freighthop 0.3.3 → 0.4.0

data/modules/firewall/Changelog

@@ -4,6 +4,44 @@ Release notes for puppetlabs-firewall module.
 
 ---------------------------------------
 
+#### 1.0.0 - 2014-02-11
+
+No changes, just renumbering to 1.0.0.
+
+#### 0.5.0 - 2014-02-10
+
+##### Summary:
+This is a bigger release that brings in "recent" connection limiting (think
+"port knocking"), firewall chain purging on a per-chain/per-table basis, and
+support for a few other use cases. This release also fixes a major bug which
+could cause modifications to the wrong rules when unmanaged rules are present.
+
+##### New Features:
+* Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`,
+  `rname`, `rseconds`, `rsource`, and `rttl`
+* Add negation support for source and destination
+* Add per-chain/table purging support to `firewallchain`
+* IPv4 specific
+  * Add random port forwarding support
+  * Add ipsec policy matching via `ipsec_dir` and `ipsec_policy`
+* IPv6 specific
+  * Add support for hop limiting via `hop_limit` parameter
+  * Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag`
+  * Add support for conntrack stateful firewall matching via `ctstate`
+
+##### Bugfixes:
+- Boolean fixups allowing false values
+- Better detection of unmanaged rules
+- Fix multiport rule detection
+- Fix sport/dport rule detection
+- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
+- Allow INPUT with the nat table
+- Fix `src_range` & `dst_range` order detection
+- Documentation clarifications
+- Fixes to spec tests
+
+---------------------------------------
+
 #### 0.4.2 - 2013-09-10
 
 Another attempt to fix the packaging issue.  We think we understand exactly

data/modules/firewall/Gemfile

@@ -2,8 +2,11 @@ source 'https://rubygems.org'
 
 group :development, :test do
   gem 'puppetlabs_spec_helper', :require => false
-  gem 'rspec-system-puppet', '~>2.0'
-  gem 'puppet-lint'
+  gem 'rspec-puppet',           :require => false
+  gem 'serverspec',             :require => false
+  gem 'beaker-rspec',           :require => false
+  gem 'puppet-lint',            :require => false
+  gem 'pry',                    :require => false
 end
 
 if puppetversion = ENV['PUPPET_GEM_VERSION']

data/modules/firewall/Gemfile.lock

@@ -1,21 +1,67 @@
 GEM
   remote: https://rubygems.org/
   specs:
+    CFPropertyList (2.2.6)
+    beaker (1.6.2)
+      blimpy (~> 0.6)
+      fission (~> 0.4)
+      inifile (~> 2.0)
+      json (~> 1.8)
+      mime-types (~> 1.25)
+      net-scp (~> 1.1)
+      net-ssh (~> 2.6)
+      nokogiri (= 1.5.10)
+      rbvmomi (= 1.8.1)
+      unf (~> 0.1)
+    beaker-rspec (2.1.1)
+      beaker (~> 1.3)
+      rspec (~> 2.14)
+      serverspec (~> 0.14)
+      specinfra (~> 0.3)
+    blimpy (0.6.7)
+      fog
+      minitar
+      thor
     builder (3.2.2)
-    diff-lcs (1.2.4)
-    facter (1.7.2)
-    hiera (1.2.1)
+    coderay (1.1.0)
+    diff-lcs (1.2.5)
+    excon (0.31.0)
+    facter (1.7.4)
+    fission (0.5.0)
+      CFPropertyList (~> 2.2)
+    fog (1.19.0)
+      builder
+      excon (~> 0.31.0)
+      formatador (~> 0.2.0)
+      mime-types
+      multi_json (~> 1.0)
+      net-scp (~> 1.1)
+      net-ssh (>= 2.1.3)
+      nokogiri (~> 1.5)
+      ruby-hmac
+    formatador (0.2.4)
+    hiera (1.3.0)
       json_pure
-    json_pure (1.8.0)
-    kwalify (0.7.2)
+    highline (1.6.20)
+    inifile (2.0.2)
+    json (1.8.1)
+    json_pure (1.8.1)
     metaclass (0.0.1)
+    method_source (0.8.2)
+    mime-types (1.25.1)
+    minitar (0.5.4)
     mocha (0.14.0)
       metaclass (~> 0.0.1)
+    multi_json (1.8.4)
     net-scp (1.1.2)
       net-ssh (>= 2.6.5)
-    net-ssh (2.6.8)
+    net-ssh (2.8.0)
     nokogiri (1.5.10)
-    puppet (3.2.3)
+    pry (0.9.12.6)
+      coderay (~> 1.0)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    puppet (3.4.0)
       facter (~> 1.6)
       hiera (~> 1.0)
       rgen (~> 0.6.5)
@@ -25,40 +71,44 @@ GEM
       rake
       rspec (>= 2.9.0)
       rspec-puppet (>= 0.1.1)
-    rake (10.1.0)
-    rbvmomi (1.6.0)
+    rake (10.1.1)
+    rbvmomi (1.8.1)
       builder
       nokogiri (>= 1.4.1)
       trollop
-    rgen (0.6.5)
+    rgen (0.6.6)
     rspec (2.14.1)
       rspec-core (~> 2.14.0)
       rspec-expectations (~> 2.14.0)
       rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.5)
-    rspec-expectations (2.14.1)
+    rspec-core (2.14.7)
+    rspec-expectations (2.14.4)
       diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.3)
-    rspec-puppet (0.1.6)
+    rspec-mocks (2.14.4)
+    rspec-puppet (1.0.1)
       rspec
-    rspec-system (2.2.0)
-      kwalify (~> 0.7.2)
-      net-scp (~> 1.1)
-      net-ssh (~> 2.6)
-      nokogiri (~> 1.5.9)
-      rbvmomi (~> 1.6)
-      rspec (~> 2.13)
-      systemu (~> 2.5)
-    rspec-system-puppet (2.1.0)
-      rspec-system (~> 2.0)
-    systemu (2.5.2)
+    ruby-hmac (0.4.0)
+    serverspec (0.15.2)
+      highline
+      net-ssh
+      rspec (>= 2.13.0)
+      specinfra (>= 0.5.6)
+    slop (3.4.7)
+    specinfra (0.5.7)
+    thor (0.18.1)
     trollop (2.0)
+    unf (0.1.3)
+      unf_ext
+    unf_ext (0.0.6)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  beaker-rspec
+  pry
   puppet
   puppet-lint
   puppetlabs_spec_helper
-  rspec-system-puppet (~> 2.0)
+  rspec-puppet
+  serverspec

