Multiple Foodcritic fixes

commit e26dc229efdc1631082db5193da8d6a38f8bfcc5 1 parent 25b70fd
Julien Vehent authored
28 attributes/default.rb
@@ -1,16 +1,16 @@
-default[:afw][:enable] = true
-default[:afw][:enable_input_drop] = true
-default[:afw][:enable_output_drop] = true
-default[:afw][:enable_input_drop_log] = true
-default[:afw][:enable_output_drop_log] = true
+default['afw']['enable'] = true
+default['afw']['enable_input_drop'] = true
+default['afw']['enable_output_drop'] = false
+default['afw']['enable_input_drop_log'] = true
+default['afw']['enable_output_drop_log'] = true
# Default attributes, do not modify
-default[:afw][:missing_user] = false
-default[:afw][:tables][:filter][:rules] = []
-default[:afw][:tables][:filter][:chains] = []
-default[:afw][:tables][:raw][:rules] = []
-default[:afw][:tables][:raw][:chains] = []
-default[:afw][:tables][:mangle][:rules] = []
-default[:afw][:tables][:mangle][:chains] = []
-default[:afw][:tables][:nat][:rules] = []
-default[:afw][:tables][:nat][:chains] = []
+default['afw']['missing_user'] = false
+default['afw']['tables']['filter']['rules'] = []
+default['afw']['tables']['filter']['chains'] = []
+default['afw']['tables']['raw']['rules'] = []
+default['afw']['tables']['raw']['chains'] = []
+default['afw']['tables']['mangle']['rules'] = []
+default['afw']['tables']['mangle']['chains'] = []
+default['afw']['tables']['nat']['rules'] = []
+default['afw']['tables']['nat']['chains'] = []
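Review bot: The default for `enable_output_drop` flips from true to false on `+default['afw']['enable_output_drop'] = false`, a behaviour change that the Foodcritic key-style fixes in the commit title do not account for. In this commit's template hunk that attribute gates both the per-user `-A <user> -j DROP` and the trailing `-A OUTPUT -j DROP`, so a node that relied on the old default will stop dropping unmatched outbound traffic after this upgrade. If the flip is intended it deserves its own commit, or at least a note in the README/changelog and a comment above the attribute such as `# Outbound drop is opt-in: true appends '-j DROP' to OUTPUT and to every per-user chain`.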
10 recipes/cloudstack-agent.rb
@@ -2,14 +2,14 @@
# Cookbook Name:: afw
# Recipe:: cloudstack-agent
#
-# Copyright 2012, AWeber, Julien Vehent
+# Copyright 2012, AWeber
#
-# See LICENSE in README file
+# All rights reserved - Do Not Redistribute
#
def insert_rule_into_table(rule, nftable)
if rule =~ /^-(A|I)/ and rule =~ /-j/
- node[:afw][:tables][nftable][:rules] << rule.chomp
+ node['afw']['tables'][nftable]['rules'] << rule.chomp
log("AFW::Cloudstack-agent: Preserving rule '#{rule.chomp}'")
end
end
@@ -41,9 +41,9 @@ def insert_rule_into_table(rule, nftable)
chain_str = line.split.first
chain = chain_str[1,30]
log("AFW::Cloudstack-agent: Evaluating chain '#{chain}'")
- if not (nftable.eql?('filter') and node[:afw][:chains].include?(chain)) \
+ if not (nftable.eql?('filter') and node['afw']['chains'].include?(chain)) \
and not (chain =~ /INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING/)
- node[:afw][:tables][nftable][:chains] << line.chomp
+ node['afw']['tables'][nftable]['chains'] << line.chomp
log("AFW::Cloudstack-agent: Preserving chain '#{chain}' in table #{nftable}")
getchain = Chef::ShellOut.new("iptables -S #{chain} -t #{nftable}")
getchain_ret = getchain.run_command
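Review bot: `Chef::ShellOut.new("iptables -S #{chain} -t #{nftable}")` interpolates `chain` into a shell command string, and `chain` is not cookbook data but a word cut from `line.split.first` with `chain_str[1,30]` — apparently parsed from live iptables output, though the loop that feeds `line` starts before this hunk. Passing the words separately, `Chef::ShellOut.new('iptables', '-S', chain, '-t', nftable)`, runs the binary without a shell where the Chef release supports the multi-argument form (Mixlib::ShellOut does); failing that, run both values through `Shellwords.escape` before interpolating. Whether `getchain_ret` is checked for success is not visible here. Stylistically, `if not (...) and not (...)` on the rebuilt condition reads more safely as `if !(...) && !(...)`, since `and`/`not` bind lower than `&&`/`!` and the current form works only because no assignment is involved.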
23 recipes/default.rb
@@ -9,15 +9,15 @@
#
# flush all stored compiled rules at chef-run, and regenerate them
-node[:afw][:chains] = {}
-node[:afw][:tables][:filter][:rules] = []
-node[:afw][:tables][:filter][:chains] = []
-node[:afw][:tables][:raw][:rules] = []
-node[:afw][:tables][:raw][:chains] = []
-node[:afw][:tables][:mangle][:rules] = []
-node[:afw][:tables][:mangle][:chains] = []
-node[:afw][:tables][:nat][:rules] = []
-node[:afw][:tables][:nat][:chains] = []
+node['afw']['chains'] = {}
+node['afw']['tables']['filter']['rules'] = []
+node['afw']['tables']['filter']['chains'] = []
+node['afw']['tables']['raw']['rules'] = []
+node['afw']['tables']['raw']['chains'] = []
+node['afw']['tables']['mangle']['rules'] = []
+node['afw']['tables']['mangle']['chains'] = []
+node['afw']['tables']['nat']['rules'] = []
+node['afw']['tables']['nat']['chains'] = []
IP_CIDR_VALID_REGEX = /\b(?:\d{1,3}\.){3}\d{1,3}\b(\/[0-3]?[0-9])?/
FQDN_VALID_REGEX = /^(?:(?:[0-9a-zA-Z_\-]+)\.){2,}(?:[0-9a-zA-Z_\-]+)$/
@@ -373,7 +373,6 @@ def build_rule_array(iptables_header, sources, destinations)
action :create
end
-
template "/etc/firewall/rules.iptables" do
mode 0400
owner "root"
@@ -385,11 +384,11 @@ def build_rule_array(iptables_header, sources, destinations)
execute "restore firewall" do
command "iptables-restore < /etc/firewall/rules.iptables"
action :nothing
- if node[:afw][:enable]
+ if node['afw']['enable']
subscribes :run,
resources(:template => "/etc/firewall/rules.iptables"),
:delayed
else
- Chef::Log.error "AFW: firewall will not be loaded. enable='#{node[:afw][:enable]}'"
+ Chef::Log.error "AFW: is disabled. enable='#{node['afw']['enable']}'"
end
end
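Review bot: In the first hunk (`@@ -9,15`), `FQDN_VALID_REGEX` is anchored with `^` and `$`, which in Ruby match at line boundaries rather than string ends, so a value with an embedded newline such as `"host.example.com\nextra"` still satisfies it; `IP_CIDR_VALID_REGEX` has no anchors at all and its `[0-3]?[0-9]` accepts prefix lengths up to /39. The call sites are outside this diff, but if these constants vet values that reach the rendered `rules.iptables` file, anchoring with `\A` and `\z` — `FQDN_VALID_REGEX = /\A(?:(?:[0-9a-zA-Z_\-]+)\.){2,}(?:[0-9a-zA-Z_\-]+)\z/` — closes that gap without changing which single-line inputs are accepted. The same treatment applies to `IP_CIDR_VALID_REGEX` if it is meant to validate a whole field rather than find a substring. Both lines are unchanged context in this commit, so this is a follow-up rather than a defect introduced here.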
34 templates/default/rules.iptables.erb
@@ -6,10 +6,10 @@
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j NOTRACK
-A PREROUTING -i lo -j NOTRACK
-<% node[:afw][:tables][:raw][:chains].sort_by{|k| k}.each do |chain| -%>
+<% node['afw']['tables']['raw']['chains'].sort_by{|k| k}.each do |chain| -%>
<%=chain%>
<% end -%>
-<% node[:afw][:tables][:raw][:rules].each do |rule| -%>
+<% node['afw']['tables']['raw']['rules'].each do |rule| -%>
<%=rule%>
<% end -%>
COMMIT
@@ -20,10 +20,10 @@ COMMIT
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-<% node[:afw][:tables][:mangle][:chains].sort_by{|k| k}.each do |chain| -%>
+<% node['afw']['tables']['mangle']['chains'].sort_by{|k| k}.each do |chain| -%>
<%=chain%>
<% end -%>
-<% node[:afw][:tables][:mangle][:rules].each do |rule| -%>
+<% node['afw']['tables']['mangle']['rules'].each do |rule| -%>
<%=rule%>
<% end -%>
COMMIT
@@ -32,10 +32,10 @@ COMMIT
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-<% node[:afw][:tables][:nat][:chains].sort_by{|k| k}.each do |chain| -%>
+<% node['afw']['tables']['nat']['chains'].sort_by{|k| k}.each do |chain| -%>
<%=chain%>
<% end -%>
-<% node[:afw][:tables][:nat][:rules].each do |rule| -%>
+<% node['afw']['tables']['nat']['rules'].each do |rule| -%>
<%=rule%>
<% end -%>
COMMIT
@@ -52,45 +52,45 @@ COMMIT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 172.30.0.0/16 -j ACCEPT
-A OUTPUT -p udp --dport 53 -d 10.0.0.0/8 -j ACCEPT
-<% node[:afw][:tables][:filter][:chains].sort_by{|k| k}.each do |chain| -%>
+<% node['afw']['tables']['filter']['chains'].sort_by{|k| k}.each do |chain| -%>
<%=chain%>
<% end -%>
<% #build the list of chains, one per user
-node[:afw][:chains].sort_by{|k,v| k}.each do |user,params| -%>
+node['afw']['chains'].sort_by{|k,v| k}.each do |user,params| -%>
:<%=user%> - [0:0]
--A OUTPUT -m owner --uid-owner <%=params[:uid]%> -m state --state NEW -j <%=user%>
+-A OUTPUT -m owner --uid-owner <%=params['uid']%> -m state --state NEW -j <%=user%>
<%
- node[:afw][:chains][user][:rules].sort_by{|k| k}.each do |rule|
+ node['afw']['chains'][user]['rules'].sort_by{|k| k}.each do |rule|
-%>
<%=rule%>
<%end
- if node[:afw][:enable_output_drop_log]
+ if node['afw']['enable_output_drop_log']
# log-prefix must be < 30 characters total -%>
-A <%=user%> -j LOG --log-prefix "DROP_AFW_OUTPUT_<%=user[0,11]%> " --log-uid --log-tcp-sequence
<% end
- if node[:afw][:enable_output_drop] -%>
+ if node['afw']['enable_output_drop'] -%>
-A <%=user%> -j DROP
<% end -%>
<%
end
-%>
-<% node[:afw][:tables][:filter][:rules].each do |rule| -%>
+<% node['afw']['tables']['filter']['rules'].each do |rule| -%>
<%=rule%>
<% end -%>
-<% if node[:afw][:enable_input_drop_log] -%>
+<% if node['afw']['enable_input_drop_log'] -%>
-A INPUT -j LOG --log-prefix "DROP_AFW_INPUT " --log-uid --log-tcp-sequence
<% end -%>
-<% if node[:afw][:enable_input_drop] -%>
+<% if node['afw']['enable_input_drop'] -%>
-A INPUT -j DROP
<% end -%>
-<% if node[:afw][:enable_output_drop_log] -%>
+<% if node['afw']['enable_output_drop_log'] -%>
-A OUTPUT -j LOG --log-prefix "DROP_AFW_OUTPUT " --log-uid --log-tcp-sequence
<% end -%>
-<% if node[:afw][:enable_output_drop] -%>
+<% if node['afw']['enable_output_drop'] -%>
-A OUTPUT -j DROP
<% end -%>
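Review bot: In the last hunk, `--log-prefix "DROP_AFW_OUTPUT_<%=user[0,11]%> "` truncates the user name to 11 characters, so two users whose names share the same first 11 characters produce identical log prefixes and their dropped-packet log lines cannot be told apart by prefix alone; the `--log-uid` on the same line is what keeps them distinguishable. The comment above it only says the prefix must be under 30 characters; it would help a maintainer to spell out the arithmetic, e.g. `# log-prefix is limited to 29 chars: 16 for "DROP_AFW_OUTPUT_" + 11 of the user name + 1 space; names sharing a prefix collide, rely on --log-uid`. As a point of style, every `sort_by{|k| k}` in this file's hunks is `sort`, and `sort_by{|k,v| k}` on the chains hash is `sort_by { |user, _| user }`, which reads closer to the intent.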