freighthop 0.3.3 → 0.4.0

data/modules/firewall/lib/puppet/provider/firewall/iptables.rb

@@ -8,6 +8,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
   has_feature :iptables
   has_feature :rate_limiting
+  has_feature :recent_limiting
   has_feature :snat
   has_feature :dnat
   has_feature :interface_match
@@ -24,6 +25,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
   has_feature :socket
   has_feature :address_type
   has_feature :iprange
+  has_feature :ipsec_dir
+  has_feature :ipsec_policy
 
   optional_commands({
     :iptables => 'iptables',
@@ -43,10 +46,11 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
   @resource_map = {
     :burst => "--limit-burst",
+    :ctstate => "-m conntrack --ctstate",
     :destination => "-d",
     :dst_type => "-m addrtype --dst-type",
     :dst_range => "-m iprange --dst-range",
-    :dport => ["-m multiport --dports", "-m (udp|tcp) --dport"],
+    :dport => ["-m multiport --dports", "--dport"],
     :gid => "-m owner --gid-owner",
     :icmp => "-m icmp --icmp-type",
     :iniface => "-i",
@@ -58,13 +62,22 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     :outiface => "-o",
     :port => '-m multiport --ports',
     :proto => "-p",
+    :random => "--random",
+    :rdest => "--rdest",
+    :reap => "--reap",
+    :recent => "-m recent",
     :reject => "--reject-with",
+    :rhitcount => "--hitcount",
+    :rname => "--name",
+    :rseconds => "--seconds",
+    :rsource => "--rsource",
+    :rttl => "--rttl",
     :set_mark => mark_flag,
     :socket => "-m socket",
     :source => "-s",
     :src_type => "-m addrtype --src-type",
     :src_range => "-m iprange --src-range",
-    :sport => ["-m multiport --sports", "-m (udp|tcp) --sport"],
+    :sport => ["-m multiport --sports", "--sport"],
     :state => "-m state --state",
     :table => "-t",
     :tcp_flags => "-m tcp --tcp-flags",
@@ -74,16 +87,47 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     :uid => "-m owner --uid-owner",
     :pkttype => "-m pkttype --pkt-type",
     :isfragment => "-f",
+    :ipsec_dir => "-m policy --dir",
+    :ipsec_policy => "--pol",
   }
 
+  # These are known booleans that do not take a value, but we want to munge
+  # to true if they exist.
+  @known_booleans = [
+    :isfragment,
+    :random,
+    :rdest,
+    :reap,
+    :rsource,
+    :rttl,
+    :socket
+  ]
+
+
   # Create property methods dynamically
   (@resource_map.keys << :chain << :table << :action).each do |property|
-    define_method "#{property}" do
-      @property_hash[property.to_sym]
+    if @known_booleans.include?(property) then
+      # The boolean properties default to '' which should be read as false
+      define_method "#{property}" do
+        @property_hash[property] = :false if @property_hash[property] == nil
+        @property_hash[property.to_sym]
+      end
+    else
+      define_method "#{property}" do
+        @property_hash[property.to_sym]
+      end
     end
 
-    define_method "#{property}=" do |value|
-      @property_hash[:needs_change] = true
+    if property == :chain
+      define_method "#{property}=" do |value|
+        if @property_hash[:chain] != value
+          raise ArgumentError, "Modifying the chain for existing rules is not supported."
+        end
+      end
+    else
+      define_method "#{property}=" do |value|
+        @property_hash[:needs_change] = true
+      end
     end
   end
 
@@ -91,11 +135,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
   # we need it to properly parse and apply rules, if the order of resource
   # changes between puppet runs, the changed rules will be re-applied again.
   # This order can be determined by going through iptables source code or just tweaking and trying manually
-  @resource_list = [:table, :source, :src_range, :destination, :dst_range, :iniface, :outiface,
-    :proto, :isfragment, :tcp_flags, :gid, :uid, :sport, :dport, :port,
-    :dst_type, :src_type, :socket, :pkttype, :name, :state, :icmp,
-    :limit, :burst, :jump, :todest, :tosource, :toports, :log_prefix,
-    :log_level, :reject, :set_mark]
+  @resource_list = [
+    :table, :source, :destination, :iniface, :outiface, :proto, :isfragment,
+    :src_range, :dst_range, :tcp_flags, :gid, :uid, :sport, :dport, :port,
+    :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
+    :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
+    :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
+    :toports, :random, :log_prefix, :log_level, :reject, :set_mark
+  ]
 
   def insert
     debug 'Inserting rule %s' % resource[:name]
@@ -154,10 +201,6 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     keys = []
     values = line.dup
 