data/modules/firewall/Modulefile

@@ -1,5 +1,5 @@
 name 'puppetlabs-firewall'
-version '0.4.2'
+version '1.0.0'
 source 'git://github.com/puppetlabs/puppetlabs-firewall.git'
 author 'puppetlabs'
 license 'ASL 2.0'

data/modules/firewall/README.markdown

@@ -92,7 +92,7 @@ The `pre` class should be located in `my_fw/manifests/pre.pp` and should contain
       }->
       firewall { '002 accept related established rules':
         proto   => 'all',
-        state   => ['RELATED', 'ESTABLISHED'],
+        ctstate => ['RELATED', 'ESTABLISHED'],
         action  => 'accept',
       }
     }
@@ -109,7 +109,7 @@ The `post` class should be located in `my_fw/manifests/post.pp` and include any
       }
     }
 
-To put it all together: the `before` parameter in `Firewall {}` ensures `my_fw::post` is run before any other rules and the the `require` parameter ensures `my_fw::pre` is run after any other rules. So the run order is:
+To put it all together: the `require` parameter in `Firewall {}` ensures `my_fw::pre` is run before any other rules and the `before` parameter ensures `my_fw::post` is run after any other rules. So the run order is:
 
 * run the rules in `my_fw::pre`
 * run your rules (defined in code)
@@ -197,24 +197,56 @@ Drop all:
 
 ###Application-specific rules
 
-Application-specific rules can live anywhere you declare the firewall resource. It is best to put your firewall rules close to the service that needs it, such as in the module that configures it.
+Puppet doesn't care where you define rules, and this means that you can place
+your firewall resources as close to the applications and services that you
+manage as you wish.  If you use the [roles and profiles
+pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it
+would make sense to create your firewall rules in the profiles, so that they
+remain close to the services managed by the profile.
 
-You should be able to add firewall rules to your application-specific classes so firewalling is performed at the same time when the class is invoked.
+An example of this might be:
 
-For example, if you have an Apache module, you could declare the class as below
+```puppet
+class profile::apache {
+  include apache
+  apache::vhost { 'mysite': ensure => present }
 
-    class apache {
-      firewall { '100 allow http and https access':
-        port   => [80, 443],
-        proto  => tcp,
-        action => accept,
-      }
-      # ... the rest of your code ...
-    }
+  firewall { '100 allow http and https access':
+    port   => [80, 443],
+    proto  => tcp,
+    action => accept,
+  }
+}
+```
+
+
+However, if you're not using that pattern then you can place them directly into
+the individual module that manages a service, such as:
+
+```puppet
+class apache {
+  firewall { '100 allow http and https access':
+    port   => [80, 443],
+    proto  => tcp,
+    action => accept,
+  }
+  # ... the rest of your code ...
+}
+```
+
+This means if someone includes either the profile:
+
+```puppet
+include profile::apache
+```
+
+Or the module, if you're not using roles and profiles:
 
-When someone uses the class, firewalling is provided automatically.
+```puppet
+  include ::apache
+```
 
-    class { 'apache': }
+Then they would automatically get appropriate firewall rules.
 
