Ticket/10162 firewallchain support for merge #62
Conversation
Add firewallchain type and iptables_chain provider. This is required to support the firewall class and it is envisaged that an autorequire will be used to automatically require the user chain. This type can also set policies on inbuilt chains. Provider covers ebtables (optional), iptables, ip6tables.
|
nice. Needs fix to include small documentation bug that thomasvs found: thomasvs@1a4fcfc |
* Convert commands to optional_commands to avoid iptables installation chicken & egg scenarios. * Downcase tables to match the table names in xtables * Force fully qualifying the name as <table>:<chain>:<protocol>, we can add meaningful defaults later. * puppet resource <name> command wasn't working as expected, but stripping out some of the meaningful defaults I was able to get this to work. * Reformat some of the code to avoid overrunning 80 chars where possible * Remove trailing whitespace * Add flush to provider so that resource modifications immediately update the resource in reports and when using puppet resource. * Removed any commented out code * Improved documentation * Change policy so its undefined when not set, instead of being :empty * Fix test mocking so they will run on a Mac
|
@grooverdan done. |
|
Ah, one more in self.instances. The |
We've decided to change the ordering of the namevar so that it is now:
chain:table:protocol
So its closer to a linear hierachy ie. chain in table in protocol.
Previously this was table:chain:protocol which made less sense.
|
@chrisboulton: does that look better Chris? |
|
Should do. I'll test it out when I'm in the office tomorrow. |
|
Looks good - have the module in use now with no problems. |
|
@chrisboulton good to hear - thanks for the independent tests mate your efforts are very much appreciated. @dcarley, @saysjonathan if you can spend some time looking at this that would be sweet - if you are happy feel free to merge this in. |
|
Will do. I'll finish my review this evening. |
|
I'm happy. Any objections for @dcarley? |
|
Looks good! Tested on EL5 and EL6. Small fix to the README. One of the namevars is the wrong way round and there's a missing require param: diff --git a/README.markdown b/README.markdown
index b80d292..bbef110 100644
--- a/README.markdown
+++ b/README.markdown
@@ -105,7 +105,7 @@ Creating a new rule that forwards to a chain, then adding a rule to this chain:
firewall { '100 forward to MY_CHAIN':
chain => 'INPUT',
jump => 'MY_CHAIN',
- require => Firewallchain["filter:MY_CHAIN:IPv4"],
+ require => Firewallchain["MY_CHAIN:filter:IPv4"],
}
# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
@@ -116,6 +116,7 @@ Creating a new rule that forwards to a chain, then adding a rule to this chain:
action => 'accept',
proto => 'tcp',
dport => 5000,
+ require => Firewallchain["MY_CHAIN:filter:IPv4"],
}
You can make firewall rules persistent with the following iptables example:On that topic, my only suggestion would be for any err: /Firewall[100 forward to MY_CHAIN]/ensure: change from absent to present failed: Execution of '/sbin/iptables -I INPUT 1 -t filter -p tcp -m comment --comment 100 forward to MY_CHAIN -j MY_CHAIN' returned 2: iptables v1.4.7: Couldn't load target `MY_CHAIN':/lib64/xtables/libipt_MY_CHAIN.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.I thought this might be easy to add, but of course a |
|
@dcarley I've fixed the README now. I think the autorequire should be done in another commit at this point. You shouldn't need to do a search, as the table & protocol should be known to the firewall resource (table is either set or defaulting to filter - protocol is based on the provider). |
|
Good point 👍 |
|
Can someone hit merge? :-) |
…t_for_merge Ticket/10162 firewallchain support for merge
This patch set provides the firewallchain resource from Daniel Black.
This is a patch on top of PR #59 to fix a number of problems I found during testing.