-    # These are known booleans that do not take a value, but we want to munge
-    # to true if they exist.
-    known_booleans = [:socket, :isfragment]
-
     ####################
     # PRE-PARSE CLUDGING
     ####################
@@ -165,25 +208,47 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     # --tcp-flags takes two values; we cheat by adding " around it
     # so it behaves like --comment
     values = values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')
+    # we do a similar thing for negated address masks (source and destination).
+    values = values.sub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
+    # the actual rule will have the ! mark before the option.
+    values = values.sub(/(!)\s*(-\S+)\s*(\S*)/, '\2 "\1 \3"')
+    # The match extension for tcp & udp are optional and throws off the @resource_map.
+    values = values.sub(/-m (tcp|udp) (--(s|d)port|-m multiport)/, '\2')
 
     # Trick the system for booleans
-    known_booleans.each do |bool|
-      if bool == :socket then
-        values = values.sub(/#{@resource_map[bool]}/, '-m socket true')
-      end
+    @known_booleans.each do |bool|
+      # append "true" because all params are expected to have values
       if bool == :isfragment then
+        # -f requires special matching:
         # only replace those -f that are not followed by an l to
         # distinguish between -f and the '-f' inside of --tcp-flags.
         values = values.sub(/-f(?!l)(?=.*--comment)/, '-f true')
+      else
+        values = values.sub(/#{@resource_map[bool]}/, "#{@resource_map[bool]} true")
       end
     end
 
+    ############
+    # Populate parser_list with used value, in the correct order
+    ############
+    map_index={}
+    @resource_map.each_pair do |map_k,map_v|
+      [map_v].flatten.each do |v|
+        ind=values.index(/\s#{v}/)
+        next unless ind
+        map_index[map_k]=ind
+     end
+    end
+    # Generate parser_list based on the index of the found option
+    parser_list=[]
+    map_index.sort_by{|k,v| v}.each{|mapi| parser_list << mapi.first }
+
     ############
     # MAIN PARSE
     ############
 
     # Here we iterate across our values to generate an array of keys
-    @resource_list.reverse.each do |k|
+    parser_list.reverse.each do |k|
       resource_map_key = @resource_map[k]
       [resource_map_key].flatten.each do |opt|
         if values.slice!(/\s#{opt}/)
@@ -206,17 +271,20 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
     # Normalise all rules to CIDR notation.
     [:source, :destination].each do |prop|
-      hash[prop] = Puppet::Util::IPCidr.new(hash[prop]).cidr unless hash[prop].nil?
+      next if hash[prop].nil?
+      m = hash[prop].match(/(!?)\s?(.*)/)
+      neg = "! " if m[1] == "!"
+      hash[prop] = "#{neg}#{Puppet::Util::IPCidr.new(m[2]).cidr}"
     end
 
-    [:dport, :sport, :port, :state].each do |prop|
+    [:dport, :sport, :port, :state, :ctstate].each do |prop|
       hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
     end
 
     # Convert booleans removing the previous cludge we did
-    known_booleans.each do |bool|
+    @known_booleans.each do |bool|
       if hash[bool] != nil then
-        unless hash[bool] == "true" then
+        if hash[bool] != "true" then
           raise "Parser error: #{bool} was meant to be a boolean but received value: #{hash[bool]}."
         end
       end
@@ -234,7 +302,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
     # States should always be sorted. This ensures that the output from
     # iptables-save and user supplied resources is consistent.
-    hash[:state] = hash[:state].sort unless hash[:state].nil?
+    hash[:state]   = hash[:state].sort   unless hash[:state].nil?
+    hash[:ctstate] = hash[:ctstate].sort unless hash[:ctstate].nil?
 
     # This forces all existing, commentless rules or rules with invalid comments to be moved 
     # to the bottom of the stack.
@@ -309,17 +378,21 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     args = []
     resource_list = self.class.instance_variable_get('@resource_list')
     resource_map = self.class.instance_variable_get('@resource_map')
+    known_booleans = self.class.instance_variable_get('@known_booleans')
 
     resource_list.each do |res|
       resource_value = nil
       if (resource[res]) then
         resource_value = resource[res]
         # If socket is true then do not add the value as -m socket is standalone
-        if res == :socket then
-          resource_value = nil
-        end
-        if res == :isfragment then
-          resource_value = nil
+        if known_booleans.include?(res) then
+          if resource[res] == :true then
+            resource_value = nil
+          else
+            # If the property is not :true then we don't want to add the value
+            # to the args list
+            next
+          end
         end
       elsif res == :jump and resource[:action] then
         # In this case, we are substituting jump for action
@@ -330,6 +403,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
       args << [resource_map[res]].flatten.first.split(' ')
 
