Skip to content

Commit

Permalink
MODULES-1469 MODULES-1470 Support alias (eth0:0), negation for inifac…
Browse files Browse the repository at this point in the history
…e, outiface
  • Loading branch information
hesco authored and Morgan Haskel committed Dec 3, 2014
1 parent 6b30817 commit b6e58ba
Show file tree
Hide file tree
Showing 6 changed files with 96 additions and 11 deletions.
14 changes: 10 additions & 4 deletions README.markdown
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,13 @@ The rules in the `pre` and `post` classes are fairly general. These two classes
iniface => 'lo',
action => 'accept',
}->
firewall { '002 accept related established rules':
firewall { "002 reject local traffic not on loopback interface":
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}->
firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
Expand Down Expand Up @@ -201,7 +207,7 @@ class profile::apache {
###Rule inversion
Firewall rules may be inverted by prefixing the value of a parameter by "! ". If the value is an array, then every item in the array must be prefixed as iptables does not understand inverting a single value.

Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, port, proto, source, sport, src\_range, src\_type, and state.
Parameters that understand inversion are: connmark, ctstate, destination, dport, dst\_range, dst\_type, iniface, outiface, port, proto, source, sport, src\_range, src\_type, and state.

Examples:

Expand Down Expand Up @@ -440,7 +446,7 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `icmp`: When matching ICMP packets, this indicates the type of ICMP packet to match. A value of 'any' is not supported. To match any type of ICMP packet, the parameter should be omitted or undefined. Requires the `icmp_match` feature.

* `iniface`: Input interface to filter on. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'. Requires the `interface_match` feature.
* `iniface`: Input interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.

* `ipsec_dir`: Sets the ipsec policy direction. Valid values are 'in', 'out'. Requires the `ipsec_dir` feature.

Expand Down Expand Up @@ -485,7 +491,7 @@ firewall { '999 this runs last':

Depending on the provider, the name of the rule can be stored using the comment feature of the underlying firewall subsystem. Values must match '/^\d+[[:alpha:][:digit:][:punct:][:space:]]+$/'.

* `outiface`: Output interface to filter on. Values must match '/^[a-zA-Z0-9\-\._\+]+$/'. Requires the `interface_match` feature.
* `outiface`: Output interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.

* `pkttype`: Sets the packet type to match. Valid values are: 'unicast', 'broadcast', and'multicast'. Requires the `pkttype` feature.

Expand Down
16 changes: 12 additions & 4 deletions lib/puppet/type/firewall.rb
Original file line number Diff line number Diff line change
Expand Up @@ -428,16 +428,24 @@ def should_to_s(value)
# Interface specific matching properties
newproperty(:iniface, :required_features => :interface_match) do
desc <<-EOS
Input interface to filter on.
Input interface to filter on. Supports interface alias like eth0:0.
To negate the match try this:
iniface => '! lo',
EOS
newvalues(/^[a-zA-Z0-9\-\._\+]+$/)
newvalues(/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/)
end

newproperty(:outiface, :required_features => :interface_match) do
desc <<-EOS
Output interface to filter on.
Output interface to filter on. Supports interface alias like eth0:0.
To negate the match try this:
outiface => '! lo',
EOS
newvalues(/^[a-zA-Z0-9\-\._\+]+$/)
newvalues(/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/)
end

