- Overview
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with the fluffy module
- Reference - Types reference and additional functionalities
- Hiera integration
- Contact
This module implements native types and providers to manage Fluffy. The providers are fully idempotent.
The fluffy module lets you automate the configuration and deployment of Fluffy interfaces, chains, services, addressbook entries, rules and rollback checks.
The module requires the fluffy-ruby rubygem. It also requires Puppet >= 4.10.0.
The providers make use of some language features only available in Ruby 2.x. By default, Puppet Server uses a version of the JRuby 1.7 series which conforms to MRI/Ruby language 1.9. However, you will need to configure Puppet Server to instead use the JRuby 9k series in order to support Ruby 2.x. For more information, read here.
Include the main class as follows:

```puppet
include fluffy
```
Fluffy options in the form of {'option' => 'value'}. Defaults to:

```yaml
fluffy::opts:
  max_sessions: 10
```
Fluffy logging options in the form of {'option' => 'value'}. Defaults to:

```yaml
fluffy::logging_opts:
  version: 1
  disable_existing_loggers: false
  formatters:
    standard:
      format: "%{literal('%')}(asctime)s [%{literal('%')}(levelname)s] %{literal('%')}(name)s: %{literal('%')}(message)s"
  handlers:
    console:
      formatter: "standard"
      class: "logging.StreamHandler"
      stream: "ext://sys.stdout"
  loggers:
    "fluffy":
      handlers:
        - "console"
      level: "INFO"
      propagate: true
    "werkzeug":
      handlers:
        - "console"
      level: "ERROR"
```
Fluffy interfaces in the form of {'interface' => { .. }}. Defaults to:

```yaml
fluffy::interfaces:
  loopback:
    interface: 'lo'
```
Fluffy addressbook in the form of {'address' => { .. }}. Defaults to:

```yaml
fluffy::addressbook:
  admins:
    address: '0.0.0.0/0'
  loopback_net:
    address: '127.0.0.0/8'
```
Fluffy services in the form of {'service' => { .. }}. Defaults to:

```yaml
fluffy::services:
  dhcp:
    src_port:
      - '67:68'
    dst_port:
      - '67:68'
    protocol: 'udp'
  fluffy_api:
    dst_port:
      - 8676
    protocol: 'tcp'
  smtp:
    dst_port:
      - 25
    protocol: 'tcp'
  ssh:
    dst_port:
      - 22
    protocol: 'tcp'
```
Fluffy chains in the form of {'table:chain' => { .. }}. Defaults to:

```yaml
fluffy::chains:
  "filter:FORWARD":
    policy: 'DROP'
  "filter:FORWARD_LOGGING":
    policy: 'ACCEPT'
  "filter:INPUT":
    policy: 'DROP'
  "filter:INPUT_LOGGING":
    policy: 'ACCEPT'
  "filter:OUTPUT":
    policy: 'ACCEPT'
```
Fluffy rules in the form of {'table:chain:rule' => { .. }}. Defaults to:

```yaml
fluffy::rules:
  "filter:INPUT:invalid_state":
    order: 0
    ctstate:
      - 'INVALID'
    in_interface: 'any'
    jump: 'INPUT_LOGGING'
  "filter:FORWARD:invalid_state":
    order: 0
    ctstate:
      - 'INVALID'
    in_interface: 'any'
    jump: 'FORWARD_LOGGING'
    out_interface: 'any'
  "filter:INPUT:established":
    order: 10
    action: 'ACCEPT'
    ctstate:
      - 'ESTABLISHED'
      - 'RELATED'
    in_interface: 'any'
  "filter:FORWARD:established":
    order: 10
    action: 'ACCEPT'
    ctstate:
      - 'ESTABLISHED'
      - 'RELATED'
    in_interface: 'any'
  "filter:INPUT:antispoof":
    order: 20
    action: 'DROP'
    in_interface: 'loopback'
    negate_src_address: true
    src_address:
      - 'loopback_net'
  "filter:INPUT:loopback":
    order: 30
    action: 'ACCEPT'
    in_interface: 'loopback'
  "filter:INPUT:ssh_admins":
    order: 50
    action: 'ACCEPT'
    comment: 'Allow SSH in'
    dst_service:
      - 'ssh'
    in_interface: 'any'
    src_address:
      - 'admins'
  "filter:INPUT:fluffy_api":
    order: 50
    action: 'ACCEPT'
    comment: 'Allow access to Fluffy REST API'
    dst_service:
      - 'fluffy_api'
    in_interface: 'any'
    src_address:
      - 'admins'
  "filter:FORWARD:logging":
    order: 900
    in_interface: 'any'
    jump: 'FORWARD_LOGGING'
    out_interface: 'any'
  "filter:INPUT:logging":
    order: 900
    in_interface: 'any'
    jump: 'INPUT_LOGGING'
  "filter:FORWARD_LOGGING:logging_log":
    order: 999
    action: 'LOG'
    in_interface: 'any'
    limit: '2/min'
    log_level: 'warning'
    log_prefix: 'Fluffy CHAIN=FORWARD '
    out_interface: 'any'
  "filter:INPUT_LOGGING:logging_log":
    order: 999
    action: 'LOG'
    in_interface: 'any'
    limit: '2/min'
    log_level: 'warning'
    log_prefix: 'Fluffy CHAIN=INPUT '
```

Rule ordering can be specified by using the order parameter.
Fluffy rollback checks in the form of {'check' => { .. }}. Defaults to:

```yaml
fluffy::checks:
  ssh:
    type: tcp
    port: 22
  fluffy_api:
    type: tcp
    port: 8676
```
Purge unmanaged rules. Defaults to true.

Path to the Fluffy data directory. Defaults to /var/lib/fluffy.

Path to the Fluffy configuration directory. Defaults to /etc/fluffy.

Path to the Fluffy configuration file. Defaults to $config_dir/fluffy.yaml.

Whether we should manage Fluffy's configuration file or not. Defaults to true.

Path to the Fluffy logging file. Defaults to $config_dir/logging.yaml.

Whether we should manage Fluffy's logging file or not. Defaults to true.

Rubygems dependencies for Fluffy. Defaults to:

```yaml
fluffy::gem_dependencies:
  "fluffy-ruby": {}
```

Installation packages for Fluffy. Defaults to:

```yaml
fluffy::packages:
  "fluffy": {}
```

Fluffy service provider. Can be either default or docker. Defaults to default.

Fluffy service options when using docker as a provider.

Fluffy service name. Defaults to fluffy.

Whether we should manage the service runtime or not. Defaults to true.

Whether the resource is running or not. Valid values are running, stopped. Defaults to running.

Whether the service is onboot enabled or not. Defaults to true.
fluffy_chain manages Fluffy chains.

```puppet
fluffy_chain {"<table>:<chain>": }
```

Chain name.

Packet filtering table. Valid values are: filter, nat, mangle, raw, security.

Default policy. Valid values are: ACCEPT, DROP, RETURN. Defaults to ACCEPT.

Whether the resource is present or not. Valid values are present, absent. Defaults to present.
fluffy_interface manages Fluffy interfaces.

```puppet
fluffy_interface {"interface": }
```

Interface name.

The actual network interface.

Whether the resource is present or not. Valid values are present, absent. Defaults to present.
fluffy_address manages the Fluffy addressbook.

```puppet
fluffy_address {"address": }
```

Address name.

List of one or more addresses. Each can be a reference to another address in the addressbook, a valid CIDR or an IP range.

Whether the resource is present or not. Valid values are present, absent. Defaults to present.
fluffy_service manages the Fluffy services.

```puppet
fluffy_service {"service": }
```

Service name.

Source port(s). Ports must be between 1-65535 or a valid port range.

Destination port(s). Ports must be between 1-65535 or a valid port range.

Network protocol. Valid values are: ip, tcp, udp, icmp, ipv6-icmp, esp, ah, vrrp, igmp, ipencap, ipv4, ipv6, ospf, gre, cbt, sctp, pim, all. Defaults to all.

Whether the resource is present or not. Valid values are present, absent. Defaults to present.
```puppet
fluffy_rule {"table:chain:rule": }
```

Rule name.

Rule packet filtering table.

Rule chain name.

Specify the rule position by index. Avoid using it in favour of the order parameter in Hiera.

Specify that the rule should precede the given rule. Avoid using it in favour of the order parameter in Hiera.

Specify that the rule should follow the given rule. Avoid using it in favour of the order parameter in Hiera.

Rule action. Valid values are: absent, ACCEPT, DROP, REJECT, QUEUE, RETURN, DNAT, SNAT, LOG, MASQUERADE, REDIRECT, MARK, TCPMSS. Defaults to absent.

Rule jump target. Defaults to absent.

Negate protocol. Defaults to false.
Network protocol. Valid values are: absent, ip, tcp, udp, icmp, ipv6-icmp, esp, ah, vrrp, igmp, ipencap, ipv4, ipv6, ospf, gre, cbt, sctp, pim, all. Defaults to absent.

Negate ICMP type. Defaults to false.
ICMP type. Valid values are: absent, any, echo-reply, destination-unreachable, network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, source-quench, redirect, network-redirect, host-redirect, TOS-network-redirect, TOS-host-redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, ttl-zero-during-transit, ttl-zero-during-reassembly, parameter-problem, ip-header-bad, required-option-missing, timestamp-request, timestamp-reply, address-mask-request, address-mask-reply. Defaults to absent.
Negate TCP flags. Defaults to false.

TCP flags. Defaults to absent.

Negate conntrack state(s). Defaults to false.

Conntrack state(s). Defaults to [].

Negate connection state(s). Defaults to false.

Connection state(s). Defaults to [].

Negate source range address(es). Defaults to false.

Source range address(es). Addresses must be valid IP ranges. Defaults to [].

Negate destination range address(es). Defaults to false.

Destination range address(es). Addresses must be valid IP ranges. Defaults to [].

Negate input interface. Defaults to false.

Input interface(s). Defaults to [].

Negate output interface. Defaults to false.

Output interface(s). Defaults to [].

Negate source address(es). Defaults to false.

Source address(es). Addresses must be valid addressbook entries. Defaults to [].

Negate destination address(es). Defaults to false.

Destination address(es). Addresses must be valid addressbook entries. Defaults to [].

Negate source service(s). Defaults to false.

Source service(s). Defaults to [].

Negate destination service(s). Defaults to false.

Destination service(s). Defaults to [].
Reject with. Valid values are: absent, icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, icmp-admin-prohibited. Defaults to absent.

Set maximum segment size (MSS). Defaults to absent.

Clamp MSS to path MTU. Defaults to false.

Source NAT. Defaults to absent.

Destination NAT. Defaults to absent.

Limit rate. Defaults to absent.

Limit burst. Defaults to absent.

Log level. Valid values are: absent, emerg, alert, crit, err, warning, notice, info, debug. Defaults to absent.

Comment. Defaults to absent.

Whether the resource is present or not. Valid values are present, absent. Defaults to present.
fluffy_test manages the Fluffy test process. This will only run upon receiving refresh events.

```puppet
fluffy_test {"session": }
```

The session name. The only valid value is puppet.
fluffy_commit manages the Fluffy commit process. This will only run upon receiving refresh events.

```puppet
fluffy_commit {"session": }
```

The session name. The only valid value is puppet.

Enable rollback. Defaults to false.

Rollback configuration after a certain period of time unless confirmed. Defaults to 0.
fluffy_confirm manages the Fluffy commit/confirm process. This will only run upon receiving refresh events.

```puppet
fluffy_confirm {"session": }
```

The session name. The only valid value is puppet.
fluffy_check manages Fluffy rollback checks.

```puppet
fluffy_check {"check": }
```

Check name.

Check type. Valid values are tcp, exec.

Command to execute.

TCP host.

TCP port.

Check timeout in seconds. Defaults to 5.

Whether the resource is present or not. Valid values are present, absent. Defaults to present.
The entire module data is driven via Hiera.
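As an added example that is not part of the module's own documentation, the Hiera data below layers site-specific entries on top of the defaults listed above: a new addressbook entry, a service, an INPUT rule slotted by order between the loopback and admin rules, and a matching rollback check. It assumes a Hiera 5 hierarchy in which the lookup_options shown deep-merge these hashes with the module defaults rather than replacing them; the 198.51.100.0/24 network and the office/http names are constructed placeholders.

```yaml
# Added example (not module code): site data layered over the fluffy defaults.
# Assumption: lookup_options deep-merges these hashes with the module's own
# defaults, so only the entries declared here are added or overridden.
lookup_options:
  fluffy::addressbook:
    merge: deep
  fluffy::services:
    merge: deep
  fluffy::rules:
    merge: deep
  fluffy::checks:
    merge: deep

fluffy::addressbook:
  office:
    address: '198.51.100.0/24'   # constructed documentation network
  # Narrow the default admins entry (0.0.0.0/0) so the ssh_admins and
  # fluffy_api rules only accept traffic from the office network.
  admins:
    address: 'office'            # entries may reference other addressbook names

fluffy::services:
  http:
    dst_port:
      - 80
    protocol: 'tcp'

fluffy::rules:
  # order 40 lands after antispoof (20) and loopback (30) and before the
  # admin rules (50); unmatched packets still reach INPUT_LOGGING at 900.
  "filter:INPUT:http_office":
    order: 40
    action: 'ACCEPT'
    comment: 'Allow HTTP from the office'
    dst_service:
      - 'http'
    in_interface: 'any'
    src_address:
      - 'office'

fluffy::checks:
  # Rollback check for the new service; only meaningful once something
  # listens on port 80, otherwise it fails and the commit is rolled back.
  http:
    type: tcp
    port: 80
```

Narrowing admins matters because the defaults accept SSH and the Fluffy REST API from any source; the default ssh and fluffy_api checks are what let a committed rule set that breaks those ports be rolled back instead of locking you out.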
Matteo Cerutti - matteo.cerutti@hotmail.co.uk