Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make firewalld_service autorequire the custom_service #30

Merged
merged 1 commit into from
Dec 9, 2015
Merged

Make firewalld_service autorequire the custom_service #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 14 additions & 14 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

## Description

This module manages firewalld, the userland interface that replaces iptables and ships with RHEL7. The module manages firewalld itself as well as providing types and providers for managing firewalld zones, ports, and rich rules.
This module manages firewalld, the userland interface that replaces iptables and ships with RHEL7. The module manages firewalld itself as well as providing types and providers for managing firewalld zones, ports, and rich rules.

## Usage

Expand Down Expand Up @@ -32,12 +32,12 @@ _Example_:
* `purge_rich_rules`: Optional, and defaulted to false. When true any configured rich rules found in the zone that do not match what is in the Puppet catalog will be purged.
* `purge_services`: Optional, and defaulted to false. When true any configured services found in the zone that do not match what is in the Puppet catalog will be purged. *Warning:* This includes the default ssh service, if you need SSH to access the box, make sure you add the service through either a rich firewall rule, port, or service (see below) or you will lock yourself out!
* `purge_ports`: Optional, and defaulted to false. When true any configured ports found in the zone that do not match what is in the Puppet catalog will be purged. *Warning:* As with services, this includes the default ssh port. If you fail to specify the appropriate port, rich rule, or service, you will lock yourself out.
*

### Firewalld rich rules

Firewalld rich rules are managed using the `firewalld_rich_rule` resource type

firewalld_rich_rules will `autorequire` the firewalld_zone specified in the `zone` parameter so there is no need to add dependencies for this
firewalld_rich_rules will `autorequire` the firewalld_zone specified in the `zone` parameter so there is no need to add dependencies for this

_Example_:

Expand Down Expand Up @@ -67,28 +67,28 @@ _Example_:
* `dest`: Source address information. This can be a hash containing the keys `address` and `invert`, or a string containing just the IP address
```puppet
dest => '192.168.2.1',

dest => { 'address' => '192.168.1.1', 'invert' => true }
```

* `log`: When set to `true` will enable logging, optionally this can be hash with `prefix`, `level` and `limit`
```puppet
log => { 'level' => 'debug', 'prefix' => 'foo' },

log => true,
```

* `audit`: When set to `true` will enable auditing, optionally this can be hash with `limit`
```puppet
audit => { 'limit' => '3/s' },

audit => true,
```

* `action`: A string containing the action `accept`, `reject` or `drop`. For `reject` it can be optionally supplied as a hash containing `type`
```puppet
action => 'accept'

action => { 'action' => 'reject', 'type' => 'bad' }
```

Expand Down Expand Up @@ -170,27 +170,27 @@ and you will also see 'XZY' in the service list when you issue ```firewall-cmd -
* `port`: (Optional) The protocol / port definitions for this service. Specified as an array of hashes, where each hash defines a protocol and/or port associated with this service. Each hash requires both port and protocol keys, even if the value is an empty string. Specifying a port only works for TCP & UDP, otherwise leave it empty and the entire protocol will be allowed. Valid protocols are tcp, udp, or any protocol defined in /etc/protocols
```puppet
port => [{'port' => '1234', 'protocol' => 'tcp'}],

port => [{'port' => '4321', 'protocol' => 'udp'}, {'protocol' => 'rdp'}],
```

* `module`: (Optional) An array of strings specifying netfilter kernel helper modules associated with this service

* `destination`: (Optional) A hash specifying the destination network as a network IP address (optional with /mask), or a plain IP address. Valid hash keys are 'ipv4' and 'ipv6', with values corresponding to the IP / mask associated with each of those protocols. The use of hostnames is possible but not recommended, because these will only be resolved at service activation and transmitted to the kernel.
```puppet
destination => {'ipv4' => '127.0.0.1', 'ipv6' => '::1'},

destination => {'ipv4' => 192.168.0.0/24'},
```

* `config_dir`: The location where the service definition XML files will be stored. Defaults to /etc/firewalld/services

### Firewalld Service

The `firewalld_service` type is used to add or remove both built in and custom services from zones.

firewalld_service will `autorequire` the firewalld_zone specified in the `zone` parameter so there is no need to add dependencies for this

firewalld_service will `autorequire` the firewalld_zone specified in the `zone` parameter and the firewalld::custom_service
specified in the `service` parameter, so there is no need to add dependencies for this

_Example_:

Expand All @@ -212,7 +212,7 @@ _Example_:

Firewalld ports can be managed with the `firewalld_port` resource type.

firewalld_port will `autorequire` the firewalld_zone specified in the `zone` parameter so there is no need to add dependencies for this
firewalld_port will `autorequire` the firewalld_zone specified in the `zone` parameter so there is no need to add dependencies for this

_Example_:

Expand Down
22 changes: 14 additions & 8 deletions lib/puppet/type/firewalld_service.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,34 +3,40 @@
Puppet::Type.newtype(:firewalld_service) do

@doc =%q{Assigns a service to a specific firewalld zone.
firewalld_service will autorequire the firewalld_zone specified in the zone parameter so there is no need to add dependencies for this

firewalld_service will autorequire the firewalld_zone specified in the zone parameter and the firewalld::custom_service
specified in the service parameter, so there is no need to add dependencies for this

Example:

firewalld_service {'Allow SSH in the public Zone':
ensure => 'present',
zone => 'public',
service => 'ssh',
}

}

ensurable

newparam(:name, :namevar => :true) do
desc "Name of the service resource in Puppet"
end

newparam(:service) do
desc "Name of the service to add"
end

newparam(:zone) do
desc "Name of the zone to which you want to add the service"
end

autorequire(:firewalld_zone) do
self[:zone]
end

autorequire(:service) do
self.catalog.resources.select { |res|
res.title == "Firewalld::Custom_service[#{self[:service]}]"
}
end
end