 ###Other rules
 

data/modules/firewall/Rakefile

@@ -1,11 +1,4 @@
-require 'rubygems'
-require 'bundler/setup'
-
-Bundler.require :default
-
-require 'rspec/core/rake_task'
 require 'puppetlabs_spec_helper/rake_tasks'
-require 'rspec-system/rake_task'
 
 require 'puppet-lint/tasks/puppet-lint'
 PuppetLint.configuration.ignore_paths = ['vendor/**/*.pp']

data/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb

@@ -2,7 +2,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
   @doc = "Ip6tables type provider"
 
   has_feature :iptables
+  has_feature :hop_limiting
   has_feature :rate_limiting
+  has_feature :recent_limiting
   has_feature :snat
   has_feature :dnat
   has_feature :interface_match
@@ -15,6 +17,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
   has_feature :mark
   has_feature :tcp_flags
   has_feature :pkttype
+  has_feature :ishasmorefrags
+  has_feature :islastfrag
+  has_feature :isfirstfrag
 
   optional_commands({
     :ip6tables      => 'ip6tables',
@@ -33,12 +38,14 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 
   @resource_map = {
     :burst => "--limit-burst",
+    :ctstate => "-m conntrack --ctstate",
     :destination => "-d",
     :dport => "-m multiport --dports",
     :gid => "-m owner --gid-owner",
     :icmp => "-m icmp6 --icmpv6-type",
     :iniface => "-i",
     :jump => "-j",
+    :hop_limit => "-m hl --hl-eq",
     :limit => "-m limit --limit",
     :log_level => "--log-level",
     :log_prefix => "--log-prefix",
@@ -46,7 +53,15 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
     :outiface => "-o",
     :port => '-m multiport --ports',
     :proto => "-p",
+    :rdest => "--rdest",
+    :reap => "--reap",
+    :recent => "-m recent",
     :reject => "--reject-with",
+    :rhitcount => "--hitcount",
+    :rname => "--name",
+    :rseconds => "--seconds",
+    :rsource => "--rsource",
+    :rttl => "--rttl",
     :source => "-s",
     :state => "-m state --state",
     :sport => "-m multiport --sports",
@@ -55,17 +70,40 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
     :toports => "--to-ports",
     :tosource => "--to-source",
     :uid => "-m owner --uid-owner",
-    :pkttype => "-m pkttype --pkt-type"
+    :pkttype => "-m pkttype --pkt-type",
+    :ishasmorefrags => "-m frag --fragid 0 --fragmore",
+    :islastfrag => "-m frag --fragid 0 --fraglast",
+    :isfirstfrag => "-m frag --fragid 0 --fragfirst",
   }
 
+  # These are known booleans that do not take a value, but we want to munge
+  # to true if they exist.
+  @known_booleans = [:ishasmorefrags, :islastfrag, :isfirstfrag, :rsource, :rdest, :reap, :rttl]
+
   # Create property methods dynamically
   (@resource_map.keys << :chain << :table << :action).each do |property|
-    define_method "#{property}" do
-      @property_hash[property.to_sym]
+    if @known_booleans.include?(property) then
+      # The boolean properties default to '' which should be read as false
+      define_method "#{property}" do
+        @property_hash[property] = :false if @property_hash[property] == nil
+        @property_hash[property.to_sym]
+      end
+    else
+      define_method "#{property}" do
+        @property_hash[property.to_sym]
+      end
     end
 
-    define_method "#{property}=" do |value|
-      @property_hash[:needs_change] = true
+    if property == :chain
+      define_method "#{property}=" do |value|
+        if @property_hash[:chain] != value
+          raise ArgumentError, "Modifying the chain for existing rules is not supported."
+        end
+      end
+    else
+      define_method "#{property}=" do |value|
+        @property_hash[:needs_change] = true
+      end
     end
   end
 
@@ -73,8 +111,13 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
   # we need it to properly parse and apply rules, if the order of resource
   # changes between puppet runs, the changed rules will be re-applied again.
   # This order can be determined by going through iptables source code or just tweaking and trying manually
+  # (Note: on my CentOS 6.4 ip6tables-save returns -m frag on the place
+  # I put it when calling the command. So compability with manual changes
+  # not provided with current parser [georg.koester])
   @resource_list = [:table, :source, :destination, :iniface, :outiface,
-    :proto, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :icmp, :limit, :burst, :jump,
-    :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
+    :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport,
+    :port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
+    :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
+    :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
 
 end