# NAT specific properties
Expand Down
26 changes: 24 additions & 2 deletions spec/acceptance/rules_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,12 @@ class { '::firewall': }
action => 'accept',
before => Firewallchain['INPUT:filter:IPv4'],
}
firewall { "011 reject local traffic not on loopback interface":
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}
firewall { '012 accept loopback':
iniface => 'lo',
action => 'accept',
Expand All @@ -158,7 +164,14 @@ class { '::firewall': }
action => 'accept',
before => Firewallchain['INPUT:filter:IPv4'],
}
firewall { '025 smtp':
outiface => '! eth0:2',
chain => 'OUTPUT',
proto => 'tcp',
dport => '25',
state => 'NEW',
action => 'accept',
}
firewall { '013 icmp echo-request':
proto => 'icmp',
icmp => 'echo-request',
Expand All @@ -175,12 +188,18 @@ class { '::firewall': }
icmp => 'time-exceeded',
action => 'accept',
}
firewall { '443 ssl on aliased interface':
proto => 'tcp',
dport => '443',
state => 'NEW',
action => 'accept',
iniface => 'eth0:3',
}
firewall { '999 reject':
action => 'reject',
reject => 'icmp-host-prohibited',
}
firewallchain { 'LOCAL_INPUT_PRE:filter:IPv4': }
firewall { '001 LOCAL_INPUT_PRE':
jump => 'LOCAL_INPUT_PRE',
Expand Down Expand Up @@ -238,11 +257,14 @@ class { '::firewall': }
/LOCAL_INPUT_PRE/,
/-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/,
/-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,
/-A INPUT -d 127.0.0.0\/8 ! -i lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable/,
/-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
/-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,
/-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
/-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/,
/-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/,
/-A OUTPUT ! -o eth0:2 -p tcp -m multiport --dports 25 -m comment --comment \"025 smtp\" -m state --state NEW -j ACCEPT/,
/-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m comment --comment \"443 ssl on aliased interface\" -m state --state NEW -j ACCEPT/,
/-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
/-A INPUT -m comment --comment \"999 reject\" -j REJECT --reject-with icmp-host-prohibited/,
/-A FORWARD -m comment --comment \"010 allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/
Expand Down
7 changes: 6 additions & 1 deletion spec/acceptance/standard_usage_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,12 @@ class my_fw::pre {
iniface => 'lo',
action => 'accept',
}->
firewall { '002 accept related established rules':
firewall { "0002 reject local traffic not on loopback interface":
iniface => '! lo',
destination => '127.0.0.1/8',
action => 'reject',
}->
firewall { '003 accept related established rules':
proto => 'all',
ctstate => ['RELATED', 'ESTABLISHED'],
action => 'accept',
Expand Down
36 changes: 36 additions & 0 deletions spec/fixtures/iptables/conversion_hash.rb
Original file line number Diff line number Diff line change
Expand Up @@ -328,6 +328,24 @@
:iniface => 'eth0',
},
},
'iniface_1_negated' => {
:line => '-A INPUT ! -i eth0 -m comment --comment "060 iniface" -j DROP',
:table => 'filter',
:params => {
:action => 'drop',
:chain => 'INPUT',
:iniface => '! eth0',
},
},
'iniface_1_aliased' => {
:line => '-A INPUT -i eth0:1 -m comment --comment "060 iniface" -j DROP',
:table => 'filter',
:params => {
:action => 'drop',
:chain => 'INPUT',
:iniface => 'eth0:1',
},
},
'iniface_with_vlans_1' => {
:line => '-A INPUT -i eth0.234 -m comment --comment "060 iniface" -j DROP',
:table => 'filter',
Expand Down Expand Up @@ -355,6 +373,24 @@
:outiface => 'eth0',
},
},
'outiface_1_negated' => {
:line => '-A OUTPUT ! -o eth0 -m comment --comment "060 outiface" -j DROP',
:table => 'filter',
:params => {
:action => 'drop',
:chain => 'OUTPUT',
:outiface => '! eth0',
},
},
'outiface_1_aliased' => {
:line => '-A OUTPUT -o eth0:2 -m comment --comment "060 outiface" -j DROP',
:table => 'filter',
:params => {
:action => 'drop',
:chain => 'OUTPUT',
:outiface => 'eth0:2',
},
},
'outiface_with_vlans_1' => {
:line => '-A OUTPUT -o eth0.234 -m comment --comment "060 outiface" -j DROP',
:table => 'filter',
Expand Down
8 changes: 8 additions & 0 deletions spec/unit/puppet/type/firewall_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,14 @@
@resource[iface] = 'eth1'
@resource[iface].should == 'eth1'
end
it "should accept a negated #{iface} value as a string" do
@resource[iface] = '! eth1'
@resource[iface].should == '! eth1'
end
it "should accept an interface alias for the #{iface} value as a string" do
@resource[iface] = 'eth1:2'
@resource[iface].should == 'eth1:2'
end
end
end

Expand Down

0 comments on commit b6e58ba

Please sign in to comment.