+      # On negations, the '!' has to be before the option (eg: "! -d 1.2.3.4")
+      if resource_value.is_a?(String) and resource_value.sub!(/^!\s*/, '') then
+        # we do this after adding the 'dash' argument because of ones like "-m multiport --dports", where we want it before the "--dports" but after "-m multiport".
+        # so we insert before whatever the last argument is
+        args.insert(-2, '!')
+      end
+
+
       # For sport and dport, convert hyphens to colons since the type
       # expects hyphens for ranges of ports.
       if [:sport, :dport, :port].include?(res) then
@@ -369,8 +450,43 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     # No rules at all? Just bail now.
     return 1 if rules.empty?
 
+    # Add our rule to the end of the array of known rules
     my_rule = resource[:name].to_s
     rules << my_rule
-    rules.sort.index(my_rule) + 1
+
+    unmanaged_rule_regex = /^9[0-9]{3}\s[a-f0-9]{32}$/
+    # Find if this is a new rule or an existing rule, then find how many
+    # unmanaged rules preceed it.
+    if rules.length == rules.uniq.length
+      # This is a new rule so find its ordered location.
+      new_rule_location = rules.sort.uniq.index(my_rule)
+      if new_rule_location == 0
+        # The rule will be the first rule in the chain because nothing came
+        # before it.
+        offset_rule = rules[0]
+      else
+        # This rule will come after other managed rules, so find the rule
+        # immediately preceeding it.
+        offset_rule = rules.sort.uniq[new_rule_location - 1]
+      end
+    else
+      # This is a pre-existing rule, so find the offset from the original
+      # ordering.
+      offset_rule = my_rule
+    end
+    # Count how many unmanaged rules are ahead of the target rule so we know
+    # how much to add to the insert order
+    unnamed_offset = rules[0..rules.index(offset_rule)].inject(0) do |sum,rule|
+      # This regex matches the names given to unmanaged rules (a number
+      # 9000-9999 followed by an MD5 hash).
+      sum + (rule.match(unmanaged_rule_regex) ? 1 : 0)
+    end
+
+    # We want our rules to come before unmanaged rules
+    unnamed_offset -= 1 if offset_rule.match(unmanaged_rule_regex)
+
+    # Insert our new or updated rule in the correct order of named rules, but
+    # offset for unnamed rules.
+    rules.sort.index(my_rule) + 1 + unnamed_offset
   end
 end

data/modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb

@@ -41,11 +41,11 @@ Puppet::Type.type(:firewallchain).provide :iptables_chain do
   Nameformat = /^(.+):(#{Tables}):(IP(v[46])?|ethernet)$/
 
   def create
-    # can't create internal chains
-    if @resource[:name] =~ InternalChains
-      self.warn "Attempting to create internal chain #{@resource[:name]}"
-    end
     allvalidchains do |t, chain, table, protocol|
+      if chain =~ InternalChains
+        # can't create internal chains
+        warning "Attempting to create internal chain #{@resource[:name]}"
+      end
       if properties[:ensure] == protocol
         debug "Skipping Inserting chain #{chain} on table #{table} (#{protocol}) already exists"
       else
@@ -59,17 +59,28 @@ Puppet::Type.type(:firewallchain).provide :iptables_chain do
   end
 
   def destroy
-    # can't delete internal chains
-    if @resource[:name] =~ InternalChains
-      self.warn "Attempting to destroy internal chain #{@resource[:name]}"
-    end
     allvalidchains do |t, chain, table|
+      if chain =~ InternalChains
+        # can't delete internal chains
+        warning "Attempting to destroy internal chain #{@resource[:name]}"
+      end
       debug "Deleting chain #{chain} on table #{table}"
       t.call ['-t',table,'-X',chain]
     end
   end
 
   def exists?
+    allvalidchains do |t, chain|
+      if chain =~ InternalChains
+        # If the chain isn't present, it's likely because the module isn't loaded.
+        # If this is true, then we fall into 2 cases
+        # 1) It'll be loaded on demand
+        # 2) It won't be loaded on demand, and we throw an error
+        #    This is the intended behavior as it's not the provider's job to load kernel modules
+        # So we pretend it exists...
+        return true
+      end
+    end
     properties[:ensure] == :present
   end
 

