ip6_fragment_spec.rb +94 -0
- data/modules/firewall/spec/acceptance/isfragment_spec.rb +92 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-fusion.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-70rc1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/fedora-18-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/sles-11sp1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/firewall/spec/{system → acceptance}/params_spec.rb +44 -52
- data/modules/firewall/spec/acceptance/purge_spec.rb +124 -0
- data/modules/firewall/spec/acceptance/resource_cmd_spec.rb +93 -0
- data/modules/firewall/spec/acceptance/rules_spec.rb +248 -0
- data/modules/firewall/spec/acceptance/socket_spec.rb +96 -0
- data/modules/firewall/spec/{system → acceptance}/standard_usage_spec.rb +6 -10
- data/modules/firewall/spec/fixtures/ip6tables/conversion_hash.rb +107 -0
- data/modules/firewall/spec/fixtures/iptables/conversion_hash.rb +56 -2
- data/modules/firewall/spec/spec_helper_acceptance.rb +38 -0
- data/modules/firewall/spec/unit/classes/firewall_spec.rb +2 -2
- data/modules/firewall/spec/unit/facter/iptables_persistent_version_spec.rb +8 -5
- data/modules/firewall/spec/unit/facter/iptables_spec.rb +6 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_chain_spec.rb +14 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_spec.rb +246 -5
- data/modules/firewall/spec/unit/puppet/type/firewall_spec.rb +99 -8
- data/modules/firewall/spec/unit/puppet/type/firewallchain_spec.rb +50 -6
- data/modules/firewall/spec/unit/puppet/util/firewall_spec.rb +21 -0
- data/modules/mysql/CHANGELOG +0 -30
- data/modules/mysql/Gemfile +0 -1
- data/modules/mysql/Gemfile.lock +30 -31
- data/modules/mysql/Modulefile +1 -1
- data/modules/mysql/README.md +2 -49
- data/modules/mysql/files/mysqltuner.pl +1 -1
- data/modules/mysql/lib/puppet/provider/database/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_grant/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_user/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/mysql.rb +1 -2
- data/modules/mysql/lib/puppet/provider/mysql_database/mysql.rb +13 -2
- data/modules/mysql/lib/puppet/provider/mysql_user/mysql.rb +12 -0
- data/modules/mysql/lib/puppet/type/database_user.rb +1 -1
- data/modules/mysql/lib/puppet/type/mysql_grant.rb +3 -5
- data/modules/mysql/manifests/client.pp +0 -7
- data/modules/mysql/manifests/server/root_password.pp +0 -2
- data/modules/mysql/manifests/server.pp +0 -6
- data/modules/mysql/metadata.json +79 -81
- data/modules/mysql/spec/classes/mysql_server_spec.rb +0 -74
- data/modules/mysql/spec/system/mysql_server_root_password_spec.rb +1 -7
- data/modules/mysql/spec/system/mysql_server_spec.rb +3 -6
- data/modules/mysql/spec/system/types/mysql_grant_spec.rb +0 -27
- data/modules/mysql/spec/unit/puppet/functions/mysql_deepmerge_spec.rb +1 -1
- data/modules/mysql/spec/unit/puppet/provider/database/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/database_grant/mysql_spec.rb +15 -15
- data/modules/mysql/spec/unit/puppet/provider/database_user/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/mysql_database/mysql_spec.rb +3 -3
- data/modules/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb +3 -3
- data/modules/mysql/templates/my.cnf.erb +2 -4
- data/modules/mysql/tests/mysql_grant.pp +1 -1
- data/modules/postgresql/Changelog +31 -0
- data/modules/postgresql/Gemfile +4 -2
- data/modules/postgresql/Modulefile +1 -1
- data/modules/postgresql/README.md +10 -4
- data/modules/postgresql/Rakefile +0 -1
- data/modules/postgresql/lib/puppet/provider/postgresql_psql/ruby.rb +25 -3
- data/modules/postgresql/manifests/globals.pp +2 -0
- data/modules/postgresql/manifests/params.pp +21 -0
- data/modules/postgresql/manifests/server/config.pp +0 -5
- data/modules/postgresql/manifests/server/config_entry.pp +1 -1
- data/modules/postgresql/manifests/server/database.pp +2 -1
- data/modules/postgresql/manifests/server/db.pp +2 -0
- data/modules/postgresql/manifests/server/grant.pp +20 -16
- data/modules/postgresql/manifests/server/initdb.pp +27 -3
- data/modules/postgresql/manifests/server/pg_hba_rule.pp +2 -4
- data/modules/postgresql/manifests/server/role.pp +8 -2
- data/modules/postgresql/manifests/server/service.pp +5 -0
- data/modules/postgresql/manifests/server.pp +2 -0
- data/modules/postgresql/metadata.json +88 -65
- data/modules/postgresql/spec/acceptance/client_spec.rb +18 -0
- data/modules/postgresql/spec/{system → acceptance}/common_patterns_spec.rb +8 -14
- data/modules/postgresql/spec/{system → acceptance}/contrib_spec.rb +4 -9
- data/modules/postgresql/spec/acceptance/lib/devel_spec.rb +17 -0
- data/modules/postgresql/spec/acceptance/lib/java_spec.rb +20 -0
- data/modules/postgresql/spec/acceptance/lib/python_spec.rb +19 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-510-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-73-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/postgresql/spec/{system → acceptance}/postgresql_psql_spec.rb +6 -14
- data/modules/postgresql/spec/{system → acceptance}/server/config_entry_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/db_spec.rb +47 -42
- data/modules/postgresql/spec/{system → acceptance}/server/grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/pg_hba_rule_spec.rb +10 -23
- data/modules/postgresql/spec/{system → acceptance}/server/plperl_spec.rb +6 -10
- data/modules/postgresql/spec/{system → acceptance}/server/role_spec.rb +13 -28
- data/modules/postgresql/spec/acceptance/server/table_grant_spec.rb +124 -0
- data/modules/postgresql/spec/{system → acceptance}/server/tablespace_spec.rb +8 -22
- data/modules/postgresql/spec/{system → acceptance}/server_spec.rb +38 -61
- data/modules/postgresql/spec/{system → acceptance}/validate_db_connection_spec.rb +8 -20
- data/modules/postgresql/spec/spec_helper_acceptance.rb +70 -0
- data/modules/postgresql/spec/unit/classes/globals_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/lib/devel_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/params_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/repo_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/server/initdb_spec.rb +2 -1
- data/modules/postgresql/spec/unit/classes/server/plperl_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/server_spec.rb +9 -2
- data/modules/postgresql/spec/unit/puppet/provider/postgresql_psql/ruby_spec.rb +15 -17
- data/modules/rbenv/bin/autospec +0 -0
- data/modules/rbenv/bin/facter +0 -0
- data/modules/rbenv/bin/filebucket +0 -0
- data/modules/rbenv/bin/hiera +0 -0
- data/modules/rbenv/bin/htmldiff +0 -0
- data/modules/rbenv/bin/ldiff +0 -0
- data/modules/rbenv/bin/pi +0 -0
- data/modules/rbenv/bin/puppet +0 -0
- data/modules/rbenv/bin/puppet-lint +0 -0
- data/modules/rbenv/bin/puppet-module +0 -0
- data/modules/rbenv/bin/puppetca +0 -0
- data/modules/rbenv/bin/puppetd +0 -0
- data/modules/rbenv/bin/puppetdoc +0 -0
- data/modules/rbenv/bin/puppetmasterd +0 -0
- data/modules/rbenv/bin/puppetqd +0 -0
- data/modules/rbenv/bin/puppetrun +0 -0
- data/modules/rbenv/bin/rake +0 -0
- data/modules/rbenv/bin/ralsh +0 -0
- data/modules/rbenv/bin/rspec +0 -0
- data/modules/rbenv/bin/rspec-puppet-init +0 -0
- data/modules/stdlib/spec/monkey_patches/alias_should_to_must.rb +0 -0
- data/modules/stdlib/spec/monkey_patches/publicize_methods.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/abs_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/bool2num_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/capitalize_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chomp_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chop_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_at_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/dirname_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/downcase_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/empty_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/flatten_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/grep_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_interface_with_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_address_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_network_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/max_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/min_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/reject_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/to_bytes_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/validate_slength_spec.rb +0 -0
- metadata +92 -77
- data/modules/apt/manifests/unattended_upgrades.pp +0 -68
- data/modules/apt/spec/classes/unattended_upgrades_spec.rb +0 -204
- data/modules/apt/spec/system/apt_builddep_spec.rb +0 -38
- data/modules/apt/spec/system/apt_key_spec.rb +0 -53
- data/modules/apt/spec/system/apt_ppa_spec.rb +0 -59
- data/modules/apt/spec/system/apt_source_spec.rb +0 -51
- data/modules/apt/spec/system/basic_spec.rb +0 -10
- data/modules/apt/spec/system/class_spec.rb +0 -20
- data/modules/apt/templates/10periodic.erb +0 -12
- data/modules/apt/templates/50unattended-upgrades.erb +0 -53
- data/modules/apt/tests/unattended-upgrades.pp +0 -1
- data/modules/concat/README.markdown +0 -150
- data/modules/concat/spec/defines/init_spec.rb +0 -115
- data/modules/concat/spec/fixtures/manifests/site.pp +0 -0
- data/modules/firewall/spec/spec_helper_system.rb +0 -49
- data/modules/firewall/spec/system/class_spec.rb +0 -39
- data/modules/firewall/spec/system/purge_spec.rb +0 -29
- data/modules/firewall/spec/system/resource_cmd_spec.rb +0 -53
- data/modules/mysql/manifests/server/providers.pp +0 -8
- data/modules/mysql/tests/bindings.pp +0 -3
- data/modules/postgresql/Gemfile.lock +0 -74
- data/modules/postgresql/spec/spec_helper_system.rb +0 -66
- data/modules/postgresql/spec/system/client_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/devel_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/java_spec.rb +0 -25
- data/modules/postgresql/spec/system/lib/python_spec.rb +0 -24
- data/modules/postgresql/spec/system/server/table_grant_spec.rb +0 -72
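--- a/data/modules/firewall/lib/puppet/type/firewallchain.rb
+++ b/data/modules/firewall/lib/puppet/type/firewallchain.rb
@@ -56,8 +56,8 @@ Puppet::Type.newtype(:firewallchain) do
 raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, FORWARD and OUTPUT are the only inbuilt chains that can be used in table 'mangle'"
 end
 when 'nat'
-if chain =~ /^(BROUTING|
-raise ArgumentError, "PREROUTING, POSTROUTING and OUTPUT are the only inbuilt chains that can be used in table 'nat'"
+if chain =~ /^(BROUTING|FORWARD)$/
+raise ArgumentError, "PREROUTING, POSTROUTING, INPUT, and OUTPUT are the only inbuilt chains that can be used in table 'nat'"
 end
 if protocol =~/^(IP(v6)?)?$/
 raise ArgumentError, "table nat isn't valid in IPv6. You must specify ':IPv4' as the name suffix"
@@ -105,6 +105,47 @@ Puppet::Type.newtype(:firewallchain) do
 end
 end
 
+newparam(:purge, :boolean => true) do
+desc <<-EOS
+Purge unmanaged firewall rules in this chain
+EOS
+newvalues(:false, :true)
+defaultto :false
+end
+
+newparam(:ignore) do
+desc <<-EOS
+Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).
+This is matched against the output of `iptables-save`.
+
+This can be a single regex, or an array of them.
+To support flags, use the ruby inline flag mechanism.
+Meaning a regex such as
+/foo/i
+can be written as
+'(?i)foo' or '(?i:foo)'
+
+Full example:
+firewallchain { 'INPUT:filter:IPv4':
+purge => true,
+ignore => [
+'-j fail2ban-ssh', # ignore the fail2ban jump rule
+'--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
+],
+}
+EOS
+
+validate do |value|
+unless value.is_a?(Array) or value.is_a?(String) or value == false
+self.devfail "Ignore must be a string or an Array"
+end
+end
+munge do |patterns| # convert into an array of {Regex}es
+patterns = [patterns] if patterns.is_a?(String)
+patterns.map{|p| Regexp.new(p)}
+end
+end
+
 # Classes would be a better abstraction, pending:
 # http://projects.puppetlabs.com/issues/19001
 autorequire(:package) do
@@ -148,4 +189,34 @@ Puppet::Type.newtype(:firewallchain) do
 self.fail 'The "nat" table is not intended for filtering, the use of DROP is therefore inhibited'
 end
 end
+
+def generate
+return [] unless self.purge?
+
+value(:name).match(Nameformat)
+chain = $1
+table = $2
+protocol = $3
+
+provider = case protocol
+when 'IPv4'
+:iptables
+when 'IPv6'
+:ip6tables
+end
+
+# gather a list of all rules present on the system
+rules_resources = Puppet::Type.type(:firewall).instances
+
+# Keep only rules in this chain
+rules_resources.delete_if { |res| (res[:provider] != provider or res.provider.properties[:table].to_s != table or res.provider.properties[:chain] != chain) }
+
+# Remove rules which match our ignore filter
+rules_resources.delete_if {|res| value(:ignore).find_index{|f| res.provider.properties[:line].match(f)}} if value(:ignore)
+
+# We mark all remaining rules for deletion, and then let the catalog override us on rules which should be present
+rules_resources.each {|res| res[:ensure] = :absent}
+
+rules_resources
+end
 end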
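Review bot: In the `@@ -105,6 +105,47 @@` hunk the `ignore` parameter's validate block explicitly admits `value == false`, but the munge block directly below it calls `patterns.map` without that case, so `ignore => false` in a manifest appears to raise NoMethodError at munge time instead of reaching the `if value(:ignore)` guard in `generate`; one line covers it: `patterns == false ? patterns : Array(patterns).map { |p| Regexp.new(p) }`. The `self.devfail "Ignore must be a string or an Array"` on the validate path also looks wrong in kind — devfail marks an internal Puppet bug, whereas a mistyped user value is ordinary input validation and reads better as `self.fail "Ignore must be a string or an Array"` so it surfaces as a catalog error. In `generate` (fully inside the last hunk), each ignore pattern is matched unanchored against a whole `iptables-save` line, so a loose pattern silently exempts every rule it touches from purging; a comment above the `rules_resources.delete_if` on the ignore line saying `# unanchored, whole-line match: a broad pattern keeps every rule it touches` would make that cost visible to manifest authors.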
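--- a/data/modules/firewall/lib/puppet/util/firewall.rb
+++ b/data/modules/firewall/lib/puppet/util/firewall.rb
@@ -116,6 +116,20 @@ module Puppet::Util::Firewall
 value.cidr
 end
 
+# Takes an address mask and converts the host portion to CIDR notation.
+#
+# This takes into account you can negate a mask but follows all rules
+# defined in host_to_ip for the host/address part.
+#
+def host_to_mask(value)
+match = value.match /(!)\s?(.*)$/
+return host_to_ip(value) unless match
+
+cidr = host_to_ip(match[2])
+return nil if cidr == nil
+"#{match[1]} #{cidr}"
+end
+
 # Validates the argument is int or hex, and returns valid hex
 # conversion of the value or nil otherwise.
 def to_hex32(value)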
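Review bot: The negation regex in `host_to_mask`, `/(!)\s?(.*)$/`, is anchored only at the end, so a `!` anywhere in the value matches and whatever precedes it is silently discarded rather than rejected (a constructed `'10.0.0.1 ! 10.0.0.2'` would be treated as a negation of the second address only), and `$` also tolerates a trailing newline; full-string validation in Ruby wants `\A`/`\z`, i.e. `match = value.match(/\A(!)\s?(.*)\z/)`. The `return nil if cidr == nil` line is idiomatically `return nil unless cidr`. The header comment defers to `host_to_ip` for the address part, but that method is outside this hunk, so whether an empty remainder (a bare `!`) yields `nil` or raises cannot be confirmed here; stating that outcome in the comment once checked would save the next reader the same question.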
@@ -1,251 +1,356 @@
|
|
1
1
|
{
|
2
2
|
"name": "puppetlabs-firewall",
|
3
|
-
"version": "0.
|
3
|
+
"version": "1.0.0",
|
4
|
+
"summary": "Firewall Module",
|
4
5
|
"source": "git://github.com/puppetlabs/puppetlabs-firewall.git",
|
6
|
+
"project_page": "http://forge.puppetlabs.com/puppetlabs/firewall",
|
5
7
|
"author": "puppetlabs",
|
6
8
|
"license": "ASL 2.0",
|
7
|
-
"
|
8
|
-
|
9
|
-
|
9
|
+
"operatingsystem_support": [
|
10
|
+
"RedHat",
|
11
|
+
"Debian",
|
12
|
+
"Ubuntu",
|
13
|
+
"SuSE",
|
14
|
+
"SLED"
|
15
|
+
],
|
16
|
+
"puppet_version": [
|
17
|
+
2.7,
|
18
|
+
3.0,
|
19
|
+
3.1,
|
20
|
+
3.2,
|
21
|
+
3.3
|
22
|
+
],
|
10
23
|
"dependencies": [
|
11
24
|
|
12
25
|
],
|
26
|
+
"description": "Manages Firewalls such as iptables",
|
13
27
|
"types": [
|
14
28
|
{
|
15
29
|
"name": "firewall",
|
16
|
-
"doc": "
|
30
|
+
"doc": "This type provides the capability to manage firewall rules within\npuppet.\n\n**Autorequires:**\n\nIf Puppet is managing the iptables or ip6tables chains specified in the\n`chain` or `jump` parameters, the firewall resource will autorequire\nthose firewallchain resources.\n\nIf Puppet is managing the iptables or iptables-persistent packages, and\nthe provider is iptables or ip6tables, the firewall resource will\nautorequire those packages to ensure that any required binaries are\ninstalled.",
|
17
31
|
"properties": [
|
18
32
|
{
|
19
33
|
"name": "ensure",
|
20
|
-
"doc": " Manage the state of this rule. The default action is *present*.\n
|
34
|
+
"doc": " Manage the state of this rule. The default action is *present*.\n\nValid values are `present`, `absent`. "
|
21
35
|
},
|
22
36
|
{
|
23
37
|
"name": "action",
|
24
|
-
"doc": "
|
38
|
+
"doc": "This is the action to perform on a match. Can be one of:\n\n* accept - the packet is accepted\n* reject - the packet is rejected with a suitable ICMP response\n* drop - the packet is dropped\n\nIf you specify no value it will simply match the rule but perform no\naction unless you provide a provider specific parameter (such as *jump*).\n\nValid values are `accept`, `reject`, `drop`. "
|
25
39
|
},
|
26
40
|
{
|
27
41
|
"name": "source",
|
28
|
-
"doc": "
|
42
|
+
"doc": "The source address. For example:\n\n source => '192.168.2.0/24'\n\nYou can also negate a mask by putting ! in front. For example:\n\n source => '! 192.168.2.0/24'\n\nThe source can also be an IPv6 address if your provider supports it.\n\n"
|
29
43
|
},
|
30
44
|
{
|
31
45
|
"name": "src_range",
|
32
|
-
"doc": "
|
46
|
+
"doc": "The source IP range. For example:\n\n src_range => '192.168.1.1-192.168.1.10'\n\nThe source IP range is must in 'IP1-IP2' format.\n\nValues can match `/^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)-((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)/`.\n\nRequires features iprange."
|
33
47
|
},
|
34
48
|
{
|
35
49
|
"name": "destination",
|
36
|
-
"doc": "
|
50
|
+
"doc": "The destination address to match. For example:\n\n destination => '192.168.1.0/24'\n\nYou can also negate a mask by putting ! in front. For example:\n\n destination => '! 192.168.2.0/24'\n\nThe destination can also be an IPv6 address if your provider supports it.\n\n"
|
37
51
|
},
|
38
52
|
{
|
39
53
|
"name": "dst_range",
|
40
|
-
"doc": "
|
54
|
+
"doc": "The destination IP range. For example:\n\n dst_range => '192.168.1.1-192.168.1.10'\n\nThe destination IP range is must in 'IP1-IP2' format.\n\nValues can match `/^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)-((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]\\d|\\d)/`.\n\nRequires features iprange."
|
41
55
|
},
|
42
56
|
{
|
43
57
|
"name": "sport",
|
44
|
-
"doc": "
|
58
|
+
"doc": "The source port to match for this filter (if the protocol supports\nports). Will accept a single element or an array.\n\nFor some firewall providers you can pass a range of ports in the format:\n\n <start_number>-<ending_number>\n\nFor example:\n\n 1-1024\n\nThis would cover ports 1 to 1024.\n\n"
|
45
59
|
},
|
46
60
|
{
|
47
61
|
"name": "dport",
|
48
|
-
"doc": "
|
62
|
+
"doc": "The destination port to match for this filter (if the protocol supports\nports). Will accept a single element or an array.\n\nFor some firewall providers you can pass a range of ports in the format:\n\n <start_number>-<ending_number>\n\nFor example:\n\n 1-1024\n\nThis would cover ports 1 to 1024.\n\n"
|
49
63
|
},
|
50
64
|
{
|
51
65
|
"name": "port",
|
52
|
-
"doc": "
|
66
|
+
"doc": "The destination or source port to match for this filter (if the protocol\nsupports ports). Will accept a single element or an array.\n\nFor some firewall providers you can pass a range of ports in the format:\n\n <start_number>-<ending_number>\n\nFor example:\n\n 1-1024\n\nThis would cover ports 1 to 1024.\n\n"
|
53
67
|
},
|
54
68
|
{
|
55
69
|
"name": "dst_type",
|
56
|
-
"doc": "
|
70
|
+
"doc": "The destination address type. For example:\n\n dst_type => 'LOCAL'\n\nCan be one of:\n\n* UNSPEC - an unspecified address\n* UNICAST - a unicast address\n* LOCAL - a local address\n* BROADCAST - a broadcast address\n* ANYCAST - an anycast packet\n* MULTICAST - a multicast address\n* BLACKHOLE - a blackhole address\n* UNREACHABLE - an unreachable address\n* PROHIBIT - a prohibited address\n* THROW - undocumented\n* NAT - undocumented\n* XRESOLVE - undocumented\n\nValid values are `UNSPEC`, `UNICAST`, `LOCAL`, `BROADCAST`, `ANYCAST`, `MULTICAST`, `BLACKHOLE`, `UNREACHABLE`, `PROHIBIT`, `THROW`, `NAT`, `XRESOLVE`. \n\nRequires features address_type."
|
57
71
|
},
|
58
72
|
{
|
59
73
|
"name": "src_type",
|
60
|
-
"doc": "
|
74
|
+
"doc": "The source address type. For example:\n\n src_type => 'LOCAL'\n\nCan be one of:\n\n* UNSPEC - an unspecified address\n* UNICAST - a unicast address\n* LOCAL - a local address\n* BROADCAST - a broadcast address\n* ANYCAST - an anycast packet\n* MULTICAST - a multicast address\n* BLACKHOLE - a blackhole address\n* UNREACHABLE - an unreachable address\n* PROHIBIT - a prohibited address\n* THROW - undocumented\n* NAT - undocumented\n* XRESOLVE - undocumented\n\nValid values are `UNSPEC`, `UNICAST`, `LOCAL`, `BROADCAST`, `ANYCAST`, `MULTICAST`, `BLACKHOLE`, `UNREACHABLE`, `PROHIBIT`, `THROW`, `NAT`, `XRESOLVE`. \n\nRequires features address_type."
|
61
75
|
},
|
62
76
|
{
|
63
77
|
"name": "proto",
|
64
|
-
"doc": "
|
78
|
+
"doc": "The specific protocol to match for this rule. By default this is\n*tcp*.\n\nValid values are `tcp`, `udp`, `icmp`, `ipv6-icmp`, `esp`, `ah`, `vrrp`, `igmp`, `ipencap`, `ospf`, `gre`, `all`. "
|
65
79
|
},
|
66
80
|
{
|
67
81
|
"name": "tcp_flags",
|
68
|
-
"doc": " Match when the TCP flags are as specified.\n Is a string with a list of comma-separated flag names for the mask,\n then a space, then a comma-separated list of flags that should be set.\n The flags are: SYN ACK FIN RST URG PSH ALL NONE\n Note that you specify them in the order that iptables --list-rules\n would list them to avoid having puppet think you changed the flags.\n Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the\
|
82
|
+
"doc": " Match when the TCP flags are as specified.\n Is a string with a list of comma-separated flag names for the mask,\n then a space, then a comma-separated list of flags that should be set.\n The flags are: SYN ACK FIN RST URG PSH ALL NONE\n Note that you specify them in the order that iptables --list-rules\n would list them to avoid having puppet think you changed the flags.\n Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the\nACK,RST and FIN bits cleared. Such packets are used to request\n TCP connection initiation.\n\n\n\nRequires features tcp_flags."
|
69
83
|
},
|
70
84
|
{
|
71
85
|
"name": "chain",
|
72
|
-
"doc": "
|
86
|
+
"doc": "Name of the chain to use. Can be one of the built-ins:\n\n* INPUT\n* FORWARD\n* OUTPUT\n* PREROUTING\n* POSTROUTING\n\nOr you can provide a user-based chain.\n\nThe default value is 'INPUT'.\n\nValues can match `/^[a-zA-Z0-9\\-_]+$/`.\n\nRequires features iptables."
|
73
87
|
},
|
74
88
|
{
|
75
89
|
"name": "table",
|
76
|
-
"doc": "
|
90
|
+
"doc": "Table to use. Can be one of:\n\n* nat\n* mangle\n* filter\n* raw\n* rawpost\n\nBy default the setting is 'filter'.\n\nValid values are `nat`, `mangle`, `filter`, `raw`, `rawpost`. \n\nRequires features iptables."
|
77
91
|
},
|
78
92
|
{
|
79
93
|
"name": "jump",
|
80
|
-
"doc": "
|
94
|
+
"doc": "The value for the iptables --jump parameter. Normal values are:\n\n* QUEUE\n* RETURN\n* DNAT\n* SNAT\n* LOG\n* MASQUERADE\n* REDIRECT\n* MARK\n\nBut any valid chain name is allowed.\n\nFor the values ACCEPT, DROP and REJECT you must use the generic\n'action' parameter. This is to enfore the use of generic parameters where\npossible for maximum cross-platform modelling.\n\nIf you set both 'accept' and 'jump' parameters, you will get an error as\nonly one of the options should be set.\n\n\n\nRequires features iptables."
|
81
95
|
},
|
82
96
|
{
|
83
97
|
"name": "iniface",
|
84
|
-
"doc": " Input interface to filter on.\n
|
98
|
+
"doc": " Input interface to filter on.\n\nValues can match `/^[a-zA-Z0-9\\-\\._\\+]+$/`.\n\nRequires features interface_match."
|
85
99
|
},
|
86
100
|
{
|
87
101
|
"name": "outiface",
|
88
|
-
"doc": " Output interface to filter on.\n
|
102
|
+
"doc": " Output interface to filter on.\n\nValues can match `/^[a-zA-Z0-9\\-\\._\\+]+$/`.\n\nRequires features interface_match."
|
89
103
|
},
|
90
104
|
{
|
91
105
|
"name": "tosource",
|
92
|
-
"doc": "
|
106
|
+
"doc": "When using jump => \"SNAT\" you can specify the new source address using\nthis parameter.\n\n\n\nRequires features snat."
|
93
107
|
},
|
94
108
|
{
|
95
109
|
"name": "todest",
|
96
|
-
"doc": "
|
110
|
+
"doc": "When using jump => \"DNAT\" you can specify the new destination address\nusing this paramter.\n\n\n\nRequires features dnat."
|
97
111
|
},
|
98
112
|
{
|
99
113
|
"name": "toports",
|
100
|
-
"doc": " For DNAT this is the port that will replace the destination port.\n
|
114
|
+
"doc": " For DNAT this is the port that will replace the destination port.\n\n\n\nRequires features dnat."
|
115
|
+
},
|
116
|
+
{
|
117
|
+
"name": "random",
|
118
|
+
"doc": "When using a jump value of \"MASQUERADE\", \"DNAT\", \"REDIRECT\", or \"SNAT\"\nthis boolean will enable randomized port mapping.\n\nValid values are `true`, `false`. \n\nRequires features dnat."
|
101
119
|
},
|
102
120
|
{
|
103
121
|
"name": "reject",
|
104
|
-
"doc": "
|
122
|
+
"doc": "When combined with jump => \"REJECT\" you can specify a different icmp\nresponse to be sent back to the packet sender.\n\n\n\nRequires features reject_type."
|
105
123
|
},
|
106
124
|
{
|
107
125
|
"name": "log_level",
|
108
|
-
"doc": "
|
126
|
+
"doc": "When combined with jump => \"LOG\" specifies the system log level to log\nto.\n\n\n\nRequires features log_level."
|
109
127
|
},
|
110
128
|
{
|
111
129
|
"name": "log_prefix",
|
112
|
-
"doc": "
|
130
|
+
"doc": "When combined with jump => \"LOG\" specifies the log prefix to use when\nlogging.\n\n\n\nRequires features log_prefix."
|
113
131
|
},
|
114
132
|
{
|
115
133
|
"name": "icmp",
|
116
|
-
"doc": "
|
134
|
+
"doc": "When matching ICMP packets, this is the type of ICMP packet to match.\n\nA value of \"any\" is not supported. To achieve this behaviour the\nparameter should simply be omitted or undefined.\n\n\n\nRequires features icmp_match."
|
117
135
|
},
|
118
136
|
{
|
119
137
|
"name": "state",
|
120
|
-
"doc": "
|
138
|
+
"doc": "Matches a packet based on its state in the firewall stateful inspection\ntable. Values can be:\n\n* INVALID\n* ESTABLISHED\n* NEW\n* RELATED\n\nValid values are `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`. \n\nRequires features state_match."
|
139
|
+
},
|
140
|
+
{
|
141
|
+
"name": "ctstate",
|
142
|
+
"doc": "Matches a packet based on its state in the firewall stateful inspection\ntable, using the conntrack module. Values can be:\n\n* INVALID\n* ESTABLISHED\n* NEW\n* RELATED\n\nValid values are `INVALID`, `ESTABLISHED`, `NEW`, `RELATED`. \n\nRequires features state_match."
|
143
|
+
},
|
144
|
+
{
|
145
|
+
"name": "hop_limit",
|
146
|
+
"doc": " Hop limiting value for matched packets.\n\nValues can match `/^\\d+$/`.\n\nRequires features hop_limiting."
|
121
147
|
},
|
122
148
|
{
|
123
149
|
"name": "limit",
|
124
|
-
"doc": "
|
150
|
+
"doc": "Rate limiting value for matched packets. The format is:\nrate/[/second/|/minute|/hour|/day].\n\nExample values are: '50/sec', '40/min', '30/hour', '10/day'.\"\n\n\n\nRequires features rate_limiting."
|
125
151
|
},
|
126
152
|
{
|
127
153
|
"name": "burst",
|
128
|
-
"doc": " Rate limiting burst value (per second) before limit checks apply.\n
|
154
|
+
"doc": " Rate limiting burst value (per second) before limit checks apply.\n\nValues can match `/^\\d+$/`.\n\nRequires features rate_limiting."
|
129
155
|
},
|
130
156
|
{
|
131
157
|
"name": "uid",
|
132
|
-
"doc": "
|
158
|
+
"doc": "UID or Username owner matching rule. Accepts a string argument\nonly, as iptables does not accept multiple uid in a single\nstatement.\n\n\n\nRequires features owner."
|
133
159
|
},
|
134
160
|
{
|
135
161
|
"name": "gid",
|
136
|
-
"doc": "
|
162
|
+
"doc": "GID or Group owner matching rule. Accepts a string argument\nonly, as iptables does not accept multiple gid in a single\nstatement.\n\n\n\nRequires features owner."
|
137
163
|
},
|
138
164
|
{
|
139
165
|
"name": "set_mark",
|
140
|
-
"doc": "
|
166
|
+
"doc": "Set the Netfilter mark value associated with the packet. Accepts either of:\nmark/mask or mark. These will be converted to hex if they are not already.\n\n\n\nRequires features mark."
|
141
167
|
},
|
142
168
|
{
|
143
169
|
"name": "pkttype",
|
144
|
-
"doc": " Sets the packet type to match.\n
|
170
|
+
"doc": " Sets the packet type to match.\n\nValid values are `unicast`, `broadcast`, `multicast`. \n\nRequires features pkttype."
|
145
171
|
},
|
146
172
|
{
|
147
173
|
"name": "isfragment",
|
148
|
-
"doc": " Set to true to match tcp fragments (requires type to be set to tcp)\n
|
174
|
+
"doc": " Set to true to match tcp fragments (requires type to be set to tcp)\n\nValid values are `true`, `false`. \n\nRequires features isfragment."
|
175
|
+
},
|
176
|
+
{
|
177
|
+
"name": "recent",
|
178
|
+
"doc": "Enable the recent module. Takes as an argument one of set, update,\nrcheck or remove. For example:\n\n # If anyone's appeared on the 'badguy' blacklist within\n # the last 60 seconds, drop their traffic, and update the timestamp.\n firewall { '100 Drop badguy traffic':\n recent => 'update',\n rseconds => 60,\n rsource => true,\n rname => 'badguy',\n action => 'DROP',\n chain => 'FORWARD',\n }\n # No-one should be sending us traffic on eth0 from localhost\n # Blacklist them\n firewall { '101 blacklist strange traffic':\n recent => 'set',\n rsource => true,\n rname => 'badguy',\n destination => '127.0.0.0/8',\n iniface => 'eth0',\n action => 'DROP',\n chain => 'FORWARD',\n }\n\nValid values are `set`, `update`, `rcheck`, `remove`. \n\nRequires features recent_limiting."
|
179
|
+
},
|
180
|
+
{
|
181
|
+
"name": "rdest",
|
182
|
+
"doc": "Recent module; add the destination IP address to the list.\nMust be boolean true.\n\nValid values are `true`, `false`. \n\nRequires features recent_limiting."
|
183
|
+
},
|
184
|
+
{
|
185
|
+
"name": "rsource",
|
186
|
+
"doc": "Recent module; add the source IP address to the list.\nMust be boolean true.\n\nValid values are `true`, `false`. \n\nRequires features recent_limiting."
|
187
|
+
},
|
188
|
+
{
|
189
|
+
"name": "rname",
|
190
|
+
"doc": " Recent module; The name of the list. Takes a string argument.\n\n\n\nRequires features recent_limiting."
|
191
|
+
},
|
192
|
+
{
|
193
|
+
"name": "rseconds",
|
194
|
+
"doc": "Recent module; used in conjunction with one of `recent => 'rcheck'` or\n`recent => 'update'`. When used, this will narrow the match to only\nhappen when the address is in the list and was seen within the last given\nnumber of seconds.\n\n\n\nRequires features recent_limiting."
|
195
|
+
},
|
196
|
+
{
|
197
|
+
"name": "reap",
|
198
|
+
"doc": "Recent module; can only be used in conjunction with the `rseconds`\nattribute. When used, this will cause entries older than 'seconds' to be\npurged. Must be boolean true.\n\n\n\nRequires features recent_limiting."
|
199
|
+
},
|
200
|
+
{
|
201
|
+
"name": "rhitcount",
|
202
|
+
"doc": "Recent module; used in conjunction with `recent => 'update'` or `recent\n=> 'rcheck'. When used, this will narrow the match to only happen when\nthe address is in the list and packets had been received greater than or\nequal to the given value.\n\n\n\nRequires features recent_limiting."
|
203
|
+
},
|
204
|
+
{
|
205
|
+
"name": "rttl",
|
206
|
+
"doc": "Recent module; may only be used in conjunction with one of `recent =>\n'rcheck'` or `recent => 'update'`. When used, this will narrow the match\nto only happen when the address is in the list and the TTL of the current\npacket matches that of the packet which hit the `recent => 'set'` rule.\nThis may be useful if you have problems with people faking their source\naddress in order to DoS you via this module by disallowing others access\nto your site by sending bogus packets to you. Must be boolean true.\n\nValid values are `true`, `false`. \n\nRequires features recent_limiting."
|
149
207
|
},
|
150
208
|
{
|
151
209
|
"name": "socket",
|
152
|
-
"doc": "
|
210
|
+
"doc": "If true, matches if an open socket can be found by doing a coket lookup\non the packet.\n\nValid values are `true`, `false`. \n\nRequires features socket."
|
211
|
+
},
|
212
|
+
{
|
213
|
+
"name": "ishasmorefrags",
|
214
|
+
"doc": " If true, matches if the packet has it's 'more fragments' bit set. ipv6.\n\nValid values are `true`, `false`. \n\nRequires features ishasmorefrags."
|
215
|
+
},
|
216
|
+
{
|
217
|
+
"name": "islastfrag",
|
218
|
+
"doc": " If true, matches if the packet is the last fragment. ipv6.\n\nValid values are `true`, `false`. \n\nRequires features islastfrag."
|
219
|
+
},
|
220
|
+
{
|
221
|
+
"name": "isfirstfrag",
|
222
|
+
"doc": "If true, matches if the packet is the first fragment.\nSadly cannot be negated. ipv6.\n\nValid values are `true`, `false`. \n\nRequires features isfirstfrag."
|
223
|
+
},
|
224
|
+
{
|
225
|
+
"name": "ipsec_policy",
|
226
|
+
"doc": "\t \t Sets the ipsec policy type\n\nValid values are `none`, `ipsec`. \n\nRequires features ipsec_policy."
|
227
|
+
},
|
228
|
+
{
|
229
|
+
"name": "ipsec_dir",
|
230
|
+
"doc": "\t \t Sets the ipsec policy direction\n\nValid values are `in`, `out`. \n\nRequires features ipsec_dir."
|
153
231
|
}
|
154
232
|
],
|
155
233
|
"parameters": [
|
156
234
|
{
|
157
235
|
"name": "name",
|
158
|
-
"doc": "
|
236
|
+
"doc": "The canonical name of the rule. This name is also used for ordering\nso make sure you prefix the rule with a number:\n\n 000 this runs first\n 999 this runs last\n\nDepending on the provider, the name of the rule can be stored using\nthe comment feature of the underlying firewall subsystem.\n\nValues can match `/^\\d+[[:alpha:][:digit:][:punct:][:space:]]+$/`."
|
159
237
|
},
|
160
238
|
{
|
161
239
|
"name": "line",
|
162
|
-
"doc": " Read-only property for caching the rule line.\n"
|
240
|
+
"doc": " Read-only property for caching the rule line.\n\n"
|
163
241
|
}
|
164
242
|
],
|
165
243
|
"providers": [
|
166
244
|
{
|
167
245
|
"name": "ip6tables",
|
168
|
-
"doc": "Ip6tables type provider\n\
|
246
|
+
"doc": "Ip6tables type provider\n\n* Required binaries: `ip6tables-save`, `ip6tables`.\n* Supported features: `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `state_match`, `tcp_flags`."
|
169
247
|
},
|
170
248
|
{
|
171
249
|
"name": "iptables",
|
172
|
-
"doc": "Iptables type provider\n\
|
250
|
+
"doc": "Iptables type provider\n\n* Required binaries: `iptables-save`, `iptables`.\n* Default for `kernel` == `linux`.\n* Supported features: `address_type`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`."
|
173
251
|
}
|
174
252
|
]
|
175
253
|
},
|
176
254
|
{
|
177
255
|
"name": "firewallchain",
|
178
|
-
"doc": "
|
256
|
+
"doc": "This type provides the capability to manage rule chains for firewalls.\n\nCurrently this supports only iptables, ip6tables and ebtables on Linux. And\nprovides support for setting the default policy on chains and tables that\nallow it.\n\n**Autorequires:**\nIf Puppet is managing the iptables or iptables-persistent packages, and\nthe provider is iptables_chain, the firewall resource will autorequire\nthose packages to ensure that any required binaries are installed.",
|
179
257
|
"properties": [
|
180
258
|
{
|
181
259
|
"name": "ensure",
|
182
|
-
"doc": "The basic property that the resource should be in
|
260
|
+
"doc": "The basic property that the resource should be in.\n\nValid values are `present`, `absent`. "
|
183
261
|
},
|
184
262
|
{
|
185
263
|
"name": "policy",
|
186
|
-
"doc": "
|
264
|
+
"doc": "This is the action to when the end of the chain is reached.\nIt can only be set on inbuilt chains (INPUT, FORWARD, OUTPUT,\nPREROUTING, POSTROUTING) and can be one of:\n\n* accept - the packet is accepted\n* drop - the packet is dropped\n* queue - the packet is passed userspace\n* return - the packet is returned to calling (jump) queue\n or the default of inbuilt chains\n\nValid values are `accept`, `drop`, `queue`, `return`. "
|
187
265
|
}
|
188
266
|
],
|
189
267
|
"parameters": [
|
190
268
|
{
|
191
269
|
"name": "name",
|
192
|
-
"doc": "
|
270
|
+
"doc": "The canonical name of the chain.\n\nFor iptables the format must be {chain}:{table}:{protocol}.\n\n"
|
271
|
+
},
|
272
|
+
{
|
273
|
+
"name": "purge",
|
274
|
+
"doc": " Purge unmanaged firewall rules in this chain\n\nValid values are `false`, `true`. "
|
275
|
+
},
|
276
|
+
{
|
277
|
+
"name": "ignore",
|
278
|
+
"doc": "Regex to perform on firewall rules to exempt unmanaged rules from purging (when enabled).\nThis is matched against the output of `iptables-save`.\n\nThis can be a single regex, or an array of them.\nTo support flags, use the ruby inline flag mechanism.\nMeaning a regex such as\n /foo/i\ncan be written as\n '(?i)foo' or '(?i:foo)'\n\nFull example:\nfirewallchain { 'INPUT:filter:IPv4':\n purge => true,\n ignore => [\n '-j fail2ban-ssh', # ignore the fail2ban jump rule\n '--comment \"[^\"]*(?i:ignore)[^\"]*\"', # ignore any rules with \"ignore\" (case insensitive) in the comment in the rule\n ],\n}\n\n"
|
193
279
|
}
|
194
280
|
],
|
195
281
|
"providers": [
|
196
282
|
{
|
197
283
|
"name": "iptables_chain",
|
198
|
-
"doc": "Iptables chain provider\n\
|
284
|
+
"doc": "Iptables chain provider\n\n* Required binaries: `ebtables-save`, `ebtables`, `ip6tables-save`, `ip6tables`, `iptables-save`, `iptables`.\n* Default for `kernel` == `linux`.\n* Supported features: `iptables_chain`, `policy`."
|
199
285
|
}
|
200
286
|
]
|
201
287
|
}
|
202
288
|
],
|
203
289
|
"checksums": {
|
204
290
|
"CONTRIBUTING.md": "346969b756bc432a2a2fab4307ebb93a",
|
205
|
-
"Changelog": "
|
206
|
-
"Gemfile": "
|
207
|
-
"Gemfile.lock": "
|
291
|
+
"Changelog": "c5dd3154e7017a9b48e0a61c23681648",
|
292
|
+
"Gemfile": "450446f9b88dab151cab2cdf1690b1a6",
|
293
|
+
"Gemfile.lock": "7f852ff968e33f8b6c08f0e6660e151e",
|
208
294
|
"LICENSE": "ade7f2bb88b5b4f034152822222ec314",
|
209
|
-
"Modulefile": "
|
210
|
-
"README.markdown": "
|
211
|
-
"Rakefile": "
|
295
|
+
"Modulefile": "098d56d405b4e949f3bf431942a4ae73",
|
296
|
+
"README.markdown": "2c2661559368753804318e39bbea9fc5",
|
297
|
+
"Rakefile": "f939a830f3e97bea4ebfa5773af890d2",
|
212
298
|
"lib/facter/ip6tables_version.rb": "091123ad703f1706686bca4398c5b06f",
|
213
299
|
"lib/facter/iptables_persistent_version.rb": "b7a47827cd3d3bb1acbd526a31da3acb",
|
214
300
|
"lib/facter/iptables_version.rb": "facbd760223f236538b731c1d1f6cf8f",
|
215
|
-
"lib/puppet/provider/firewall/ip6tables.rb": "
|
216
|
-
"lib/puppet/provider/firewall/iptables.rb": "
|
301
|
+
"lib/puppet/provider/firewall/ip6tables.rb": "5ad995b85053fba4576aca96e6d0dc9d",
|
302
|
+
"lib/puppet/provider/firewall/iptables.rb": "74c89e3b2032478d8ba793cb75096b07",
|
217
303
|
"lib/puppet/provider/firewall.rb": "32d2f5e5dcc082986b82ef26a119038b",
|
218
|
-
"lib/puppet/provider/firewallchain/iptables_chain.rb": "
|
219
|
-
"lib/puppet/type/firewall.rb": "
|
220
|
-
"lib/puppet/type/firewallchain.rb": "
|
221
|
-
"lib/puppet/util/firewall.rb": "
|
304
|
+
"lib/puppet/provider/firewallchain/iptables_chain.rb": "194bde3d3992a37aa7d76e431d251178",
|
305
|
+
"lib/puppet/type/firewall.rb": "1c37cfa054b0640aa4febfdc76c402c8",
|
306
|
+
"lib/puppet/type/firewallchain.rb": "548676cc7da53598eb24268ebac38a0d",
|
307
|
+
"lib/puppet/util/firewall.rb": "1200b76a24e3d7bc1520e39005e6848e",
|
222
308
|
"lib/puppet/util/ipcidr.rb": "e1160dfd6e73fc5ef2bb8abc291f6fd5",
|
223
309
|
"manifests/init.pp": "ba3e697f00fc3d4e7e5b9c7fdbc6a89d",
|
224
310
|
"manifests/linux/archlinux.pp": "1257fe335ecafa0629b285dc8621cf75",
|
225
311
|
"manifests/linux/debian.pp": "626f0fd23f2f451ca14e2b7f690675fe",
|
226
312
|
"manifests/linux/redhat.pp": "44ce25057ae8d814465260767b39c414",
|
227
313
|
"manifests/linux.pp": "7380519131fa8daae0ef45f9a162aff7",
|
228
|
-
"spec/
|
314
|
+
"spec/acceptance/basic_spec.rb": "9c19898ff3922fe12eec3d7276d46543",
|
315
|
+
"spec/acceptance/change_source_spec.rb": "0be26a6f0f3550e8b12049fe6c21ae35",
|
316
|
+
"spec/acceptance/class_spec.rb": "43e3c4d143cb01df17425aff51e6a164",
|
317
|
+
"spec/acceptance/firewall_spec.rb": "de2d52e24052c2d71da2c960b39a6671",
|
318
|
+
"spec/acceptance/firewallchain_spec.rb": "9a7128911aa17cfeed5fa5c8062138d9",
|
319
|
+
"spec/acceptance/ip6_fragment_spec.rb": "3b5e3a751e82f5771ec560174beb5d24",
|
320
|
+
"spec/acceptance/isfragment_spec.rb": "d4e986141f671cc59a05b6fb91a04a9e",
|
321
|
+
"spec/acceptance/nodesets/centos-59-x64.yml": "879c50ab100b927bdbbc130f23baaff7",
|
322
|
+
"spec/acceptance/nodesets/centos-64-x64-fusion.yml": "f5da18ffa623c6a13d9f48521b1bfa39",
|
323
|
+
"spec/acceptance/nodesets/centos-64-x64-pe.yml": "ec075d95760df3d4702abea1ce0a829b",
|
324
|
+
"spec/acceptance/nodesets/centos-64-x64.yml": "092dd2c588a9f87fa1fb12997c0723ef",
|
325
|
+
"spec/acceptance/nodesets/debian-607-x64.yml": "d566bf76f534e2af7c9a4605316d232c",
|
326
|
+
"spec/acceptance/nodesets/debian-70rc1-x64.yml": "31ccca73af7b74e1cc2fb0035c230b2c",
|
327
|
+
"spec/acceptance/nodesets/default.yml": "092dd2c588a9f87fa1fb12997c0723ef",
|
328
|
+
"spec/acceptance/nodesets/fedora-18-x64.yml": "acc126fa764c39a3b1df36e9224a21d9",
|
329
|
+
"spec/acceptance/nodesets/sles-11sp1-x64.yml": "fa0046bd89c1ab4ba9521ad79db234cd",
|
330
|
+
"spec/acceptance/nodesets/ubuntu-server-10044-x64.yml": "dc0da2d2449f66c8fdae16593811504f",
|
331
|
+
"spec/acceptance/nodesets/ubuntu-server-12042-x64.yml": "d30d73e34cd50b043c7d14e305955269",
|
332
|
+
"spec/acceptance/params_spec.rb": "8c2719621c3c352e78417d966f971b9a",
|
333
|
+
"spec/acceptance/purge_spec.rb": "dc9f999d810f5e069c1ca6287aa1b2a2",
|
334
|
+
"spec/acceptance/resource_cmd_spec.rb": "b3d0aa09125e13b0d0bf56d0faa437e2",
|
335
|
+
"spec/acceptance/rules_spec.rb": "4bb277a8121c33ea34fad8e900ba8ba9",
|
336
|
+
"spec/acceptance/socket_spec.rb": "ddb67978e37956f42f56535f6312f0a4",
|
337
|
+
"spec/acceptance/standard_usage_spec.rb": "66d7bae5a3dd4b595c1aa236c1a7b8b0",
|
338
|
+
"spec/fixtures/ip6tables/conversion_hash.rb": "0d88a4226fdf28dd55e30f7e6d4a1cb7",
|
339
|
+
"spec/fixtures/iptables/conversion_hash.rb": "4875f7b75948746063c8be8d8af05fa8",
|
229
340
|
"spec/spec_helper.rb": "faae8467928b93bd251a1a66e1eedbe5",
|
230
|
-
"spec/
|
231
|
-
"spec/system/basic_spec.rb": "34a22dedba01b8239024137bda8ab3f8",
|
232
|
-
"spec/system/class_spec.rb": "04d89039312c3b9293dbb680878101c6",
|
233
|
-
"spec/system/params_spec.rb": "f982f9eb6ecc8d6782b9267b59d321bf",
|
234
|
-
"spec/system/purge_spec.rb": "a336e8a20d4c330606bf5955799a7e35",
|
235
|
-
"spec/system/resource_cmd_spec.rb": "f991d2b7a3e2eb6d28471534cd38b0c8",
|
236
|
-
"spec/system/standard_usage_spec.rb": "f80f86703843775ac14635464e9f7549",
|
341
|
+
"spec/spec_helper_acceptance.rb": "b456214a7299e8cdc9c3c488cf49f398",
|
237
342
|
"spec/unit/classes/firewall_linux_archlinux_spec.rb": "1c600a9852ec328b14cb15b0630ed5ff",
|
238
343
|
"spec/unit/classes/firewall_linux_debian_spec.rb": "6334936fb16223cf15f637083c67850e",
|
239
344
|
"spec/unit/classes/firewall_linux_redhat_spec.rb": "f41b21caf6948f3ac08f42c1bc59ba1b",
|
240
345
|
"spec/unit/classes/firewall_linux_spec.rb": "b934ab4e0a806f29bfdabd2369e41d0e",
|
241
|
-
"spec/unit/classes/firewall_spec.rb": "
|
242
|
-
"spec/unit/facter/iptables_persistent_version_spec.rb": "
|
243
|
-
"spec/unit/facter/iptables_spec.rb": "
|
244
|
-
"spec/unit/puppet/provider/iptables_chain_spec.rb": "
|
245
|
-
"spec/unit/puppet/provider/iptables_spec.rb": "
|
246
|
-
"spec/unit/puppet/type/firewall_spec.rb": "
|
247
|
-
"spec/unit/puppet/type/firewallchain_spec.rb": "
|
248
|
-
"spec/unit/puppet/util/firewall_spec.rb": "
|
346
|
+
"spec/unit/classes/firewall_spec.rb": "65e27f1c85066641d65d52c35c1d46cf",
|
347
|
+
"spec/unit/facter/iptables_persistent_version_spec.rb": "e08c68b6400c51735a3ac1cc4acf2d15",
|
348
|
+
"spec/unit/facter/iptables_spec.rb": "5265be1e6ec652184de8b314ae396d1a",
|
349
|
+
"spec/unit/puppet/provider/iptables_chain_spec.rb": "5b5dbc4cea409f6f40ef3f18e46fa270",
|
350
|
+
"spec/unit/puppet/provider/iptables_spec.rb": "3b922db8c897ed158da202e71105de82",
|
351
|
+
"spec/unit/puppet/type/firewall_spec.rb": "a57dc53289de01f80611292f5367b4ae",
|
352
|
+
"spec/unit/puppet/type/firewallchain_spec.rb": "ea82405b12b9c0069a6b38a48a6a544a",
|
353
|
+
"spec/unit/puppet/util/firewall_spec.rb": "fc2679265def001f3531817c1f34d4b9",
|
249
354
|
"spec/unit/puppet/util/ipcidr_spec.rb": "1a6eeb2dd7c9634fcfb60d8ead6e1d79"
|
250
355
|
}
|
251
356
|
}
|
@@ -0,0 +1,8 @@
|
|
1
|
+
require 'spec_helper_acceptance'
|
2
|
+
|
3
|
+
# Here we put the more basic fundamental tests, ultra obvious stuff.
|
4
|
+
describe "basic tests:" do
|
5
|
+
it 'make sure we have copied the module across' do
|
6
|
+
shell('ls /etc/puppet/modules/firewall/Modulefile', {:acceptable_exit_codes => 0})
|
7
|
+
end
|
8
|
+
end
|