freighthop 0.3.3 → 0.4.0
- checksums.yaml +7 -0
- data/Puppetfile +1 -1
- data/Puppetfile.lock +4 -5
- data/README.md +18 -7
- data/Vagrantfile +4 -0
- data/lib/freighthop/cli/help.rb +1 -0
- data/lib/freighthop/cli/init.rb +10 -10
- data/lib/freighthop/cli/version.rb +17 -0
- data/lib/freighthop/cli.rb +3 -1
- data/lib/freighthop/version.rb +1 -1
- data/lib/freighthop.rb +4 -0
- data/modules/apt/CHANGELOG +2 -36
- data/modules/apt/Gemfile +5 -6
- data/modules/apt/Gemfile.lock +7 -40
- data/modules/apt/Modulefile +1 -1
- data/modules/apt/README.md +1 -2
- data/modules/apt/Rakefile +0 -1
- data/modules/apt/manifests/init.pp +2 -5
- data/modules/apt/manifests/params.pp +1 -4
- data/modules/apt/manifests/pin.pp +1 -1
- data/modules/apt/manifests/ppa.pp +10 -24
- data/modules/apt/manifests/update.pp +0 -1
- data/modules/apt/metadata.json +19 -32
- data/modules/apt/spec/defines/ppa_spec.rb +2 -53
- data/modules/apt/spec/defines/source_spec.rb +2 -2
- data/modules/apt/templates/source.list.erb +2 -2
- data/modules/apt/tests/key.pp +3 -3
- data/modules/concat/CHANGELOG +73 -0
- data/modules/concat/Gemfile +20 -0
- data/modules/concat/Gemfile.lock +104 -0
- data/modules/concat/Modulefile +7 -6
- data/modules/concat/README.md +440 -0
- data/modules/concat/Rakefile +5 -1
- data/modules/concat/files/concatfragments.rb +137 -0
- data/modules/concat/files/concatfragments.sh +15 -4
- data/modules/concat/lib/facter/concat_basedir.rb +9 -3
- data/modules/concat/manifests/fragment.pp +108 -48
- data/modules/concat/manifests/init.pp +191 -210
- data/modules/concat/manifests/setup.pp +31 -31
- data/modules/concat/metadata.json +40 -21
- data/modules/{apt → concat}/spec/spec_helper_system.rb +11 -6
- data/modules/{firewall → concat}/spec/system/basic_spec.rb +1 -1
- data/modules/concat/spec/system/concat_spec.rb +154 -0
- data/modules/concat/spec/system/deprecation_warnings_spec.rb +247 -0
- data/modules/concat/spec/system/empty_spec.rb +27 -0
- data/modules/concat/spec/system/fragment_source_spec.rb +142 -0
- data/modules/concat/spec/system/replace_spec.rb +257 -0
- data/modules/concat/spec/system/symbolic_name_spec.rb +35 -0
- data/modules/concat/spec/system/warn_spec.rb +106 -0
- data/modules/concat/spec/unit/classes/concat_setup_spec.rb +42 -0
- data/modules/concat/spec/unit/defines/concat_fragment_spec.rb +267 -0
- data/modules/concat/spec/unit/defines/concat_spec.rb +380 -0
- data/modules/concat/spec/unit/facts/concat_basedir_spec.rb +18 -0
- data/modules/concat/tests/fragment.pp +19 -0
- data/modules/concat/tests/init.pp +7 -0
- data/modules/firewall/Changelog +38 -0
- data/modules/firewall/Gemfile +5 -2
- data/modules/firewall/Gemfile.lock +76 -26
- data/modules/firewall/Modulefile +1 -1
- data/modules/firewall/README.markdown +47 -15
- data/modules/firewall/Rakefile +0 -7
- data/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb +50 -7
- data/modules/firewall/lib/puppet/provider/firewall/iptables.rb +147 -31
- data/modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb +19 -8
- data/modules/firewall/lib/puppet/type/firewall.rb +207 -3
- data/modules/firewall/lib/puppet/type/firewallchain.rb +73 -2
- data/modules/firewall/lib/puppet/util/firewall.rb +14 -0
- data/modules/firewall/metadata.json +181 -76
- data/modules/firewall/spec/acceptance/basic_spec.rb +8 -0
- data/modules/firewall/spec/acceptance/change_source_spec.rb +77 -0
- data/modules/firewall/spec/acceptance/class_spec.rb +27 -0
- data/modules/firewall/spec/acceptance/firewall_spec.rb +1608 -0
- data/modules/firewall/spec/acceptance/firewallchain_spec.rb +125 -0
- data/modules/firewall/spec/acceptance/ip6_fragment_spec.rb +94 -0
- data/modules/firewall/spec/acceptance/isfragment_spec.rb +92 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-fusion.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-70rc1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/fedora-18-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/sles-11sp1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/firewall/spec/{system → acceptance}/params_spec.rb +44 -52
- data/modules/firewall/spec/acceptance/purge_spec.rb +124 -0
- data/modules/firewall/spec/acceptance/resource_cmd_spec.rb +93 -0
- data/modules/firewall/spec/acceptance/rules_spec.rb +248 -0
- data/modules/firewall/spec/acceptance/socket_spec.rb +96 -0
- data/modules/firewall/spec/{system → acceptance}/standard_usage_spec.rb +6 -10
- data/modules/firewall/spec/fixtures/ip6tables/conversion_hash.rb +107 -0
- data/modules/firewall/spec/fixtures/iptables/conversion_hash.rb +56 -2
- data/modules/firewall/spec/spec_helper_acceptance.rb +38 -0
- data/modules/firewall/spec/unit/classes/firewall_spec.rb +2 -2
- data/modules/firewall/spec/unit/facter/iptables_persistent_version_spec.rb +8 -5
- data/modules/firewall/spec/unit/facter/iptables_spec.rb +6 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_chain_spec.rb +14 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_spec.rb +246 -5
- data/modules/firewall/spec/unit/puppet/type/firewall_spec.rb +99 -8
- data/modules/firewall/spec/unit/puppet/type/firewallchain_spec.rb +50 -6
- data/modules/firewall/spec/unit/puppet/util/firewall_spec.rb +21 -0
- data/modules/mysql/CHANGELOG +0 -30
- data/modules/mysql/Gemfile +0 -1
- data/modules/mysql/Gemfile.lock +30 -31
- data/modules/mysql/Modulefile +1 -1
- data/modules/mysql/README.md +2 -49
- data/modules/mysql/files/mysqltuner.pl +1 -1
- data/modules/mysql/lib/puppet/provider/database/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_grant/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_user/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/mysql.rb +1 -2
- data/modules/mysql/lib/puppet/provider/mysql_database/mysql.rb +13 -2
- data/modules/mysql/lib/puppet/provider/mysql_user/mysql.rb +12 -0
- data/modules/mysql/lib/puppet/type/database_user.rb +1 -1
- data/modules/mysql/lib/puppet/type/mysql_grant.rb +3 -5
- data/modules/mysql/manifests/client.pp +0 -7
- data/modules/mysql/manifests/server/root_password.pp +0 -2
- data/modules/mysql/manifests/server.pp +0 -6
- data/modules/mysql/metadata.json +79 -81
- data/modules/mysql/spec/classes/mysql_server_spec.rb +0 -74
- data/modules/mysql/spec/system/mysql_server_root_password_spec.rb +1 -7
- data/modules/mysql/spec/system/mysql_server_spec.rb +3 -6
- data/modules/mysql/spec/system/types/mysql_grant_spec.rb +0 -27
- data/modules/mysql/spec/unit/puppet/functions/mysql_deepmerge_spec.rb +1 -1
- data/modules/mysql/spec/unit/puppet/provider/database/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/database_grant/mysql_spec.rb +15 -15
- data/modules/mysql/spec/unit/puppet/provider/database_user/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/mysql_database/mysql_spec.rb +3 -3
- data/modules/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb +3 -3
- data/modules/mysql/templates/my.cnf.erb +2 -4
- data/modules/mysql/tests/mysql_grant.pp +1 -1
- data/modules/postgresql/Changelog +31 -0
- data/modules/postgresql/Gemfile +4 -2
- data/modules/postgresql/Modulefile +1 -1
- data/modules/postgresql/README.md +10 -4
- data/modules/postgresql/Rakefile +0 -1
- data/modules/postgresql/lib/puppet/provider/postgresql_psql/ruby.rb +25 -3
- data/modules/postgresql/manifests/globals.pp +2 -0
- data/modules/postgresql/manifests/params.pp +21 -0
- data/modules/postgresql/manifests/server/config.pp +0 -5
- data/modules/postgresql/manifests/server/config_entry.pp +1 -1
- data/modules/postgresql/manifests/server/database.pp +2 -1
- data/modules/postgresql/manifests/server/db.pp +2 -0
- data/modules/postgresql/manifests/server/grant.pp +20 -16
- data/modules/postgresql/manifests/server/initdb.pp +27 -3
- data/modules/postgresql/manifests/server/pg_hba_rule.pp +2 -4
- data/modules/postgresql/manifests/server/role.pp +8 -2
- data/modules/postgresql/manifests/server/service.pp +5 -0
- data/modules/postgresql/manifests/server.pp +2 -0
- data/modules/postgresql/metadata.json +88 -65
- data/modules/postgresql/spec/acceptance/client_spec.rb +18 -0
- data/modules/postgresql/spec/{system → acceptance}/common_patterns_spec.rb +8 -14
- data/modules/postgresql/spec/{system → acceptance}/contrib_spec.rb +4 -9
- data/modules/postgresql/spec/acceptance/lib/devel_spec.rb +17 -0
- data/modules/postgresql/spec/acceptance/lib/java_spec.rb +20 -0
- data/modules/postgresql/spec/acceptance/lib/python_spec.rb +19 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-510-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-73-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/postgresql/spec/{system → acceptance}/postgresql_psql_spec.rb +6 -14
- data/modules/postgresql/spec/{system → acceptance}/server/config_entry_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/db_spec.rb +47 -42
- data/modules/postgresql/spec/{system → acceptance}/server/grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/pg_hba_rule_spec.rb +10 -23
- data/modules/postgresql/spec/{system → acceptance}/server/plperl_spec.rb +6 -10
- data/modules/postgresql/spec/{system → acceptance}/server/role_spec.rb +13 -28
- data/modules/postgresql/spec/acceptance/server/table_grant_spec.rb +124 -0
- data/modules/postgresql/spec/{system → acceptance}/server/tablespace_spec.rb +8 -22
- data/modules/postgresql/spec/{system → acceptance}/server_spec.rb +38 -61
- data/modules/postgresql/spec/{system → acceptance}/validate_db_connection_spec.rb +8 -20
- data/modules/postgresql/spec/spec_helper_acceptance.rb +70 -0
- data/modules/postgresql/spec/unit/classes/globals_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/lib/devel_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/params_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/repo_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/server/initdb_spec.rb +2 -1
- data/modules/postgresql/spec/unit/classes/server/plperl_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/server_spec.rb +9 -2
- data/modules/postgresql/spec/unit/puppet/provider/postgresql_psql/ruby_spec.rb +15 -17
- data/modules/rbenv/bin/autospec +0 -0
- data/modules/rbenv/bin/facter +0 -0
- data/modules/rbenv/bin/filebucket +0 -0
- data/modules/rbenv/bin/hiera +0 -0
- data/modules/rbenv/bin/htmldiff +0 -0
- data/modules/rbenv/bin/ldiff +0 -0
- data/modules/rbenv/bin/pi +0 -0
- data/modules/rbenv/bin/puppet +0 -0
- data/modules/rbenv/bin/puppet-lint +0 -0
- data/modules/rbenv/bin/puppet-module +0 -0
- data/modules/rbenv/bin/puppetca +0 -0
- data/modules/rbenv/bin/puppetd +0 -0
- data/modules/rbenv/bin/puppetdoc +0 -0
- data/modules/rbenv/bin/puppetmasterd +0 -0
- data/modules/rbenv/bin/puppetqd +0 -0
- data/modules/rbenv/bin/puppetrun +0 -0
- data/modules/rbenv/bin/rake +0 -0
- data/modules/rbenv/bin/ralsh +0 -0
- data/modules/rbenv/bin/rspec +0 -0
- data/modules/rbenv/bin/rspec-puppet-init +0 -0
- data/modules/stdlib/spec/monkey_patches/alias_should_to_must.rb +0 -0
- data/modules/stdlib/spec/monkey_patches/publicize_methods.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/abs_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/bool2num_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/capitalize_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chomp_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chop_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_at_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/dirname_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/downcase_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/empty_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/flatten_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/grep_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_interface_with_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_address_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_network_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/max_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/min_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/reject_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/to_bytes_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/validate_slength_spec.rb +0 -0
- metadata +92 -77
- data/modules/apt/manifests/unattended_upgrades.pp +0 -68
- data/modules/apt/spec/classes/unattended_upgrades_spec.rb +0 -204
- data/modules/apt/spec/system/apt_builddep_spec.rb +0 -38
- data/modules/apt/spec/system/apt_key_spec.rb +0 -53
- data/modules/apt/spec/system/apt_ppa_spec.rb +0 -59
- data/modules/apt/spec/system/apt_source_spec.rb +0 -51
- data/modules/apt/spec/system/basic_spec.rb +0 -10
- data/modules/apt/spec/system/class_spec.rb +0 -20
- data/modules/apt/templates/10periodic.erb +0 -12
- data/modules/apt/templates/50unattended-upgrades.erb +0 -53
- data/modules/apt/tests/unattended-upgrades.pp +0 -1
- data/modules/concat/README.markdown +0 -150
- data/modules/concat/spec/defines/init_spec.rb +0 -115
- data/modules/concat/spec/fixtures/manifests/site.pp +0 -0
- data/modules/firewall/spec/spec_helper_system.rb +0 -49
- data/modules/firewall/spec/system/class_spec.rb +0 -39
- data/modules/firewall/spec/system/purge_spec.rb +0 -29
- data/modules/firewall/spec/system/resource_cmd_spec.rb +0 -53
- data/modules/mysql/manifests/server/providers.pp +0 -8
- data/modules/mysql/tests/bindings.pp +0 -3
- data/modules/postgresql/Gemfile.lock +0 -74
- data/modules/postgresql/spec/spec_helper_system.rb +0 -66
- data/modules/postgresql/spec/system/client_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/devel_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/java_spec.rb +0 -25
- data/modules/postgresql/spec/system/lib/python_spec.rb +0 -24
- data/modules/postgresql/spec/system/server/table_grant_spec.rb +0 -72
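--- a/data/modules/firewall/Changelog
+++ b/data/modules/firewall/Changelog
@@ -4,6 +4,44 @@ Release notes for puppetlabs-firewall module.
 
 ---------------------------------------
 
+#### 1.0.0 - 2014-02-11
+
+No changes, just renumbering to 1.0.0.
+
+#### 0.5.0 - 2014-02-10
+
+##### Summary:
+This is a bigger release that brings in "recent" connection limiting (think
+"port knocking"), firewall chain purging on a per-chain/per-table basis, and
+support for a few other use cases. This release also fixes a major bug which
+could cause modifications to the wrong rules when unmanaged rules are present.
+
+##### New Features:
+* Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`,
+`rname`, `rseconds`, `rsource`, and `rttl`
+* Add negation support for source and destination
+* Add per-chain/table purging support to `firewallchain`
+* IPv4 specific
+* Add random port forwarding support
+* Add ipsec policy matching via `ipsec_dir` and `ipsec_policy`
+* IPv6 specific
+* Add support for hop limiting via `hop_limit` parameter
+* Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag`
+* Add support for conntrack stateful firewall matching via `ctstate`
+
+##### Bugfixes:
+- Boolean fixups allowing false values
+- Better detection of unmanaged rules
+- Fix multiport rule detection
+- Fix sport/dport rule detection
+- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
+- Allow INPUT with the nat table
+- Fix `src_range` & `dst_range` order detection
+- Documentation clarifications
+- Fixes to spec tests
+
+---------------------------------------
+
 #### 0.4.2 - 2013-09-10
 
 Another attempt to fix the packaging issue. We think we understand exactly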
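--- a/data/modules/firewall/Gemfile
+++ b/data/modules/firewall/Gemfile
@@ -2,8 +2,11 @@ source 'https://rubygems.org'
 
 group :development, :test do
 gem 'puppetlabs_spec_helper', :require => false
-gem 'rspec-
-gem '
+gem 'rspec-puppet', :require => false
+gem 'serverspec', :require => false
+gem 'beaker-rspec', :require => false
+gem 'puppet-lint', :require => false
+gem 'pry', :require => false
 end
 
 if puppetversion = ENV['PUPPET_GEM_VERSION']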
@@ -1,21 +1,67 @@
|
|
1
1
|
GEM
|
2
2
|
remote: https://rubygems.org/
|
3
3
|
specs:
|
4
|
+
CFPropertyList (2.2.6)
|
5
|
+
beaker (1.6.2)
|
6
|
+
blimpy (~> 0.6)
|
7
|
+
fission (~> 0.4)
|
8
|
+
inifile (~> 2.0)
|
9
|
+
json (~> 1.8)
|
10
|
+
mime-types (~> 1.25)
|
11
|
+
net-scp (~> 1.1)
|
12
|
+
net-ssh (~> 2.6)
|
13
|
+
nokogiri (= 1.5.10)
|
14
|
+
rbvmomi (= 1.8.1)
|
15
|
+
unf (~> 0.1)
|
16
|
+
beaker-rspec (2.1.1)
|
17
|
+
beaker (~> 1.3)
|
18
|
+
rspec (~> 2.14)
|
19
|
+
serverspec (~> 0.14)
|
20
|
+
specinfra (~> 0.3)
|
21
|
+
blimpy (0.6.7)
|
22
|
+
fog
|
23
|
+
minitar
|
24
|
+
thor
|
4
25
|
builder (3.2.2)
|
5
|
-
|
6
|
-
|
7
|
-
|
26
|
+
coderay (1.1.0)
|
27
|
+
diff-lcs (1.2.5)
|
28
|
+
excon (0.31.0)
|
29
|
+
facter (1.7.4)
|
30
|
+
fission (0.5.0)
|
31
|
+
CFPropertyList (~> 2.2)
|
32
|
+
fog (1.19.0)
|
33
|
+
builder
|
34
|
+
excon (~> 0.31.0)
|
35
|
+
formatador (~> 0.2.0)
|
36
|
+
mime-types
|
37
|
+
multi_json (~> 1.0)
|
38
|
+
net-scp (~> 1.1)
|
39
|
+
net-ssh (>= 2.1.3)
|
40
|
+
nokogiri (~> 1.5)
|
41
|
+
ruby-hmac
|
42
|
+
formatador (0.2.4)
|
43
|
+
hiera (1.3.0)
|
8
44
|
json_pure
|
9
|
-
|
10
|
-
|
45
|
+
highline (1.6.20)
|
46
|
+
inifile (2.0.2)
|
47
|
+
json (1.8.1)
|
48
|
+
json_pure (1.8.1)
|
11
49
|
metaclass (0.0.1)
|
50
|
+
method_source (0.8.2)
|
51
|
+
mime-types (1.25.1)
|
52
|
+
minitar (0.5.4)
|
12
53
|
mocha (0.14.0)
|
13
54
|
metaclass (~> 0.0.1)
|
55
|
+
multi_json (1.8.4)
|
14
56
|
net-scp (1.1.2)
|
15
57
|
net-ssh (>= 2.6.5)
|
16
|
-
net-ssh (2.
|
58
|
+
net-ssh (2.8.0)
|
17
59
|
nokogiri (1.5.10)
|
18
|
-
|
60
|
+
pry (0.9.12.6)
|
61
|
+
coderay (~> 1.0)
|
62
|
+
method_source (~> 0.8)
|
63
|
+
slop (~> 3.4)
|
64
|
+
puppet (3.4.0)
|
19
65
|
facter (~> 1.6)
|
20
66
|
hiera (~> 1.0)
|
21
67
|
rgen (~> 0.6.5)
|
@@ -25,40 +71,44 @@ GEM
|
|
25
71
|
rake
|
26
72
|
rspec (>= 2.9.0)
|
27
73
|
rspec-puppet (>= 0.1.1)
|
28
|
-
rake (10.1.
|
29
|
-
rbvmomi (1.
|
74
|
+
rake (10.1.1)
|
75
|
+
rbvmomi (1.8.1)
|
30
76
|
builder
|
31
77
|
nokogiri (>= 1.4.1)
|
32
78
|
trollop
|
33
|
-
rgen (0.6.
|
79
|
+
rgen (0.6.6)
|
34
80
|
rspec (2.14.1)
|
35
81
|
rspec-core (~> 2.14.0)
|
36
82
|
rspec-expectations (~> 2.14.0)
|
37
83
|
rspec-mocks (~> 2.14.0)
|
38
|
-
rspec-core (2.14.
|
39
|
-
rspec-expectations (2.14.
|
84
|
+
rspec-core (2.14.7)
|
85
|
+
rspec-expectations (2.14.4)
|
40
86
|
diff-lcs (>= 1.1.3, < 2.0)
|
41
|
-
rspec-mocks (2.14.
|
42
|
-
rspec-puppet (0.1
|
87
|
+
rspec-mocks (2.14.4)
|
88
|
+
rspec-puppet (1.0.1)
|
43
89
|
rspec
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
net-ssh
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
rspec-system (~> 2.0)
|
54
|
-
systemu (2.5.2)
|
90
|
+
ruby-hmac (0.4.0)
|
91
|
+
serverspec (0.15.2)
|
92
|
+
highline
|
93
|
+
net-ssh
|
94
|
+
rspec (>= 2.13.0)
|
95
|
+
specinfra (>= 0.5.6)
|
96
|
+
slop (3.4.7)
|
97
|
+
specinfra (0.5.7)
|
98
|
+
thor (0.18.1)
|
55
99
|
trollop (2.0)
|
100
|
+
unf (0.1.3)
|
101
|
+
unf_ext
|
102
|
+
unf_ext (0.0.6)
|
56
103
|
|
57
104
|
PLATFORMS
|
58
105
|
ruby
|
59
106
|
|
60
107
|
DEPENDENCIES
|
108
|
+
beaker-rspec
|
109
|
+
pry
|
61
110
|
puppet
|
62
111
|
puppet-lint
|
63
112
|
puppetlabs_spec_helper
|
64
|
-
rspec-
|
113
|
+
rspec-puppet
|
114
|
+
serverspec
|
data/modules/firewall/Modulefile
CHANGED
@@ -92,7 +92,7 @@ The `pre` class should be located in `my_fw/manifests/pre.pp` and should contain
|
|
92
92
|
}->
|
93
93
|
firewall { '002 accept related established rules':
|
94
94
|
proto => 'all',
|
95
|
-
|
95
|
+
ctstate => ['RELATED', 'ESTABLISHED'],
|
96
96
|
action => 'accept',
|
97
97
|
}
|
98
98
|
}
|
@@ -109,7 +109,7 @@ The `post` class should be located in `my_fw/manifests/post.pp` and include any
|
|
109
109
|
}
|
110
110
|
}
|
111
111
|
|
112
|
-
To put it all together: the `
|
112
|
+
To put it all together: the `require` parameter in `Firewall {}` ensures `my_fw::pre` is run before any other rules and the `before` parameter ensures `my_fw::post` is run after any other rules. So the run order is:
|
113
113
|
|
114
114
|
* run the rules in `my_fw::pre`
|
115
115
|
* run your rules (defined in code)
|
@@ -197,24 +197,56 @@ Drop all:
|
|
197
197
|
|
198
198
|
###Application-specific rules
|
199
199
|
|
200
|
-
|
200
|
+
Puppet doesn't care where you define rules, and this means that you can place
|
201
|
+
your firewall resources as close to the applications and services that you
|
202
|
+
manage as you wish. If you use the [roles and profiles
|
203
|
+
pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it
|
204
|
+
would make sense to create your firewall rules in the profiles, so that they
|
205
|
+
remain close to the services managed by the profile.
|
201
206
|
|
202
|
-
|
207
|
+
An example of this might be:
|
203
208
|
|
204
|
-
|
209
|
+
```puppet
|
210
|
+
class profile::apache {
|
211
|
+
include apache
|
212
|
+
apache::vhost { 'mysite': ensure => present }
|
205
213
|
|
206
|
-
|
207
|
-
|
208
|
-
|
209
|
-
|
210
|
-
|
211
|
-
|
212
|
-
|
213
|
-
|
214
|
+
firewall { '100 allow http and https access':
|
215
|
+
port => [80, 443],
|
216
|
+
proto => tcp,
|
217
|
+
action => accept,
|
218
|
+
}
|
219
|
+
}
|
220
|
+
```
|
221
|
+
|
222
|
+
|
223
|
+
However, if you're not using that pattern then you can place them directly into
|
224
|
+
the individual module that manages a service, such as:
|
225
|
+
|
226
|
+
```puppet
|
227
|
+
class apache {
|
228
|
+
firewall { '100 allow http and https access':
|
229
|
+
port => [80, 443],
|
230
|
+
proto => tcp,
|
231
|
+
action => accept,
|
232
|
+
}
|
233
|
+
# ... the rest of your code ...
|
234
|
+
}
|
235
|
+
```
|
236
|
+
|
237
|
+
This means if someone includes either the profile:
|
238
|
+
|
239
|
+
```puppet
|
240
|
+
include profile::apache
|
241
|
+
```
|
242
|
+
|
243
|
+
Or the module, if you're not using roles and profiles:
|
214
244
|
|
215
|
-
|
245
|
+
```puppet
|
246
|
+
include ::apache
|
247
|
+
```
|
216
248
|
|
217
|
-
|
249
|
+
Then they would automatically get appropriate firewall rules.
|
218
250
|
|
219
251
|
###Other rules
|
220
252
|
|
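--- a/data/modules/firewall/Rakefile
+++ b/data/modules/firewall/Rakefile
@@ -1,11 +1,4 @@
-require 'rubygems'
-require 'bundler/setup'
-
-Bundler.require :default
-
-require 'rspec/core/rake_task'
 require 'puppetlabs_spec_helper/rake_tasks'
-require 'rspec-system/rake_task'
 
 require 'puppet-lint/tasks/puppet-lint'
 PuppetLint.configuration.ignore_paths = ['vendor/**/*.pp']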
@@ -2,7 +2,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
|
|
2
2
|
@doc = "Ip6tables type provider"
|
3
3
|
|
4
4
|
has_feature :iptables
|
5
|
+
has_feature :hop_limiting
|
5
6
|
has_feature :rate_limiting
|
7
|
+
has_feature :recent_limiting
|
6
8
|
has_feature :snat
|
7
9
|
has_feature :dnat
|
8
10
|
has_feature :interface_match
|
@@ -15,6 +17,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
|
|
15
17
|
has_feature :mark
|
16
18
|
has_feature :tcp_flags
|
17
19
|
has_feature :pkttype
|
20
|
+
has_feature :ishasmorefrags
|
21
|
+
has_feature :islastfrag
|
22
|
+
has_feature :isfirstfrag
|
18
23
|
|
19
24
|
optional_commands({
|
20
25
|
:ip6tables => 'ip6tables',
|
@@ -33,12 +38,14 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
|
|
33
38
|
|
34
39
|
@resource_map = {
|
35
40
|
:burst => "--limit-burst",
|
41
|
+
:ctstate => "-m conntrack --ctstate",
|
36
42
|
:destination => "-d",
|
37
43
|
:dport => "-m multiport --dports",
|
38
44
|
:gid => "-m owner --gid-owner",
|
39
45
|
:icmp => "-m icmp6 --icmpv6-type",
|
40
46
|
:iniface => "-i",
|
41
47
|
:jump => "-j",
|
48
|
+
:hop_limit => "-m hl --hl-eq",
|
42
49
|
:limit => "-m limit --limit",
|
43
50
|
:log_level => "--log-level",
|
44
51
|
:log_prefix => "--log-prefix",
|
@@ -46,7 +53,15 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
|
|
46
53
|
:outiface => "-o",
|
47
54
|
:port => '-m multiport --ports',
|
48
55
|
:proto => "-p",
|
56
|
+
:rdest => "--rdest",
|
57
|
+
:reap => "--reap",
|
58
|
+
:recent => "-m recent",
|
49
59
|
:reject => "--reject-with",
|
60
|
+
:rhitcount => "--hitcount",
|
61
|
+
:rname => "--name",
|
62
|
+
:rseconds => "--seconds",
|
63
|
+
:rsource => "--rsource",
|
64
|
+
:rttl => "--rttl",
|
50
65
|
:source => "-s",
|
51
66
|
:state => "-m state --state",
|
52
67
|
:sport => "-m multiport --sports",
|
@@ -55,17 +70,40 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
|
|
55
70
|
:toports => "--to-ports",
|
56
71
|
:tosource => "--to-source",
|
57
72
|
:uid => "-m owner --uid-owner",
|
58
|
-
:pkttype => "-m pkttype --pkt-type"
|
73
|
+
:pkttype => "-m pkttype --pkt-type",
|
74
|
+
:ishasmorefrags => "-m frag --fragid 0 --fragmore",
|
75
|
+
:islastfrag => "-m frag --fragid 0 --fraglast",
|
76
|
+
:isfirstfrag => "-m frag --fragid 0 --fragfirst",
|
59
77
|
}
|
60
78
|
|
79
|
+
# These are known booleans that do not take a value, but we want to munge
|
80
|
+
# to true if they exist.
|
81
|
+
@known_booleans = [:ishasmorefrags, :islastfrag, :isfirstfrag, :rsource, :rdest, :reap, :rttl]
|
82
|
+
|
61
83
|
# Create property methods dynamically
|
62
84
|
(@resource_map.keys << :chain << :table << :action).each do |property|
|
63
|
-
|
64
|
-
|
85
|
+
if @known_booleans.include?(property) then
|
86
|
+
# The boolean properties default to '' which should be read as false
|
87
|
+
define_method "#{property}" do
|
88
|
+
@property_hash[property] = :false if @property_hash[property] == nil
|
89
|
+
@property_hash[property.to_sym]
|
90
|
+
end
|
91
|
+
else
|
92
|
+
define_method "#{property}" do
|
93
|
+
@property_hash[property.to_sym]
|
94
|
+
end
|
65
95
|
end
|
66
96
|
|
67
|
-
|
68
|
-
|
97
|
+
if property == :chain
|
98
|
+
define_method "#{property}=" do |value|
|
99
|
+
if @property_hash[:chain] != value
|
100
|
+
raise ArgumentError, "Modifying the chain for existing rules is not supported."
|
101
|
+
end
|
102
|
+
end
|
103
|
+
else
|
104
|
+
define_method "#{property}=" do |value|
|
105
|
+
@property_hash[:needs_change] = true
|
106
|
+
end
|
69
107
|
end
|
70
108
|
end
|
71
109
|
|
@@ -73,8 +111,13 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
|
|
73
111
|
# we need it to properly parse and apply rules, if the order of resource
|
74
112
|
# changes between puppet runs, the changed rules will be re-applied again.
|
75
113
|
# This order can be determined by going through iptables source code or just tweaking and trying manually
|
114
|
+
# (Note: on my CentOS 6.4 ip6tables-save returns -m frag on the place
|
115
|
+
# I put it when calling the command. So compability with manual changes
|
116
|
+
# not provided with current parser [georg.koester])
|
76
117
|
@resource_list = [:table, :source, :destination, :iniface, :outiface,
|
77
|
-
:proto, :
|
78
|
-
:
|
118
|
+
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport,
|
119
|
+
:port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
|
120
|
+
:recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
|
121
|
+
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
|
79
122
|
|
80
123
|
end
|
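Review bot: In the `@known_booleans` reader added in the `@@ -55,17 +70,40 @@` hunk, the comment says these properties "default to ''" but the guard only rewrites `nil` (`@property_hash[property] = :false if @property_hash[property] == nil`), so an empty-string value would be returned unchanged instead of `:false`; either the comment should say `nil`, or, if `''` really can reach here from the parser, the guard should be `@property_hash[property] = :false if @property_hash[property].nil? || @property_hash[property] == ''`. The reader also writes to `@property_hash` as a side effect, which deserves a why-comment such as `# memoise the default so later comparisons see :false rather than nil`. As a matter of style, `if @known_booleans.include?(property) then` and `== nil` are non-idiomatic Ruby; `if @known_booleans.include?(property)` and `.nil?` read better and are what the rest of the file uses. The enclosing `provide :ip6tables ... do` block starts before the first hunk of this file; note also that the added `@resource_list` comment in the last hunk admits `ip6tables-save` emits `-m frag` in a position the parser does not expect, so manually added fragment rules may not be recognised by this provider — that limitation belongs in the module README rather than only in a source comment.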