data/modules/firewall/lib/puppet/type/firewall.rb

@@ -28,7 +28,9 @@ Puppet::Type.newtype(:firewall) do
     installed.
   EOS
 
+  feature :hop_limiting, "Hop limiting features."
   feature :rate_limiting, "Rate limiting features."
+  feature :recent_limiting, "The netfilter recent module"
   feature :snat, "Source NATing"
   feature :dnat, "Destination NATing"
   feature :interface_match, "Interface matching"
@@ -45,6 +47,11 @@ Puppet::Type.newtype(:firewall) do
   feature :isfragment, "Match fragments"
   feature :address_type, "The ability match on source or destination address type"
   feature :iprange, "The ability match on source or destination IP range "
+  feature :ishasmorefrags, "Match a non-last fragment of a fragmented ipv6 packet - might be first"
+  feature :islastfrag, "Match the last fragment of an ipv6 packet"
+  feature :isfirstfrag, "Match the first fragment of a fragmented ipv6 packet"
+  feature :ipsec_policy, "Match IPsec policy"
+  feature :ipsec_dir, "Match IPsec policy direction"
 
   # provider specific features
   feature :iptables, "The provider provides iptables features."
@@ -103,12 +110,16 @@ Puppet::Type.newtype(:firewall) do
 
           source => '192.168.2.0/24'
 
+      You can also negate a mask by putting ! in front. For example:
+
+          source => '! 192.168.2.0/24'
+
       The source can also be an IPv6 address if your provider supports it.
     EOS
 
     munge do |value|
       begin
-        @resource.host_to_ip(value)
+        @resource.host_to_mask(value)
       rescue Exception => e
         self.fail("host_to_ip failed for #{value}, exception #{e}")
       end
@@ -134,12 +145,16 @@ Puppet::Type.newtype(:firewall) do
 
           destination => '192.168.1.0/24'
 
+      You can also negate a mask by putting ! in front. For example:
+
+          destination  => '! 192.168.2.0/24'
+
       The destination can also be an IPv6 address if your provider supports it.
     EOS
 
     munge do |value|
       begin
-        @resource.host_to_ip(value)
+        @resource.host_to_mask(value)
       rescue Exception => e
         self.fail("host_to_ip failed for #{value}, exception #{e}")
       end
@@ -441,6 +456,15 @@ Puppet::Type.newtype(:firewall) do
     EOS
   end
 
+  newproperty(:random, :required_features => :dnat) do
+    desc <<-EOS
+      When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+      this boolean will enable randomized port mapping.
+    EOS
+
+    newvalues(:true, :false)
+  end
+
   # Reject ICMP type
   newproperty(:reject, :required_features => :reject_type) do
     desc <<-EOS
@@ -549,6 +573,46 @@ Puppet::Type.newtype(:firewall) do
     end
   end
 
+  newproperty(:ctstate, :array_matching => :all, :required_features =>
+    :state_match) do
+
+    desc <<-EOS
+      Matches a packet based on its state in the firewall stateful inspection
+      table, using the conntrack module. Values can be:
+
+      * INVALID
+      * ESTABLISHED
+      * NEW
+      * RELATED
+    EOS
+
+    newvalues(:INVALID,:ESTABLISHED,:NEW,:RELATED)
+
+    # States should always be sorted. This normalizes the resource states to
+    # keep it consistent with the sorted result from iptables-save.
+    def should=(values)
+      @should = super(values).sort_by {|sym| sym.to_s}
+    end
+
+    def is_to_s(value)
+      should_to_s(value)
+    end
+
+    def should_to_s(value)
+      value = [value] unless value.is_a?(Array)
+      value.join(',')
+    end
+  end
+
+
+  # Hop limiting properties
+  newproperty(:hop_limit, :required_features => :hop_limiting) do
+    desc <<-EOS
+      Hop limiting value for matched packets.
+    EOS
+    newvalue(/^\d+$/)
+  end
+
   # Rate limiting properties
   newproperty(:limit, :required_features => :rate_limiting) do
     desc <<-EOS
@@ -640,6 +704,104 @@ Puppet::Type.newtype(:firewall) do
     newvalues(:true, :false)
   end
 
