556 changes: 1 addition & 555 deletions README.markdown


1,237 changes: 1,237 additions & 0 deletions REFERENCE.md


140 changes: 122 additions & 18 deletions lib/puppet/type/firewall.rb
Expand Up @@ -13,8 +13,8 @@
include Puppet::Util::Firewall

@doc = <<-PUPPETCODE
This type provides the capability to manage firewall rules within
puppet.
@summary
This type provides the capability to manage firewall rules within puppet.
**Autorequires:**
Expand All @@ -26,6 +26,109 @@
and the provider is iptables or ip6tables, the firewall resource will
autorequire those packages to ensure that any required binaries are
installed.
#### Providers
Note: Not all features are available with all providers.
* ip6tables: Ip6tables type provider
* Required binaries: ip6tables-save, ip6tables.
* Supported features: address_type, connection_limiting, dnat, hop_limiting, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
* iptables: Iptables type provider
* Required binaries: iptables-save, iptables.
* Default for kernel == linux.
* Supported features: address_type, clusterip, connection_limiting, dnat, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
#### Features
* address_type: The ability to match on source or destination address type.
* clusterip: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
* connection_limiting: Connection limiting features.
* dnat: Destination NATing.
* hop_limiting: Hop limiting features.
* icmp_match: The ability to match ICMP types.
* interface_match: Interface matching.
* iprange: The ability to match on source or destination IP range.
* ipsec_dir: The ability to match IPsec policy direction.
* ipsec_policy: The ability to match IPsec policy.
* iptables: The provider provides iptables features.
* isfirstfrag: The ability to match the first fragment of a fragmented ipv6 packet.
* isfragment: The ability to match fragments.
* ishasmorefrags: The ability to match a non-last fragment of a fragmented ipv6 packet.
* islastfrag: The ability to match the last fragment of an ipv6 packet.
* length: The ability to match the length of the layer-3 payload.
* log_level: The ability to control the log level.
* log_prefix: The ability to add prefixes to log messages.
* log_uid: The ability to log the userid of the process which generated the packet.
* mark: The ability to match or set the netfilter mark value associated with the packet.
* mask: The ability to match recent rules based on the ipv4 mask.
* nflog_group: The ability to set the group number for NFLOG.
* nflog_prefix: The ability to set a prefix for nflog messages.
* nflog_range: The ability to set nflog_range.
* nflog_threshold: The ability to set nflog_threshold.
* owner: The ability to match owners.
* pkttype: The ability to match a packet type.
* rate_limiting: Rate limiting features.
* recent_limiting: The netfilter recent module.
* reject_type: The ability to control reject messages.
* set_mss: Set the TCP MSS of a packet.
* snat: Source NATing.
* socket: The ability to match open sockets.
* state_match: The ability to match stateful firewall states.
* string_matching: The ability to match a given string by using some pattern matching strategy.
* tcp_flags: The ability to match on particular TCP flag settings.
* netmap: The ability to map entire subnets via source or destination nat rules.
* hashlimit: The ability to use the hashlimit-module.
* bpf: The ability to use Berkeley Paket Filter rules.
* ipvs: The ability to match IP Virtual Server packets.
PUPPETCODE

feature :connection_limiting, 'Connection limiting features.'
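Review bot: the Features list in this doc hunk is out of sync with the provider lists directly above it: set_mss and ipvs appear under Features but in neither provider's Supported features, hashlimit appears only under ip6tables, and the bpf entry spells "Berkeley Paket Filter" (should be "Packet"). Because this list is now hand-maintained prose inside @doc rather than derived from the `feature :...` declarations that follow, cross-check every entry against those declarations (or generate the list) before it is frozen into REFERENCE.md.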
Expand Down Expand Up @@ -76,7 +179,7 @@

ensurable do
desc <<-PUPPETCODE
Manage the state of this rule. The default action is *present*.
Manage the state of this rule.
PUPPETCODE

newvalue(:present) do
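Review bot: removing "The default action is *present*." from the ensurable desc drops the only statement of the default in this hunk; unless puppet-strings picks it up from a defaultto elsewhere in the block, the generated reference will no longer say what an unspecified ensure does. Either keep the sentence or confirm the default is emitted in REFERENCE.md.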
Expand Down Expand Up @@ -298,7 +401,7 @@ def should_to_s(value)

newproperty(:port, array_matching: :all) do
desc <<-PUPPETCODE
DEPRECATED
*note* This property has been DEPRECATED
The destination or source port to match for this filter (if the protocol
supports ports). Will accept a single element or an array.
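Review bot: the new wording "*note* This property has been DEPRECATED" still gives the user nothing actionable: it names neither the replacement properties nor the release in which port will be removed, and "*note*" renders as a single italic word rather than a callout. Suggest one sentence that names the properties to use instead and the intended removal version.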
Expand Down Expand Up @@ -424,8 +527,7 @@ def should_to_s(value)

newproperty(:proto) do
desc <<-PUPPETCODE
The specific protocol to match for this rule. By default this is
*tcp*.
The specific protocol to match for this rule.
PUPPETCODE

newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto|
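Review bot: as with ensure, dropping "By default this is *tcp*." from the proto desc removes the default from the documentation, and no defaultto is visible in this hunk; verify that one exists and that the generated reference still records tcp as the default, otherwise a reader of REFERENCE.md alone will not know proto is optional.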
Expand All @@ -451,8 +553,8 @@ def should_to_s(value)
Note that you specify them in the order that iptables --list-rules
would list them to avoid having puppet think you changed the flags.
Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
ACK,RST and FIN bits cleared. Such packets are used to request
TCP connection initiation.
ACK,RST and FIN bits cleared. Such packets are used to request
TCP connection initiation.
PUPPETCODE
end

Expand All @@ -468,8 +570,6 @@ def should_to_s(value)
* POSTROUTING
Or you can provide a user-based chain.
The default value is 'INPUT'.
PUPPETCODE

defaultto 'INPUT'
Expand All @@ -485,8 +585,6 @@ def should_to_s(value)
* filter
* raw
* rawpost
By default the setting is 'filter'.
PUPPETCODE

newvalues(:nat, :mangle, :filter, :raw, :rawpost)
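Review bot: same concern for table: "By default the setting is 'filter'." is removed, but unlike the chain hunk above, where defaultto 'INPUT' is visible in context, no defaultto appears here. Confirm one exists so the 'filter' default survives in the generated docs.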
Expand Down Expand Up @@ -1131,8 +1229,9 @@ def insync?(is)
Enable the recent module. Takes as an argument one of set, update,
rcheck or remove. For example:
```
# If anyone's appeared on the 'badguy' blacklist within
# the last 60 seconds, drop their traffic, and update the timestamp.
# the last 60 seconds, drop their traffic, and update the timestamp.
firewall { '100 Drop badguy traffic':
recent => 'update',
rseconds => 60,
Expand All @@ -1141,8 +1240,12 @@ def insync?(is)
action => 'DROP',
chain => 'FORWARD',
}
# No-one should be sending us traffic on eth0 from localhost
# Blacklist them
```
```
# No-one should be sending us traffic on eth0 from the
# localhost, Blacklist them
firewall { '101 blacklist strange traffic':
recent => 'set',
rsource => true,
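Review bot: the rewritten comment in the second recent example, "from the / # localhost, Blacklist them", reads worse than the text it replaces: "the localhost" is not idiomatic and the comma splices two sentences. Keep the original two comment lines ("# No-one should be sending us traffic on eth0 from localhost" and "# Blacklist them") inside the new fence; splitting the example into two fenced blocks is otherwise fine.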
Expand All @@ -1152,6 +1255,7 @@ def insync?(is)
action => 'DROP',
chain => 'FORWARD',
}
```
PUPPETCODE

newvalues(:set, :update, :rcheck, :remove)
Expand Down Expand Up @@ -1278,7 +1382,7 @@ def insync?(is)

newproperty(:stat_mode) do
desc <<-PUPPETCODE
Set the matching mode for statistic matching. Supported modes are `random` and `nth`.
Set the matching mode for statistic matching.
PUPPETCODE

newvalues(:nth, :random)
Expand Down Expand Up @@ -1492,7 +1596,7 @@ def should_to_s(value)

newproperty(:week_days, required_features: :iptables) do
desc <<-PUPPETCODE
Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun.
Only match on the given weekdays.
PUPPETCODE

newvalues(:Mon, :Tue, :Wed, :Thu, :Fri, :Sat, :Sun)
Expand Down Expand Up @@ -1526,7 +1630,7 @@ def should_to_s(value)
newproperty(:clusterip_hashmode, required_features: :clusterip) do
desc <<-PUPPETCODE
Used with the CLUSTERIP jump target.
Specify the hashing mode. Valid values: sourceip, sourceip-sourceport, sourceip-sourceport-destport.
Specify the hashing mode.
PUPPETCODE

newvalues(:sourceip, :'sourceip-sourceport', :'sourceip-sourceport-destport')
12 changes: 11 additions & 1 deletion lib/puppet/type/firewallchain.rb
Expand Up @@ -11,7 +11,8 @@
include Puppet::Util::Firewall

@doc = <<-PUPPETCODE
This type provides the capability to manage rule chains for firewalls.
@summary
This type provides the capability to manage rule chains for firewalls.
Currently this supports only iptables, ip6tables and ebtables on Linux. And
provides support for setting the default policy on chains and tables that
Expand All @@ -21,6 +22,13 @@
If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
and the provider is iptables_chain, the firewall resource will autorequire
those packages to ensure that any required binaries are installed.
#### Providers
* iptables_chain is the only provider that supports firewallchain.
#### Features
* iptables_chain: The provider provides iptables chain features.
* policy: Default policy (inbuilt chains only).
PUPPETCODE

feature :iptables_chain, 'The provider provides iptables chain features.'
Expand Down Expand Up @@ -133,13 +141,15 @@
'(?i)foo' or '(?i:foo)'
Full example:
```
firewallchain { 'INPUT:filter:IPv4':
purge => true,
ignore => [
'-j fail2ban-ssh', # ignore the fail2ban jump rule
'--comment "[^"]*(?i:ignore)[^"]*"', # ignore any rules with "ignore" (case insensitive) in the comment in the rule
],
}
```
PUPPETCODE

validate do |value|
35 changes: 27 additions & 8 deletions manifests/init.pp
@@ -1,15 +1,34 @@
# = Class: firewall
# @summary
# Performs the basic setup tasks required for using the firewall resources.
#
# Manages packages and services required by the firewall type/provider.
# At the moment this takes care of:
#
# This class includes the appropriate sub-class for your operating system,
# where supported.
# iptables-persistent package installation
# Include the firewall class for nodes that need to use the resources in this module:
#
# == Parameters:
# @example
# class { 'firewall': }
#
# [*ensure*]
# Ensure parameter passed onto Service[] resources.
# Default: running
# @param ensure
# Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'.
#
# @param ensure_v6
# Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'.
#
# @param pkg_ensure
# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'.
#
# @param service_name
# Specify the name of the IPv4 iptables service.
#
# @param service_name_v6
# Specify the name of the IPv6 iptables service.
#
# @param package_name
# Specify the platform-specific package(s) to install.
#
# @param ebtables_manage
# Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
#
class firewall (
$ensure = running,
33 changes: 20 additions & 13 deletions manifests/linux.pp
@@ -1,20 +1,27 @@
# = Class: firewall::linux
# @summary Main linux class, includes all other classes
#
# Installs the `iptables` package for Linux operating systems and includes
# the appropriate sub-class for any distribution specific services and
# additional packages.
# @param ensure
# Controls the state of the ipv4 iptables service on your system. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# == Parameters:
# @param ensure_v6
# Controls the state of the ipv6 iptables service on your system. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# [*ensure*]
# Ensure parameter passed onto Service[] resources. When `running` the
# service will be started on boot, and when `stopped` it will not.
# Default: running
# @param pkg_ensure
# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
#
# [*ensure_v6*]
# Ensure parameter passed onto Service[] resources. When `running` the
# service will be started on boot, and when `stopped` it will not.
# Default: running
# @param service_name
# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# @param service_name_v6
# Specify the name of the IPv6 iptables service. Defaults defined in firewall::params.
#
# @param package_name
# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param ebtables_manage
# Controls whether puppet manages the ebtables package or not. If managed, the package will use the value of pkg_ensure.
#
# @api private
#
class firewall::linux (
$ensure = running,
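Review bot: the new "@summary Main linux class, includes all other classes" is less precise than the prose it replaces, which said the class installs the iptables package and includes the distribution-specific sub-class; "includes all other classes" is not what the class does. Suggest "Installs the iptables package and includes the distribution-specific sub-class." as the summary.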
25 changes: 15 additions & 10 deletions manifests/linux/archlinux.pp
@@ -1,17 +1,22 @@
# = Class: firewall::linux::archlinux
# @summary
# Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Arch Linux systems.
#
# Manages `iptables` and `ip6tables` services, and creates files used for
# persistence, on Arch Linux systems.
# @param ensure
# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# == Parameters:
# @param enable
# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# [*ensure*]
# Ensure parameter passed onto Service[] resources.
# Default: running
# @param service_name
# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# [*enable*]
# Enable parameter passed onto Service[] resources.
# Default: true
# @param package_name
# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
#
# @api private
#
class firewall::linux::archlinux (
$ensure = 'running',
25 changes: 15 additions & 10 deletions manifests/linux/debian.pp
@@ -1,17 +1,22 @@
# = Class: firewall::linux::debian
# @summary
# Installs the `iptables-persistent` package for Debian-alike systems. This allows rules to be stored to file and restored on boot.
#
# Installs the `iptables-persistent` package for Debian-alike systems. This
# allows rules to be stored to file and restored on boot.
# @param ensure
# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# == Parameters:
# @param enable
# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# [*ensure*]
# Ensure parameter passed onto Service[] resources.
# Default: running
# @param service_name
# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# [*enable*]
# Enable parameter passed onto Service[] resources.
# Default: true
# @param package_name
# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
#
# @api private
#
class firewall::linux::debian (
$ensure = running,
25 changes: 15 additions & 10 deletions manifests/linux/gentoo.pp
@@ -1,17 +1,22 @@
# = Class: firewall::linux::gentoo
# @summary
# Manages `iptables` and `ip6tables` services, and creates files used for persistence, on Gentoo Linux systems.
#
# Manages `iptables` and `ip6tables` services, and creates files used for
# persistence, on Gentoo Linux systems.
# @param ensure
# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# == Parameters:
# @param enable
# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# [*ensure*]
# Ensure parameter passed onto Service[] resources.
# Default: running
# @param service_name
# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# [*enable*]
# Enable parameter passed onto Service[] resources.
# Default: true
# @param package_name
# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
#
# @api private
#
class firewall::linux::gentoo (
$ensure = 'running',
51 changes: 28 additions & 23 deletions manifests/linux/redhat.pp
@@ -1,29 +1,34 @@
# = Class: firewall::linux::redhat
# @summary
# Manages the `iptables` service on RedHat-alike systems.
#
# Manages the `iptables` service on RedHat-alike systems.
# @param ensure
# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'running'.
#
# == Parameters:
# @param ensure_v6
# Ensure parameter passed onto Service[] resources. Valid options: 'running' or 'stopped'. Defaults to 'undef'.
#
# [*ensure*]
# Ensure parameter passed onto Service[] resources.
# Default: running
# @param enable
# Enable parameter passed onto Service[] resources. Defaults to 'true'.
#
# [*ensure_v6*]
# Ensure parameter passed onto Service[] resources.
# Default: undef
# @param enable_v6
# Enable parameter passed onto Service[] resources. Defaults to 'undef'.
#
# [*enable*]
# Enable parameter passed onto Service[] resources.
# Default: true
# @param service_name
# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# [*enable_v6*]
# Enable parameter passed onto Service[] resources.
# Default: undef
# @param service_name_v6
# Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.
#
# [*sysconfig_manage*]
# Enable sysconfig configuration for iptables/ip6tables files. This is
# disabled for RedHat 8+ or CentOS 8+
# Default: true
# @param package_name
# Specify the platform-specific package(s) to install. Defaults defined in firewall::params.
#
# @param package_ensure
# Controls the state of the iptables package on your system. Valid options: 'present' or 'latest'. Defaults to 'latest'.
#
# @param sysconfig_manage
# Enable sysconfig configuration for iptables/ip6tables files. Defaults defined in firewall::params. This is disabled for RedHat/CentOS 8+.
#
# @api private
#
class firewall::linux::redhat (
$ensure = running,
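Review bot: the @param service_name_v6 description reads "Specify the name of the IPv4 iptables service", a copy of the service_name entry; it should say IPv6. Also, ensure_v6 and enable_v6 are documented as "Defaults to 'undef'", which will render as a quoted string rather than the Puppet undef value; "Defaults to undef" is clearer.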
Expand Down Expand Up @@ -59,10 +64,10 @@
}

if $package_name {
package { $package_name:
ensure => $package_ensure,
before => Service[$service_name],
}
ensure_packages($package_name, {
'ensure' => $package_ensure,
'before' => Service[$service_name]}
)
}

if ($::operatingsystem != 'Amazon')
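Review bot: replacing the explicit package resource with ensure_packages changes failure semantics: if a Package resource for any element of $package_name is already declared elsewhere in the catalog, ensure_packages skips it and the 'before' => Service[$service_name] relationship in this hunk is silently not applied, so the iptables or nftables service can be started before its package is installed. If the goal is only to avoid duplicate-declaration errors now that package_name is an array on EL8, say so in a comment, and close the hash on the same line so the call reads `'before' => Service[$service_name] })` instead of the dangling `)`.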
11 changes: 7 additions & 4 deletions manifests/params.pp
@@ -1,4 +1,7 @@
# Manifest containing module parameters
# @summary Provides defaults for the Apt module parameters.
#
# @api private
#
class firewall::params {
$package_ensure = 'present'
case $::osfamily {
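Review bot: the new "@summary Provides defaults for the Apt module parameters." is copied from another module; this is firewall::params, so the summary should say "firewall module parameters".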
Expand All @@ -22,9 +25,9 @@
}
default: {
if versioncmp($::operatingsystemrelease, '8.0') >= 0 {
$service_name = 'nftables'
$service_name_v6 = undef
$package_name = 'nftables'
$service_name = ['iptables', 'nftables']
$service_name_v6 = 'ip6tables'
$package_name = ['iptables-services', 'nftables']
$sysconfig_manage = false
} elsif versioncmp($::operatingsystemrelease, '7.0') >= 0 {
$service_name = 'iptables'
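Review bot: on EL8+ this hunk now installs iptables-services next to nftables and enables both the iptables and nftables services while leaving sysconfig_manage false, so this module does not manage the sysconfig iptables files; that leaves two boot-time rule loaders whose interaction is documented neither here nor in the redhat class docs. State which persisted ruleset is authoritative on EL8, and record the change in the changelog next to the 2.0.0 bump, since existing EL8 users will get an extra package and service on upgrade.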
14 changes: 7 additions & 7 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "puppetlabs-firewall",
"version": "1.15.3",
"version": "2.0.0",
"author": "puppetlabs",
"summary": "Manages Firewalls such as iptables",
"license": "Apache-2.0",
Expand All @@ -10,7 +10,7 @@
"dependencies": [
{
"name": "puppetlabs/stdlib",
"version_requirement": ">= 4.0.0 < 6.0.0"
"version_requirement": ">= 4.0.0 < 7.0.0"
}
],
"operatingsystem_support": [
Expand Down Expand Up @@ -71,10 +71,10 @@
"requirements": [
{
"name": "puppet",
"version_requirement": ">= 4.7.0 < 7.0.0"
"version_requirement": ">= 5.5.10 < 7.0.0"
}
],
"template-url": "https://github.com/puppetlabs/pdk-templates",
"template-ref": "heads/master-0-gfde5699",
"pdk-version": "1.8.0"
}
"template-url": "https://github.com/puppetlabs/pdk-templates#master",
"template-ref": "heads/master-0-gf778803",
"pdk-version": "1.10.0"
}
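Review bot: raising the puppet requirement from >= 4.7.0 to >= 5.5.10 and the stdlib cap to < 7.0.0 drops Puppet 4 support, which together with the 2.0.0 version bump should be listed as a breaking change in the changelog; the template-url, template-ref and pdk-version churn is unrelated PDK sync noise and would be cleaner as its own commit.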
22 changes: 19 additions & 3 deletions spec/unit/classes/firewall_linux_redhat_spec.rb
Expand Up @@ -165,7 +165,10 @@
ensure: 'running',
enable: 'true',
)
is_expected.not_to contain_service('iptables')
is_expected.to contain_service('iptables').with(
ensure: 'running',
enable: 'true',
)
}

context 'with ensure => stopped' do
Expand All @@ -175,6 +178,9 @@
is_expected.to contain_service('nftables').with(
ensure: 'stopped',
)
is_expected.to contain_service('iptables').with(
ensure: 'stopped',
)
}
end

Expand All @@ -185,21 +191,31 @@
is_expected.to contain_service('nftables').with(
enable: 'false',
)
is_expected.to contain_service('iptables').with(
enable: 'false',
)
}
end

it {
is_expected.to contain_service('firewalld').with(
ensure: 'stopped',
enable: false,
before: ['Package[nftables]', 'Service[nftables]'],
before: ['Package[iptables-services]', 'Package[nftables]', 'Service[iptables]', 'Service[nftables]'],
)
}

it {
is_expected.to contain_package('iptables-services').with(
ensure: 'present',
before: ['Service[iptables]', 'Service[nftables]'],
)
}

it {
is_expected.to contain_package('nftables').with(
ensure: 'present',
before: 'Service[nftables]',
before: ['Service[iptables]', 'Service[nftables]'],
)
}
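Review bot: the updated expectations cover only the path where this class declares both packages itself; nothing exercises the ensure_packages branch in redhat.pp when Package['iptables-services'] or Package['nftables'] is already declared elsewhere in the catalog. Add a context that pre-declares one of them and asserts the expected before relationships, so a lost ordering is caught in rspec rather than at boot.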
