Implement Advanced Firewalling support
* Provide a Define which allows managing iptables rules. * Manage rules in 'pre' and 'post' Puppet stages, which allows creating rules before and after the regular Puppet stages (i.e. to make sure no rule exists *before* and everything is blocked *after* the regular Puppet stages) Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89
This commit is contained in:
parent
a077eaf307
commit
d091e46dc0
|
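--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,6 @@
+fixtures:
+repositories:
+'firewall': 'git://github.com/puppetlabs/puppetlabs-firewall.git'
+'stdlib': 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
+symlinks:
+"tripleo": "#{source_dir}"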
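Review bot: Both fixture repositories are fetched over `git://`, which is neither authenticated nor encrypted, and neither entry pins a `ref`, so the test dependencies resolve to whatever the remote's default branch holds at run time. The hash form with an HTTPS URL and a pinned ref, for example `'firewall': { repo: 'https://github.com/puppetlabs/puppetlabs-firewall.git', ref: '<pinned tag or commit>' }`, makes the test environment reproducible and removes the unauthenticated fetch; the same applies to the `stdlib` entry.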
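--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::firewall::post
+#
+# Firewall rules during 'post' Puppet stage
+#
+# === Parameters:
+#
+# [*debug*]
+# (optional) Set log output to debug output
+# Defaults to false
+#
+# [*firewall_settings*]
+# (optional) Allow to add custom parameters to firewall rules
+# Should be an hash.
+# Default to {}
+#
+class tripleo::firewall::post(
+$debug = false,
+$firewall_settings = {},
+){
+
+if $debug {
+warning('debug is enabled, the traffic is not blocked.')
+} else {
+firewall { '998 log all':
+proto => 'all',
+jump => 'LOG',
+}
+tripleo::firewall::rule{ '999 drop all':
+proto => 'all',
+action => 'drop',
+extras => $firewall_settings,
+}
+notice('At this stage, all network traffic is blocked.')
+}
+
+}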
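Review bot: The `notice('At this stage, all network traffic is blocked.')` overstates what `'999 drop all'` does: the rule goes through `tripleo::firewall::rule`, whose `chain` defaults to `'INPUT'` and which sets no `provider`, so only the IPv4 INPUT chain is closed while FORWARD, OUTPUT and the ip6tables tables keep their default policy. Either reword it to something like `notice('At this stage, all IPv4 INPUT traffic not explicitly accepted is dropped.')` or add matching rules for the other chains and for `provider => 'ip6tables'`, and state the coverage in the class header. Separately, `'998 log all'` is declared directly as a `firewall` resource with no `limit` or `log_prefix`, so every packet reaching it is logged without rate limiting, and `$firewall_settings` is not applied to it, unlike the drop rule; adding for example `limit => '5/min',` and a `log_prefix` would bound the log volume a flood can generate.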
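--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,57 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::firewall::pre
+#
+# Firewall rules during 'pre' Puppet stage
+#
+# === Parameters:
+#
+# [*firewall_settings*]
+# (optional) Allow to add custom parameters to firewall rules
+# Should be an hash.
+# Default to {}
+#
+class tripleo::firewall::pre(
+$firewall_settings = {},
+){
+
+# ensure the correct packages are installed
+include ::firewall
+
+# defaults 'pre' rules
+tripleo::firewall::rule{ '000 accept related established rules':
+proto => 'all',
+state => ['RELATED', 'ESTABLISHED'],
+extras => $firewall_settings,
+}
+
+tripleo::firewall::rule{ '001 accept all icmp':
+proto => 'icmp',
+extras => $firewall_settings,
+}
+
+tripleo::firewall::rule{ '002 accept all to lo interface':
+proto => 'all',
+iniface => 'lo',
+extras => $firewall_settings,
+}
+
+tripleo::firewall::rule{ '003 accept ssh':
+port => '22',
+extras => $firewall_settings,
+}
+
+}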
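Review bot: `'003 accept ssh'` is unconditional and inherits the define's `source => '0.0.0.0/0'` default, so SSH is opened to every address whenever the firewall is managed, and there is no way to narrow it without also touching the other three rules, because `$firewall_settings` is merged into all of them. A dedicated parameter such as `$ssh_source = '0.0.0.0/0',` documented in the header and passed as `source => $ssh_source,` on that rule would keep today's behaviour while letting operators restrict management access to their admin networks. The same concern applies to a lesser degree to `'001 accept all icmp'`, which accepts every ICMP type from anywhere; the header should at least say that both rules are world-reachable by default.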
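--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Define: tripleo::firewall::rule
+#
+# Define used to manage IPtables rules.
+#
+# === Parameters:
+#
+# [*port*]
+# (optional) The port associated to the rule.
+# Defaults to undef
+#
+# [*proto*]
+# (optional) The protocol associated to the rule.
+# Defaults to 'tcp'
+#
+# [*action*]
+# (optional) The action policy associated to the rule.
+# Defaults to 'accept'
+#
+# [*state*]
+# (optional) Array of states associated to the rule..
+# Defaults to ['NEW']
+#
+# [*source*]
+# (optional) The source IP address associated to the rule.
+# Defaults to '0.0.0.0/0'
+#
+# [*iniface*]
+# (optional) The network interface associated to the rule.
+# Defaults to undef
+#
+# [*chain*]
+# (optional) The chain associated to the rule.
+# Defaults to 'INPUT'
+#
+# [*extras*]
+# (optional) Hash of any puppetlabs-firewall supported parameters.
+# Defaults to {}
+#
+define tripleo::firewall::rule (
+$port = undef,
+$proto = 'tcp',
+$action = 'accept',
+$state = ['NEW'],
+$source = '0.0.0.0/0',
+$iniface = undef,
+$chain = 'INPUT',
+$extras = {},
+) {
+
+$basic = {
+'port' => $port,
+'proto' => $proto,
+'action' => $action,
+'state' => $state,
+'source' => $source,
+'iniface' => $iniface,
+'chain' => $chain,
+}
+
+$rule = merge($basic, $extras)
+validate_hash($rule)
+
+create_resources('firewall', { "${title}" => $rule })
+
+}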
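Review bot: `$port` is forwarded as `'port' => $port`, and in puppetlabs-firewall `port` matches either the source or the destination port, so a rule such as `'003 accept ssh'` also accepts any inbound packet whose source port happens to be 22; `'dport' => $port,` expresses the intended semantics for INPUT rules (the spec's `:port => '22'` expectations would have to follow). `validate_hash($rule)` runs only after `merge($basic, $extras)` has already succeeded, so a non-hash `$extras` fails inside `merge` with a less specific message; `validate_hash($extras)` before the merge gives the caller-facing error. Since `merge` lets `$extras` override every key of `$basic`, including `action`, `chain` and `source`, the `[*extras*]` entry in the header should say so, because a Hiera-supplied extras hash can silently widen a rule.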
@ -17,7 +17,75 @@
|
||||||
#
|
#
|
||||||
# Installs the system requirements
|
# Installs the system requirements
|
||||||
#
|
#
|
||||||
|
# === Parameters:
|
||||||
|
#
|
||||||
|
# [*manage_firewall*]
|
||||||
|
# (optional) Completely enable or disable firewall settings
|
||||||
|
# (false means disabled, and true means enabled)
|
||||||
|
# Defaults to false
|
||||||
|
#
|
||||||
|
# [*firewall_rules*]
|
||||||
|
# (optional) Allow to add custom firewall rules
|
||||||
|
# Should be an hash.
|
||||||
|
# Default to {}
|
||||||
|
#
|
||||||
|
# [*purge_firewall_rules*]
|
||||||
|
# (optional) Boolean, purge all firewall resources
|
||||||
|
# Defaults to false
|
||||||
|
#
|
||||||
|
# [*firewall_pre_extras*]
|
||||||
|
# (optional) Allow to add custom parameters to firewall rules (pre stage)
|
||||||
|
# Should be an hash.
|
||||||
|
# Default to {}
|
||||||
|
#
|
||||||
|
# [*firewall_post_extras*]
|
||||||
|
# (optional) Allow to add custom parameters to firewall rules (post stage)
|
||||||
|
# Should be an hash.
|
||||||
|
# Default to {}
|
||||||
|
#
|
||||||
|
class tripleo(
|
||||||
|
$manage_firewall = false,
|
||||||
|
$firewall_rules = {},
|
||||||
|
$purge_firewall_rules = false,
|
||||||
|
$firewall_pre_extras = {},
|
||||||
|
$firewall_post_extras = {},
|
||||||
|
) {
|
||||||
|
|
||||||
class tripleo{
|
include ::stdlib
|
||||||
|
|
||||||
|
if $manage_firewall {
|
||||||
|
|
||||||
|
# Only purges IPv4 rules
|
||||||
|
if $purge_firewall_rules {
|
||||||
|
resources { 'firewall':
|
||||||
|
purge => true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# anyone can add your own rules
|
||||||
|
# example with Hiera:
|
||||||
|
#
|
||||||
|
# tripleo::firewall::rules:
|
||||||
|
# '300 allow custom application 1':
|
||||||
|
# port: 999
|
||||||
|
# proto: udp
|
||||||
|
# action: accept
|
||||||
|
# '301 allow custom application 2':
|
||||||
|
# port: 8081
|
||||||
|
# proto: tcp
|
||||||
|
# action: accept
|
||||||
|
#
|
||||||
|
create_resources('tripleo::firewall::rule', $firewall_rules)
|
||||||
|
|
||||||
|
ensure_resource('class', 'tripleo::firewall::pre', {
|
||||||
|
'firewall_settings' => $firewall_pre_extras,
|
||||||
|
'stage' => 'setup',
|
||||||
|
})
|
||||||
|
|
||||||
|
ensure_resource('class', 'tripleo::firewall::post', {
|
||||||
|
'stage' => 'runtime',
|
||||||
|
'firewall_settings' => $firewall_post_extras,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
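Review bot: The Hiera example in the comment block uses the key `tripleo::firewall::rules:`, but the parameter it feeds is `$firewall_rules` of class `tripleo`, whose automatic lookup key is `tripleo::firewall_rules:`; the example as written would be silently ignored and the custom rules never created. The `'stage' => 'setup'` and `'stage' => 'runtime'` values handed to `ensure_resource` also name stages Puppet does not predefine (only `main` exists by default), so unless `Stage['setup']` and `Stage['runtime']` are declared elsewhere in the module, which this commit does not show, catalog compilation fails; a comment stating where they come from, and their ordering relative to `main`, would make the 'pre'/'post' guarantee verifiable. The `# Only purges IPv4 rules` comment is accurate and worth keeping next to the purge; `class tripleo(` opens inside the hunk, but the file header above line 17 is outside it.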
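--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,114 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo' do
+
+let :params do
+{ }
+end
+
+shared_examples_for 'tripleo node' do
+
+context 'with firewall enabled' do
+before :each do
+params.merge!(
+:manage_firewall => true,
+)
+end
+
+it 'configure basic pre firewall rules' do
+is_expected.to contain_firewall('000 accept related established rules').with(
+:proto => 'all',
+:state => ['RELATED', 'ESTABLISHED'],
+:action => 'accept',
+)
+is_expected.to contain_firewall('001 accept all icmp').with(
+:proto => 'icmp',
+:action => 'accept',
+:state => ['NEW'],
+)
+is_expected.to contain_firewall('002 accept all to lo interface').with(
+:proto => 'all',
+:iniface => 'lo',
+:action => 'accept',
+:state => ['NEW'],
+)
+is_expected.to contain_firewall('003 accept ssh').with(
+:port => '22',
+:proto => 'tcp',
+:action => 'accept',
+:state => ['NEW'],
+)
+end
+
+it 'configure basic post firewall rules' do
+is_expected.to contain_firewall('999 drop all').with(
+:proto => 'all',
+:action => 'drop',
+:source => '0.0.0.0/0',
+)
+end
+end
+
+context 'with custom firewall rules' do
+before :each do
+params.merge!(
+:manage_firewall => true,
+:firewall_rules => {
+'300 add custom application 1' => {'port' => '999', 'proto' => 'udp', 'action' => 'accept'},
+'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'}
+}
+)
+end
+it 'configure custom firewall rules' do
+is_expected.to contain_firewall('300 add custom application 1').with(
+:port => '999',
+:proto => 'udp',
+:action => 'accept',
+:state => ['NEW'],
+)
+is_expected.to contain_firewall('301 add custom application 2').with(
+:port => '8081',
+:proto => 'tcp',
+:action => 'accept',
+:state => ['NEW'],
+)
+end
+end
+
+end
+
+context 'on Debian platforms' do
+let :facts do
+{ :osfamily => 'Debian' }
+end
+
+it_configures 'tripleo node'
+end
+
+context 'on RedHat platforms' do
+let :facts do
+{ :osfamily => 'RedHat' }
+end
+
+it_configures 'tripleo node'
+end
+
+end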
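Review bot: The examples never exercise `purge_firewall_rules => true`, the `'998 log all'` rule, or the post class's `debug` branch, so the three behaviours with the most security impact (wiping unmanaged rules, logging before the drop, and leaving the host open when `debug` is set) have no coverage. The contexts below, in the file's hashrocket style, pin the first two; the debug case needs `tripleo::firewall::post` compiled with `:debug => true` and `is_expected.not_to contain_firewall('999 drop all')`, which is easiest in a dedicated spec for that class. The `'999 drop all'` example should also assert `:chain => 'INPUT'`, since that is the only chain the rule closes.
```ruby
context 'with firewall enabled' do
  # … unchanged: before :each and existing examples …
  it 'logs before dropping' do
    is_expected.to contain_firewall('998 log all').with(
      :proto => 'all',
      :jump  => 'LOG',
    )
  end
end

context 'with purged firewall rules' do
  before :each do
    params.merge!(
      :manage_firewall      => true,
      :purge_firewall_rules => true,
    )
  end

  it 'purges unmanaged firewall resources' do
    is_expected.to contain_resources('firewall').with_purge(true)
  end
end
```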