+  newproperty(:recent, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Enable the recent module. Takes as an argument one of set, update,
+      rcheck or remove. For example:
+
+        # If anyone's appeared on the 'badguy' blacklist within
+        # the last 60 seconds, drop their traffic, and update the timestamp.
+        firewall { '100 Drop badguy traffic':
+          recent   => 'update',
+          rseconds => 60,
+          rsource  => true,
+          rname    => 'badguy',
+          action   => 'DROP',
+          chain    => 'FORWARD',
+        }
+        # No-one should be sending us traffic on eth0 from localhost
+        # Blacklist them
+        firewall { '101 blacklist strange traffic':
+          recent      => 'set',
+          rsource     => true,
+          rname       => 'badguy',
+          destination => '127.0.0.0/8',
+          iniface     => 'eth0',
+          action      => 'DROP',
+          chain       => 'FORWARD',
+        }
+    EOS
+
+    newvalues(:set, :update, :rcheck, :remove)
+    munge do |value|
+       value = "--" + value
+    end
+  end
+
+  newproperty(:rdest, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Recent module; add the destination IP address to the list.
+      Must be boolean true.
+    EOS
+
+    newvalues(:true, :false)
+  end
+
+  newproperty(:rsource, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Recent module; add the source IP address to the list.
+      Must be boolean true.
+    EOS
+
+    newvalues(:true, :false)
+  end
+
+  newproperty(:rname, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Recent module; The name of the list. Takes a string argument.
+    EOS
+  end
+
+  newproperty(:rseconds, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Recent module; used in conjunction with one of `recent => 'rcheck'` or
+      `recent => 'update'`. When used, this will narrow the match to only
+      happen when the address is in the list and was seen within the last given
+      number of seconds.
+    EOS
+  end
+
+  newproperty(:reap, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Recent module; can only be used in conjunction with the `rseconds`
+      attribute. When used, this will cause entries older than 'seconds' to be
+      purged.  Must be boolean true.
+    EOS
+  end
+
+  newproperty(:rhitcount, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Recent module; used in conjunction with `recent => 'update'` or `recent
+      => 'rcheck'. When used, this will narrow the match to only happen when
+      the address is in the list and packets had been received greater than or
+      equal to the given value.
+    EOS
+  end
+
+  newproperty(:rttl, :required_features => :recent_limiting) do
+    desc <<-EOS
+      Recent module; may only be used in conjunction with one of `recent =>
+      'rcheck'` or `recent => 'update'`. When used, this will narrow the match
+      to only happen when the address is in the list and the TTL of the current
+      packet matches that of the packet which hit the `recent => 'set'` rule.
+      This may be useful if you have problems with people faking their source
+      address in order to DoS you via this module by disallowing others access
+      to your site by sending bogus packets to you.  Must be boolean true.
+    EOS
+
+    newvalues(:true, :false)
+  end
+
   newproperty(:socket, :required_features => :socket) do
     desc <<-EOS
       If true, matches if an open socket can be found by doing a coket lookup
@@ -649,6 +811,47 @@ Puppet::Type.newtype(:firewall) do
     newvalues(:true, :false)
   end
 
+  newproperty(:ishasmorefrags, :required_features => :ishasmorefrags) do
+    desc <<-EOS
+      If true, matches if the packet has it's 'more fragments' bit set. ipv6.
+    EOS
+
+    newvalues(:true, :false)
+  end
+
+  newproperty(:islastfrag, :required_features => :islastfrag) do
+    desc <<-EOS
+      If true, matches if the packet is the last fragment. ipv6.
+    EOS
+
+    newvalues(:true, :false)
+  end
+
+  newproperty(:isfirstfrag, :required_features => :isfirstfrag) do
+    desc <<-EOS
+      If true, matches if the packet is the first fragment. 
+      Sadly cannot be negated. ipv6.
+    EOS
+
+    newvalues(:true, :false)
+  end
+
+  newproperty(:ipsec_policy, :required_features => :ipsec_policy) do
+	  desc <<-EOS
+	  	 Sets the ipsec policy type
+	  EOS
+
+	  newvalues(:none, :ipsec)
+  end
+
+  newproperty(:ipsec_dir, :required_features => :ipsec_dir) do
+	  desc <<-EOS
+	  	 Sets the ipsec policy direction
+	  EOS
+
+	  newvalues(:in, :out)
+  end
+
   newparam(:line) do
     desc <<-EOS
       Read-only property for caching the rule line.
@@ -667,8 +870,9 @@ Puppet::Type.newtype(:firewall) do
     end
 
     unless protocol.nil?
+      table = value(:table)
       [value(:chain), value(:jump)].each do |chain|
-        reqs << "#{chain}:#{value(:table)}:#{protocol}" unless chain.nil?
+        reqs << "#{chain}:#{table}:#{protocol}" unless ( chain.nil? || (['INPUT', 'OUTPUT', 'FORWARD'].include?(chain) && table == :filter) )
       end
     end