
intial implementation of vxlan plugin for fuel

Change-Id: If2290ca2ea4e947a98f5818ab54ada30e247f42b
sbartel 3 years ago
parent
commit
ccff8066a8
100 changed files with 10952 additions and 0 deletions
  1. 202
    0
      LICENSE
  2. 100
    0
      README.md
  3. 2
    0
      deployment_scripts/puppet/manifests/site-compute-post.pp
  4. 2
    0
      deployment_scripts/puppet/manifests/site-controller-post.pp
  5. 3
    0
      deployment_scripts/puppet/modules/firewall/.fixtures.yml
  6. 9
    0
      deployment_scripts/puppet/modules/firewall/.gitignore
  7. 31
    0
      deployment_scripts/puppet/modules/firewall/.nodeset.yml
  8. 29
    0
      deployment_scripts/puppet/modules/firewall/.travis.yml
  9. 390
    0
      deployment_scripts/puppet/modules/firewall/CHANGELOG.md
  10. 292
    0
      deployment_scripts/puppet/modules/firewall/CONTRIBUTING.md
  11. 257
    0
      deployment_scripts/puppet/modules/firewall/Changelog
  12. 18
    0
      deployment_scripts/puppet/modules/firewall/Gemfile
  13. 25
    0
      deployment_scripts/puppet/modules/firewall/LICENSE
  14. 8
    0
      deployment_scripts/puppet/modules/firewall/Modulefile
  15. 429
    0
      deployment_scripts/puppet/modules/firewall/README.markdown
  16. 14
    0
      deployment_scripts/puppet/modules/firewall/Rakefile
  17. 11
    0
      deployment_scripts/puppet/modules/firewall/lib/facter/ip6tables_version.rb
  18. 15
    0
      deployment_scripts/puppet/modules/firewall/lib/facter/iptables_persistent_version.rb
  19. 11
    0
      deployment_scripts/puppet/modules/firewall/lib/facter/iptables_version.rb
  20. 34
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall.rb
  21. 131
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb
  22. 499
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall/iptables.rb
  23. 178
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb
  24. 1029
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/type/firewall.rb
  25. 222
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/type/firewallchain.rb
  26. 220
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/util/firewall.rb
  27. 42
    0
      deployment_scripts/puppet/modules/firewall/lib/puppet/util/ipcidr.rb
  28. 36
    0
      deployment_scripts/puppet/modules/firewall/manifests/init.pp
  29. 51
    0
      deployment_scripts/puppet/modules/firewall/manifests/linux.pp
  30. 41
    0
      deployment_scripts/puppet/modules/firewall/manifests/linux/archlinux.pp
  31. 44
    0
      deployment_scripts/puppet/modules/firewall/manifests/linux/debian.pp
  32. 24
    0
      deployment_scripts/puppet/modules/firewall/manifests/linux/redhat.pp
  33. 77
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/change_source_spec.rb
  34. 27
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/class_spec.rb
  35. 1617
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/firewall_spec.rb
  36. 125
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/firewallchain_spec.rb
  37. 114
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/ip6_fragment_spec.rb
  38. 92
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/isfragment_spec.rb
  39. 12
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/centos-59-x64-pe.yml
  40. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/centos-59-x64.yml
  41. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/centos-64-x64-fusion.yml
  42. 12
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/centos-64-x64-pe.yml
  43. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml
  44. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/debian-607-x64.yml
  45. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/debian-70rc1-x64.yml
  46. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/default.yml
  47. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/fedora-18-x64.yml
  48. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/sles-11sp1-x64.yml
  49. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml
  50. 10
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml
  51. 154
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/params_spec.rb
  52. 124
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/purge_spec.rb
  53. 93
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/resource_cmd_spec.rb
  54. 252
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/rules_spec.rb
  55. 97
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/socket_spec.rb
  56. 55
    0
      deployment_scripts/puppet/modules/firewall/spec/acceptance/standard_usage_spec.rb
  57. 107
    0
      deployment_scripts/puppet/modules/firewall/spec/fixtures/ip6tables/conversion_hash.rb
  58. 871
    0
      deployment_scripts/puppet/modules/firewall/spec/fixtures/iptables/conversion_hash.rb
  59. 1
    0
      deployment_scripts/puppet/modules/firewall/spec/fixtures/modules/firewall/lib
  60. 1
    0
      deployment_scripts/puppet/modules/firewall/spec/fixtures/modules/firewall/manifests
  61. 29
    0
      deployment_scripts/puppet/modules/firewall/spec/spec_helper.rb
  62. 44
    0
      deployment_scripts/puppet/modules/firewall/spec/spec_helper_acceptance.rb
  63. 49
    0
      deployment_scripts/puppet/modules/firewall/spec/spec_helper_system.rb
  64. 13
    0
      deployment_scripts/puppet/modules/firewall/spec/system/basic_spec.rb
  65. 23
    0
      deployment_scripts/puppet/modules/firewall/spec/system/class_spec.rb
  66. 48
    0
      deployment_scripts/puppet/modules/firewall/spec/system/params_spec.rb
  67. 25
    0
      deployment_scripts/puppet/modules/firewall/spec/system/purge_spec.rb
  68. 25
    0
      deployment_scripts/puppet/modules/firewall/spec/system/resource_cmd_spec.rb
  69. 65
    0
      deployment_scripts/puppet/modules/firewall/spec/system/stanard_usage_spec.rb
  70. 32
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/classes/firewall_linux_archlinux_spec.rb
  71. 19
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/classes/firewall_linux_debian_spec.rb
  72. 22
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/classes/firewall_linux_redhat_spec.rb
  73. 24
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/classes/firewall_linux_spec.rb
  74. 25
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/classes/firewall_spec.rb
  75. 35
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/facter/iptables_persistent_version_spec.rb
  76. 23
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/facter/iptables_spec.rb
  77. 227
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/puppet/provider/iptables_chain_spec.rb
  78. 410
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/puppet/provider/iptables_spec.rb
  79. 650
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/puppet/type/firewall_spec.rb
  80. 185
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/puppet/type/firewallchain_spec.rb
  81. 186
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/puppet/util/firewall_spec.rb
  82. 67
    0
      deployment_scripts/puppet/modules/firewall/spec/unit/puppet/util/ipcidr_spec.rb
  83. 7
    0
      deployment_scripts/puppet/modules/vxlan/Gemfile
  84. 18
    0
      deployment_scripts/puppet/modules/vxlan/Rakefile
  85. 22
    0
      deployment_scripts/puppet/modules/vxlan/lib/puppet/provider/ml2_config/ini_setting.rb
  86. 42
    0
      deployment_scripts/puppet/modules/vxlan/lib/puppet/type/ml2_config.rb
  87. 89
    0
      deployment_scripts/puppet/modules/vxlan/manifests/compute.pp
  88. 77
    0
      deployment_scripts/puppet/modules/vxlan/manifests/controller.pp
  89. 68
    0
      deployment_scripts/puppet/modules/vxlan/manifests/neutron_services.pp
  90. 3
    0
      deployment_scripts/puppet/modules/vxlan/manifests/params.pp
  91. 14
    0
      deployment_scripts/puppet/modules/vxlan/metadata.json
  92. 7
    0
      deployment_scripts/puppet/modules/vxlan/spec/classes/init_spec.rb
  93. 1
    0
      deployment_scripts/puppet/modules/vxlan/spec/spec_helper.rb
  94. 12
    0
      deployment_scripts/puppet/modules/vxlan/tests/init.pp
  95. 6
    0
      environment_config.yaml
  96. 25
    0
      metadata.yaml
  97. 5
    0
      pre_build_hook
  98. 0
    0
      repositories/centos/.gitkeep
  99. 0
    0
      repositories/ubuntu/.gitkeep
  100. 0
    0
      tasks.yaml

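--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,202 @@
+Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright {yyyy} {name of copyright owner}
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+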

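--- a/README.md
+++ b/README.md
@@ -0,0 +1,100 @@
+VXLAN plugin for Fuel
+===================
+
+VXLAN plugin
+---------------
+
+Overview
+--------
+By default the openstack environment is configured with gre or vlan segmentation type. This plugin allows to create vxlan private network.
+
+This repo contains all necessary files to build vxlan Fuel plugin.
+
+Requirements
+------------
+
+| Requirement                      | Version/Comment                                         |
+|----------------------------------|---------------------------------------------------------|
+| Mirantis Openstack compatibility | 6.0                                                     |
+|----------------------------------|---------------------------------------------------------|
+
+
+Recommendations
+---------------
+
+None.
+
+Limitations
+-----------
+
+None.
+
+Installation Guide
+==================
+
+Vxlan plugin installation
+----------------------------
+
+1. Clone the fuel-plugin repo from: https://github.com/stackforge/fuel-plugin-vxlan.git
+
+    ``git clone``
+
+2. Install the Fuel Plugin Builder:
+
+    ``pip install fuel-plugin-builder``
+
+3. Build vxlan Fuel plugin:
+
+   ``fpb --build fuel-plugin-vxlan/``
+
+4. The vxlan-<x.x.x>.fp file will be created in the plugin folder (fuel-plugin-vxlan)
+
+5. Move this file to the Fuel Master node with secure copy (scp):
+
+   ``scp vxlan-<x.x.x>.fp root@:<the_Fuel_Master_node_IP address>:/tmp``
+   ``cd /tmp``
+
+6. Install the vxlan plugin:
+
+   ``fuel plugins --install vxlan-<x.x.x>.fp``
+
+6. Plugin is ready to use and can be enabled on the Settings tab of the Fuel web UI.
+
+User Guide
+==========
+
+https plugin configuration
+-----------------------------
+
+1. Create a new environment with the Fuel UI wizard with gre segmentation type selected
+
+2. Add a node with the "Compute" role.
+
+3. Click on the settings tab of the Fuel web UI
+
+4. Scroll down the page, select the "vxlan plugin" checkbox
+
+
+
+Deployment details
+------------------
+
+Configure neutron/ml2plugin to use vxlan as default segmentation type 
+Configureboth controller and compute neutron/ml2plugin  to create vxlan tunneling
+Restart neutron services
+
+
+Known issues
+------------
+
+None.
+
+Release Notes
+-------------
+
+**1.0.0**
+
+* Initial release of the plugin
+
+
+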

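--- a/deployment_scripts/puppet/manifests/site-compute-post.pp
+++ b/deployment_scripts/puppet/manifests/site-compute-post.pp
@@ -0,0 +1,2 @@
+$fuel_settings = parseyaml($astute_settings_yaml)
+class {'vxlan::compute':}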
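Review bot: `class {'vxlan::compute':}` on the last line declares a parameterless class in resource-like form; `include vxlan::compute` is the idiomatic spelling for that case and, unlike the resource-like form, does not raise a duplicate-declaration error if the same class is also declared elsewhere in the catalog. The same applies to `class {'vxlan::controller':}` in site-controller-post.pp. Whether `vxlan::compute` actually consumes the `$fuel_settings` hash built by `parseyaml($astute_settings_yaml)` on the line above cannot be seen from this manifest, since the module's compute.pp is outside this view; a one-line comment such as `# $fuel_settings is read as top-scope $::fuel_settings by the vxlan classes` would make the dependency between the two lines explicit for the next reader.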

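--- a/deployment_scripts/puppet/manifests/site-controller-post.pp
+++ b/deployment_scripts/puppet/manifests/site-controller-post.pp
@@ -0,0 +1,2 @@
+$fuel_settings = parseyaml($astute_settings_yaml)
+class {'vxlan::controller':}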

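--- a/deployment_scripts/puppet/modules/firewall/.fixtures.yml
+++ b/deployment_scripts/puppet/modules/firewall/.fixtures.yml
@@ -0,0 +1,3 @@
+fixtures:
+  symlinks:
+    "firewall": "#{source_dir}"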

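--- a/deployment_scripts/puppet/modules/firewall/.gitignore
+++ b/deployment_scripts/puppet/modules/firewall/.gitignore
@@ -0,0 +1,9 @@
+pkg/
+Gemfile.lock
+# TODO: Ignore this for now until we decide what to do with it
+spec/fixtures/manifests/
+.ruby-version
+.rspec_system
+.bundle
+.vagrant
+vendor/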

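--- a/deployment_scripts/puppet/modules/firewall/.nodeset.yml
+++ b/deployment_scripts/puppet/modules/firewall/.nodeset.yml
@@ -0,0 +1,31 @@
+---
+default_set: 'centos-64-x64'
+sets:
+  'centos-59-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'centos-59-x64'
+  'centos-64-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'centos-64-x64'
+  'fedora-18-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'fedora-18-x64'
+  'debian-607-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'debian-607-x64'
+  'debian-70rc1-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'debian-70rc1-x64'
+  'ubuntu-server-10044-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'ubuntu-server-10044-x64'
+  'ubuntu-server-12042-x64':
+    nodes:
+      "main.foo.vm":
+        prefab: 'ubuntu-server-12042-x64'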

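--- a/deployment_scripts/puppet/modules/firewall/.travis.yml
+++ b/deployment_scripts/puppet/modules/firewall/.travis.yml
@@ -0,0 +1,29 @@
+---
+language: ruby
+bundler_args: --without development
+script: "bundle exec rake ci SPEC_OPTS='--format documentation'"
+rvm:
+  - 1.8.7
+  - 1.9.3
+  - 2.0.0
+env:
+  - PUPPET_GEM_VERSION="~> 2.7.0"
+  - PUPPET_GEM_VERSION="~> 3.0.0"
+  - PUPPET_GEM_VERSION="~> 3.1.0"
+  - PUPPET_GEM_VERSION="~> 3.2.0"
+  - PUPPET_GEM_VERSION="~> 3.4.0"
+matrix:
+  fast_finish: true
+  exclude:
+    - rvm: 1.9.3
+      env: PUPPET_GEM_VERSION="~> 2.7.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 2.7.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 3.0.0"
+    - rvm: 2.0.0
+      env: PUPPET_GEM_VERSION="~> 3.1.0"
+    - rvm: 1.8.7
+      env: PUPPET_GEM_VERSION="~> 3.2.0"
+notifications:
+  email: false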

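--- a/deployment_scripts/puppet/modules/firewall/CHANGELOG.md
+++ b/deployment_scripts/puppet/modules/firewall/CHANGELOG.md
@@ -0,0 +1,390 @@
+## 2014-03-04 Supported Release 1.0.2
+###Summary
+
+This is a supported release.  This release removes a testing symlink that can
+cause trouble on systems where /var is on a seperate filesystem from the
+modulepath.
+
+####Features
+####Bugfixes
+####Known Bugs
+
+* For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README.
+
+### Supported release - 2014-03-04 1.0.1
+
+####Summary
+
+An important bugfix was made to the offset calculation for unmanaged rules
+to handle rules with 9000+ in the name.
+
+####Features
+
+####Bugfixes
+- Offset calculations assumed unmanaged rules were numbered 9000+.
+- Gracefully fail to manage ip6tables on iptables 1.3.x
+
+####Known Bugs
+
+* For Oracle, the `owner` and `socket` parameters require a workaround to function. Please see the Limitations section of the README.
+
+---
+### 1.0.0 - 2014-02-11
+
+No changes, just renumbering to 1.0.0.
+
+---
+### 0.5.0 - 2014-02-10
+
+##### Summary:
+This is a bigger release that brings in "recent" connection limiting (think
+"port knocking"), firewall chain purging on a per-chain/per-table basis, and
+support for a few other use cases. This release also fixes a major bug which
+could cause modifications to the wrong rules when unmanaged rules are present.
+
+##### New Features:
+* Add "recent" limiting via parameters `rdest`, `reap`, `recent`, `rhitcount`,
+  `rname`, `rseconds`, `rsource`, and `rttl`
+* Add negation support for source and destination
+* Add per-chain/table purging support to `firewallchain`
+* IPv4 specific
+  * Add random port forwarding support
+  * Add ipsec policy matching via `ipsec_dir` and `ipsec_policy`
+* IPv6 specific
+  * Add support for hop limiting via `hop_limit` parameter
+  * Add fragmentation matchers via `ishasmorefrags`, `islastfrag`, and `isfirstfrag`
+  * Add support for conntrack stateful firewall matching via `ctstate`
+
+##### Bugfixes:
+- Boolean fixups allowing false values
+- Better detection of unmanaged rules
+- Fix multiport rule detection
+- Fix sport/dport rule detection
+- Make INPUT, OUTPUT, and FORWARD not autorequired for firewall chain filter
+- Allow INPUT with the nat table
+- Fix `src_range` & `dst_range` order detection
+- Documentation clarifications
+- Fixes to spec tests
+
+---------------------------------------
+
+### 0.4.2 - 2013-09-10
+
+Another attempt to fix the packaging issue.  We think we understand exactly
+what is failing and this should work properly for the first time.
+
+---------------------------------------
+
+### 0.4.1 - 2013-08-09
+
+Bugfix release to fix a packaging issue that may have caused puppet module
+install commands to fail.
+
+---------------------------------------
+
+### 0.4.0 - 2013-07-11
+
+This release adds support for address type, src/dest ip ranges, and adds
+additional testing and bugfixes.
+
+#### Features
+* Add `src_type` and `dst_type` attributes (Nick Stenning)
+* Add `src_range` and `dst_range` attributes (Lei Zhang)
+* Add SL and SLC operatingsystems as supported (Steve Traylen)
+
+#### Bugfixes
+* Fix parser for bursts other than 5 (Chris Rutter)
+* Fix parser for -f in --comment (Georg Koester)
+* Add doc headers to class files (Dan Carley)
+* Fix lint warnings/errors (Wolf Noble)
+
+---------------------------------------
+
+### 0.3.1 - 2013/6/10
+
+This minor release provides some bugfixes and additional tests.
+
+#### Changes
+
+* Update tests for rspec-system-puppet 2 (Ken Barber)
+* Update rspec-system tests for rspec-system-puppet 1.5 (Ken Barber)
+* Ensure all services have 'hasstatus => true' for Puppet 2.6 (Ken Barber)
+* Accept pre-existing rule with invalid name (Joe Julian)
+* Swap log_prefix and log_level order to match the way it's saved (Ken Barber)
+* Fix log test to replicate bug #182 (Ken Barber)
+* Split argments while maintaining quoted strings (Joe Julian)
+* Add more log param tests (Ken Barber)
+* Add extra tests for logging parameters (Ken Barber)
+* Clarify OS support (Ken Barber)
+
+---------------------------------------
+
+### 0.3.0 - 2013/4/25
+
+This release introduces support for Arch Linux and extends support for Fedora 15 and up. There are also lots of bugs fixed and improved testing to prevent regressions.
+
+##### Changes
+
+* Fix error reporting for insane hostnames (Tomas Doran)
+* Support systemd on Fedora 15 and up (Eduardo Gutierrez)
+* Move examples to docs (Ken Barber)
+* Add support for Arch Linux platform (Ingmar Steen)
+* Add match rule for fragments (Georg Koester)
+* Fix boolean rules being recognized as changed (Georg Koester)
+* Same rules now get deleted (Anastasis Andronidis)
+* Socket params test (Ken Barber)
+* Ensure parameter can disable firewall (Marc Tardif)
+
+---------------------------------------
+
+### 0.2.1 - 2012/3/13
+
+This maintenance release introduces the new README layout, and fixes a bug with iptables_persistent_version.
+
+##### Changes
+
+* (GH-139) Throw away STDERR from dpkg-query in Fact
+* Update README to be consistent with module documentation template
+* Fix failing spec tests due to dpkg change in iptables_persistent_version
+
+---------------------------------------
+
+### 0.2.0 - 2012/3/3
+
+This release introduces automatic persistence, removing the need for the previous manual dependency requirement for persistent the running rules to the OS persistence file.
+
+Previously you would have required the following in your site.pp (or some other global location):
+
+    # Always persist firewall rules
+    exec { 'persist-firewall':
+      command     => $operatingsystem ? {
+        'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
+        /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
+      },
+      refreshonly => true,
+    }
+    Firewall {
+      notify  => Exec['persist-firewall'],
+      before  => Class['my_fw::post'],
+      require => Class['my_fw::pre'],
+    }
+    Firewallchain {
+      notify  => Exec['persist-firewall'],
+    }
+    resources { "firewall":
+      purge => true
+    }
+
+You only need:
+
+    class { 'firewall': }
+    Firewall {
+      before  => Class['my_fw::post'],
+      require => Class['my_fw::pre'],
+    }
+
+To install pre-requisites and to create dependencies on your pre & post rules. Consult the README for more information.
+
+##### Changes
+
+* Firewall class manifests (Dan Carley)
+* Firewall and firewallchain persistence (Dan Carley)
+* (GH-134) Autorequire iptables related packages (Dan Carley)
+* Typo in #persist_iptables OS normalisation (Dan Carley)
+* Tests for #persist_iptables (Dan Carley)
+* (GH-129) Replace errant return in autoreq block (Dan Carley)
+
+---------------------------------------
+
+### 0.1.1 - 2012/2/28
+
+This release primarily fixes changing parameters in 3.x
+
+##### Changes
+
+* (GH-128) Change method_missing usage to define_method for 3.x compatibility
+* Update travis.yml gem specifications to actually test 2.6
+* Change source in Gemfile to use a specific URL for Ruby 2.0.0 compatibility
+
+---------------------------------------
+
+### 0.1.0 - 2012/2/24
+
+This release is somewhat belated, so no summary as there are far too many changes this time around. Hopefully we won't fall this far behind again :-).
+
+##### Changes
+
+* Add support for MARK target and set-mark property (Johan Huysmans)
+* Fix broken call to super for ruby-1.9.2 in munge (Ken Barber)
+* simple fix of the error message for allowed values of the jump property (Daniel Black)
+* Adding OSPF(v3) protocol to puppetlabs-firewall (Arnoud Vermeer)
+* Display multi-value: port, sport, dport and state command seperated (Daniel Black)
+* Require jump=>LOG for log params (Daniel Black)
+* Reject and document icmp => "any" (Dan Carley)
+* add firewallchain type and iptables_chain provider (Daniel Black)
+* Various fixes for firewallchain resource (Ken Barber)
+* Modify firewallchain name to be chain:table:protocol (Ken Barber)
+* Fix allvalidchain iteration (Ken Barber)
+* Firewall autorequire Firewallchains (Dan Carley)
+* Tests and docstring for chain autorequire (Dan Carley)
+* Fix README so setup instructions actually work (Ken Barber)
+* Support vlan interfaces (interface containing ".") (Johan Huysmans)
+* Add tests for VLAN support for iniface/outiface (Ken Barber)
+* Add the table when deleting rules (Johan Huysmans)
+* Fix tests since we are now prefixing -t)
+* Changed 'jump' to 'action', commands to lower case (Jason Short)
+* Support interface names containing "+" (Simon Deziel)
+* Fix for when iptables-save spews out "FATAL" errors (Sharif Nassar)
+* Fix for incorrect limit command arguments for ip6tables provider (Michael Hsu)
+* Document Util::Firewall.host_to_ip (Dan Carley)
+* Nullify addresses with zero prefixlen (Dan Carley)
+* Add support for --tcp-flags (Thomas Vander Stichele)
+* Make tcp_flags support a feature (Ken Barber)
+* OUTPUT is a valid chain for the mangle table (Adam Gibbins)
+* Enable travis-ci support (Ken Barber)
+* Convert an existing test to CIDR (Dan Carley)
+* Normalise iptables-save to CIDR (Dan Carley)
+* be clearer about what distributions we support (Ken Barber)
+* add gre protocol to list of acceptable protocols (Jason Hancock)
+* Added pkttype property (Ashley Penney)
+* Fix mark to not repeat rules with iptables 1.4.1+ (Sharif Nassar)
+* Stub iptables_version for now so tests run on non-Linux hosts (Ken Barber)
+* Stub iptables facts for set_mark tests (Dan Carley)
+* Update formatting of README to meet Puppet Labs best practices (Will Hopper)
+* Support for ICMP6 type code resolutions (Dan Carley)
+* Insert order hash included chains from different tables (Ken Barber)
+* rspec 2.11 compatibility (Jonathan Boyett)
+* Add missing class declaration in README (sfozz)
+* array_matching is contraindicated (Sharif Nassar)
+* Convert port Fixnum into strings (Sharif Nassar)
+* Update test framework to the modern age (Ken Barber)
+* working with ip6tables support (wuwx)
+* Remove gemfile.lock and add to gitignore (William Van Hevelingen)
+* Update travis and gemfile to be like stdlib travis files (William Van Hevelingen)
+* Add support for -m socket option (Ken Barber)
+* Add support for single --sport and --dport parsing (Ken Barber)
+* Fix tests for Ruby 1.9.3 from 3e13bf3 (Dan Carley)
+* Mock Resolv.getaddress in #host_to_ip (Dan Carley)
+* Update docs for source and dest - they are not arrays (Ken Barber)
+
+---------------------------------------
+
+### 0.0.4 - 2011/12/05
+
+This release adds two new parameters, 'uid' and 'gid'. As a part of the owner module, these params allow you to specify a uid, username, gid, or group got a match:
+
+    firewall { '497 match uid':
+      port => '123',
+      proto => 'mangle',
+      chain => 'OUTPUT',
+      action => 'drop'
+      uid => '123'
+    }
+
+This release also adds value munging for the 'log_level', 'source', and 'destination' parameters. The 'source' and 'destination' now support hostnames:
+
+    firewall { '498 accept from puppetlabs.com':
+      port => '123',
+      proto => 'tcp',
+      source => 'puppetlabs.com',
+      action => 'accept'
+    }
+
+
+The 'log_level' parameter now supports using log level names, such as 'warn', 'debug', and 'panic':
+
+    firewall { '499 logging':
+      port => '123',
+      proto => 'udp',
+      log_level => 'debug',
+      action => 'drop'
+    }
+
+Additional changes include iptables and ip6tables version facts, general whitespace cleanup, and adding additional unit tests.
+
+##### Changes
+
+* (#10957) add iptables_version and ip6tables_version facts
+* (#11093) Improve log_level property so it converts names to numbers
+* (#10723) Munge hostnames and IPs to IPs with CIDR
+* (#10718) Add owner-match support
+* (#10997) Add fixtures for ipencap
+* (#11034) Whitespace cleanup
+* (#10690) add port property support to ip6tables
+
+---------------------------------------
+
+### 0.0.3 - 2011/11/12
+
+This release introduces a new parameter 'port' which allows you to set both
+source and destination ports for a match:
+
+    firewall { "500 allow NTP requests":
+      port => "123",
+      proto => "udp",
+      action => "accept",
+    }
+
+We also have the limit parameter finally working:
+
+    firewall { "500 limit HTTP requests":
+      dport => 80,
+      proto => tcp,
+      limit => "60/sec",
+      burst => 30,
+      action => accept,
+    }
+
+State ordering has been fixed now, and more characters are allowed in the
+namevar:
+
+* Alphabetical
+* Numbers
+* Punctuation
+* Whitespace
+
+##### Changes
+
+* (#10693) Ensure -m limit is added for iptables when using 'limit' param
+* (#10690) Create new port property
+* (#10700) allow additional characters in comment string
+* (#9082) Sort iptables --state option values internally to keep it consistent across runs
+* (#10324) Remove extraneous whitespace from iptables rule line in spec tests
+
+---------------------------------------
+
+### 0.0.2 - 2011/10/26
+
+This is largely a maintanence and cleanup release, but includes the ability to
+specify ranges of ports in the sport/dport parameter:
+
+    firewall { "500 allow port range":
+      dport => ["3000-3030","5000-5050"],
+      sport => ["1024-65535"],
+      action => "accept",
+    }
+
+##### Changes
+
+* (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
+* (#10002) Change to dport and sport to handle ranges, and fix handling of name to name to port
+* (#10263) Fix tests on Puppet 2.6.x
+* (#10163) Cleanup some of the inline documentation and README file to align with general forge usage
+
+---------------------------------------
+
+### 0.0.1 - 2011/10/18
+
+Initial release.
+
+##### Changes
+
+* (#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter
+* (#10088) Provide a customised version of CONTRIBUTING.md
+* (#10026) Re-arrange provider and type spec files to align with Puppet
+* (#10026) Add aliases for test,specs,tests to Rakefile and provide -T as default
+* (#9439) fix parsing and deleting existing rules
+* (#9583) Fix provider detection for gentoo and unsupported linuxes for the iptables provider
+* (#9576) Stub provider so it works properly outside of Linux
+* (#9576) Align spec framework with Puppet core
+* and lots of other earlier development tasks ...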
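--- a/deployment_scripts/puppet/modules/firewall/CONTRIBUTING.md
+++ b/deployment_scripts/puppet/modules/firewall/CONTRIBUTING.md
@@ -0,0 +1,292 @@
+Checklist (and a short version for the impatient)
+=================================================
+
+  * Commits:
+
+    - Make commits of logical units.
+
+    - Check for unnecessary whitespace with "git diff --check" before
+      committing.
+
+    - Commit using Unix line endings (check the settings around "crlf" in
+      git-config(1)).
+
+    - Do not check in commented out code or unneeded files.
+
+    - The first line of the commit message should be a short
+      description (50 characters is the soft limit, excluding ticket
+      number(s)), and should skip the full stop.
+
+    - Associated the Redmine ticket in the message. The first line
+      should include the ticket number in the form "(#XXXX) Rest of
+      message".
+
+    - The body should provide a meaningful commit message, which:
+
+      - uses the imperative, present tense: "change", not "changed" or
+        "changes".
+
+      - includes motivation for the change, and contrasts its
+        implementation with the previous behavior.
+
+    - Make sure that you have tests for the bug you are fixing, or
+      feature you are adding.
+
+    - Make sure the test suite passes after your commit (rake spec unit).
+
+  * Submission:
+
+    * Pre-requisites:
+
+      - Make sure you have a [Redmine account](http://projects.puppetlabs.com)
+
+      - Sign the [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign)
+
+      - [Create a ticket](http://projects.puppetlabs.com/projects/modules/issues/new), or [watch the ticket](http://projects.puppetlabs.com/projects/modules/issues) you are patching for.
+
+    * Preferred method:
+
+      - Fork the repository on GitHub.
+
+      - Push your changes to a topic branch in your fork of the
+        repository. (the format ticket/1234-short_description_of_change is
+        usually preferred for this project).
+
+      - Submit a pull request to the repository in the puppetlabs
+        organization.
+
+The long version
+================
+
+  0.  Decide what to base your work on.
+
+      In general, you should always base your work on the oldest
+      branch that your change is relevant to.
+
+      - A bug fix should be based on the current stable series. If the
+        bug is not present in the current stable release, then base it on
+        `master`.
+
+      - A new feature should be based on `master`.
+
+      - Security fixes should be based on the current maintenance series
+        (that is, the previous stable series).  If the security issue
+        was not present in the maintenance series, then it should be
+        based on the current stable series if it was introduced there,
+        or on `master` if it is not yet present in a stable release.
+
+  1.  Make separate commits for logically separate changes.
+
+      Please break your commits down into logically consistent units
+      which include new or changed tests relevent to the rest of the
+      change.  The goal of doing this is to make the diff easier to
+      read for whoever is reviewing your code.  In general, the easier
+      your diff is to read, the more likely someone will be happy to
+      review it and get it into the code base.
+
+      If you're going to refactor a piece of code, please do so as a
+      separate commit from your feature or bug fix changes.
+
+      We also really appreciate changes that include tests to make
+      sure the bug isn't re-introduced, and that the feature isn't
+      accidentally broken.
+
+      Describe the technical detail of the change(s).  If your
+      description starts to get too long, that's a good sign that you
+      probably need to split up your commit into more finely grained
+      pieces.
+
+      Commits which plainly describe the things which help
+      reviewers check the patch and future developers understand the
+      code are much more likely to be merged in with a minimum of
+      bike-shedding or requested changes.  Ideally, the commit message
+      would include information, and be in a form suitable for
+      inclusion in the release notes for the version of Puppet that
+      includes them.
+
+      Please also check that you are not introducing any trailing
+      whitespaces or other "whitespace errors".  You can do this by
+      running "git diff --check" on your changes before you commit.
+
+  2.  Sign the Contributor License Agreement
+
+      Before we can accept your changes, we do need a signed Puppet
+      Labs Contributor License Agreement (CLA).
+
+      You can access the CLA via the
+      [Contributor License Agreement link](https://projects.puppetlabs.com/contributor_licenses/sign)
+      in the top menu bar of our Redmine instance.  Once you've signed
+      the CLA, a badge will show up next to your name on the
+      [Puppet Project Overview Page](http://projects.puppetlabs.com/projects/modules?jump=welcome),
+      and your name will be listed under "Contributor License Signers"
+      section.
+
+      If you have any questions about the CLA, please feel free to
+      contact Puppet Labs via email at cla-submissions@puppetlabs.com.
+
+  3.  Sending your patches
+
+      We accept multiple ways of submitting your changes for
+      inclusion.  They are listed below in order of preference.
+
+      Please keep in mind that any method that involves sending email
+      to the mailing list directly requires you to be subscribed to
+      the mailing list, and that your first post to the list will be
+      held in a moderation queue.
+
+      * GitHub Pull Requests
+
+        To submit your changes via a GitHub pull request, we _highly_
+        recommend that you have them on a topic branch, instead of
+        directly on "master" or one of the release, or RC branches.
+        It makes things much easier to keep track of, especially if
+        you decide to work on another thing before your first change
+        is merged in.
+
+        GitHub has some pretty good
+        [general documentation](http://help.github.com/) on using
+        their site.  They also have documentation on
+        [creating pull requests](http://help.github.com/send-pull-requests/).
+
+        In general, after pushing your topic branch up to your
+        repository on GitHub, you'll switch to the branch in the
+        GitHub UI and click "Pull Request" towards the top of the page
+        in order to open a pull request.
+
+        You'll want to make sure that you have the appropriate
+        destination branch in the repository under the puppetlabs
+        organization.  This should be the same branch that you based
+        your changes off of.
+
+      * Other pull requests
+
+        If you already have a publicly accessible version of the
+        repository hosted elsewhere, and don't wish to or cannot use
+        GitHub, you can submit your change by requesting that we pull
+        the changes from your repository by sending an email to the
+        puppet-dev Google Groups mailing list.
+
+        `git-request-pull(1)` provides a handy way to generate the text
+        for the email requesting that we pull your changes (and does
+        some helpful sanity checks in the process).
+
+      * Mailing patches to the mailing list
+
+        If neither of the previous methods works for you, then you can
+        also mail the patches inline to the puppet-dev Google Group
+        using either `rake mail_patches`, or by using
+        `git-format-patch(1)`, and `git-send-email(1)` directly.
+
+        `rake mail_patches` handles setting the appropriate flags to
+        `git-format-patch(1)` and `git-send-email(1)` for you, but
+        doesn't allow adding any commentary between the '---', and the
+        diffstat in the resulting email.  It also requires that you
+        have created your topic branch in the form
+        `<type>/<parent>/<name>`.
+
+        If you decide to use `git-format-patch(1)` and
+        `git-send-email(1)` directly, please be sure to use the
+        following flags for `git-format-patch(1)`: -C -M -s -n
+        --subject-prefix='PATCH/puppet'
+
+      * Attaching patches to Redmine
+
+        As a method of last resort you can also directly attach the
+        output of `git-format-patch(1)`, or `git-diff(1)` to a Redmine
+        ticket.
+
+        If you are generating the diff outside of Git, please be sure
+        to generate a unified diff.
+
+  4.  Update the related Redmine ticket.
+
+      If there's a Redmine ticket associated with the change you
+      submitted, then you should update the ticket to include the
+      location of your branch, and change the status to "In Topic
+      Branch Pending Merge", along with any other commentary you may
+      wish to make.
+
+How to track the status of your change after it's been submitted
+================================================================
+
+Shortly after opening a pull request on GitHub, there should be an
+automatic message sent to the puppet-dev Google Groups mailing list
+notifying people of this.  This notification is used to let the Puppet
+development community know about your requested change to give them a
+chance to review, test, and comment on the change(s).
+
+If you submitted your change via manually sending a pull request or
+mailing the patches, then we keep track of these using
+[patchwork](https://patchwork.puppetlabs.com).  When code is merged
+into the project it is automatically removed from patchwork, and the
+Redmine ticket is manually updated with the commit SHA1.  In addition,
+the ticket status must be updated by the person who merges the topic
+branch to a status of "Merged - Pending Release"
+
+We do our best to comment on or merge submitted changes within a week.
+However, if there hasn't been any commentary on the pull request or
+mailed patches, and it hasn't been merged in after a week, then feel
+free to ask for an update by replying on the mailing list to the
+automatic notification or mailed patches. It probably wasn't
+intentional, and probably just slipped through the cracks.
+
+Additional Resources
+====================
+
+* [Getting additional help](http://projects.puppetlabs.com/projects/puppet/wiki/Getting_Help)
+
+* [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests)
+
+* [Bug tracker (Redmine)](http://projects.puppetlabs.com/projects/modules)
+
+* [Patchwork](https://patchwork.puppetlabs.com)
+
+* [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign)
+
+* [General GitHub documentation](http://help.github.com/)
+
+* [GitHub pull request documentation](http://help.github.com/send-pull-requests/)
+
+If you have commit access to the repository
+===========================================
+
+Even if you have commit access to the repository, you'll still need to
+go through the process above, and have someone else review and merge
+in your changes.  The rule is that all changes must be reviewed by a
+developer on the project (that didn't write the code) to ensure that
+all changes go through a code review process.
+
+Having someone other than the author of the topic branch recorded as
+performing the merge is the record that they performed the code
+review.
+
+  * Merging topic branches
+
+    When merging code from a topic branch into the integration branch
+    (Ex: master, 2.7.x, 1.6.x, etc.), there should always be a merge
+    commit.  You can accomplish this by always providing the `--no-ff`
+    flag to `git merge`.
+
+        git merge --no-ff --log ticket/1234-fix-something-broken
+
+    The reason for always forcing this merge commit is that it
+    provides a consistent way to look up what changes & commits were
+    in a topic branch, whether that topic branch had one, or 500
+    commits.  For example, if the merge commit had an abbreviated
+    SHA-1 of `coffeebad`, then you could use the following `git log`
+    invocation to show you which commits it brought in:
+
+        git log coffeebad^1..coffeebad^2
+
+    The following would show you which changes were made on the topic
+    branch:
+
+        git diff coffeebad^1...coffeebad^2
+
+    Because we _always_ merge the topic branch into the integration
+    branch the first parent (`^1`) of a merge commit will be the most
+    recent commit on the integration branch from just before we merged
+    in the topic, and the second parent (`^2`) will always be the most
+    recent commit that was made in the topic branch.  This also serves
+    as the record of who performed the code review, as mentioned
+    above.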
+ 257
- 0
deployment_scripts/puppet/modules/firewall/Changelog

@@ -0,0 +1,257 @@
1
+## puppetlabs-firewall changelog
2
+
3
+Release notes for puppetlabs-firewall module.
4
+
5
+---------------------------------------
6
+
7
+#### 0.2.1 - 2012/3/13
8
+
9
+This maintenance release introduces the new README layout, and fixes a bug with iptables_persistent_version.
10
+
11
+##### Changes
12
+
13
+* (GH-139) Throw away STDERR from dpkg-query in Fact
14
+* Update README to be consistent with module documentation template
15
+* Fix failing spec tests due to dpkg change in iptables_persistent_version
16
+
17
+---------------------------------------
18
+
19
+#### 0.2.0 - 2012/3/3
20
+
21
+This release introduces automatic persistence, removing the need for the previous manual dependency requirement for persistent the running rules to the OS persistence file.
22
+
23
+Previously you would have required the following in your site.pp (or some other global location):
24
+
25
+    # Always persist firewall rules
26
+    exec { 'persist-firewall':
27
+      command     => $operatingsystem ? {
28
+        'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
29
+        /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
30
+      },
31
+      refreshonly => true,
32
+    }
33
+    Firewall {
34
+      notify  => Exec['persist-firewall'],
35
+      before  => Class['my_fw::post'],
36
+      require => Class['my_fw::pre'],
37
+    }
38
+    Firewallchain {
39
+      notify  => Exec['persist-firewall'],
40
+    }
41
+    resources { "firewall":
42
+      purge => true
43
+    }
44
+
45
+You only need:
46
+
47
+    class { 'firewall': }
48
+    Firewall {
49
+      before  => Class['my_fw::post'],
50
+      require => Class['my_fw::pre'],
51
+    }
52
+
53
+To install pre-requisites and to create dependencies on your pre & post rules. Consult the README for more information.
54
+
55
+##### Changes
56
+
57
+* Firewall class manifests (Dan Carley)
58
+* Firewall and firewallchain persistence (Dan Carley)
59
+* (GH-134) Autorequire iptables related packages (Dan Carley)
60
+* Typo in #persist_iptables OS normalisation (Dan Carley)
61
+* Tests for #persist_iptables (Dan Carley)
62
+* (GH-129) Replace errant return in autoreq block (Dan Carley)
63
+
64
+---------------------------------------
65
+
66
+#### 0.1.1 - 2012/2/28
67
+
68
+This release primarily fixes changing parameters in 3.x
69
+
70
+##### Changes
71
+
72
+* (GH-128) Change method_missing usage to define_method for 3.x compatibility
73
+* Update travis.yml gem specifications to actually test 2.6
74
+* Change source in Gemfile to use a specific URL for Ruby 2.0.0 compatibility
75
+
76
+---------------------------------------
77
+
78
+#### 0.1.0 - 2012/2/24
79
+
80
+This release is somewhat belated, so no summary as there are far too many changes this time around. Hopefully we won't fall this far behind again :-).
81
+
82
+##### Changes
83
+
84
+* Add support for MARK target and set-mark property (Johan Huysmans)
85
+* Fix broken call to super for ruby-1.9.2 in munge (Ken Barber)
86
+* simple fix of the error message for allowed values of the jump property (Daniel Black)
87
+* Adding OSPF(v3) protocol to puppetlabs-firewall (Arnoud Vermeer)
88
+* Display multi-value: port, sport, dport and state command seperated (Daniel Black)
89
+* Require jump=>LOG for log params (Daniel Black)
90
+* Reject and document icmp => "any" (Dan Carley)
91
+* add firewallchain type and iptables_chain provider (Daniel Black)
92
+* Various fixes for firewallchain resource (Ken Barber)
93
+* Modify firewallchain name to be chain:table:protocol (Ken Barber)
94
+* Fix allvalidchain iteration (Ken Barber)
95
+* Firewall autorequire Firewallchains (Dan Carley)
96
+* Tests and docstring for chain autorequire (Dan Carley)
97
+* Fix README so setup instructions actually work (Ken Barber)
98
+* Support vlan interfaces (interface containing ".") (Johan Huysmans)
99
+* Add tests for VLAN support for iniface/outiface (Ken Barber)
100
+* Add the table when deleting rules (Johan Huysmans)
101
+* Fix tests since we are now prefixing -t)
102
+* Changed 'jump' to 'action', commands to lower case (Jason Short)
103
+* Support interface names containing "+" (Simon Deziel)
104
+* Fix for when iptables-save spews out "FATAL" errors (Sharif Nassar)
105
+* Fix for incorrect limit command arguments for ip6tables provider (Michael Hsu)
106
+* Document Util::Firewall.host_to_ip (Dan Carley)
107
+* Nullify addresses with zero prefixlen (Dan Carley)
108
+* Add support for --tcp-flags (Thomas Vander Stichele)
109
+* Make tcp_flags support a feature (Ken Barber)
110
+* OUTPUT is a valid chain for the mangle table (Adam Gibbins)
111
+* Enable travis-ci support (Ken Barber)
112
+* Convert an existing test to CIDR (Dan Carley)
113
+* Normalise iptables-save to CIDR (Dan Carley)
114
+* be clearer about what distributions we support (Ken Barber)
115
+* add gre protocol to list of acceptable protocols (Jason Hancock)
116
+* Added pkttype property (Ashley Penney)
117
+* Fix mark to not repeat rules with iptables 1.4.1+ (Sharif Nassar)
118
+* Stub iptables_version for now so tests run on non-Linux hosts (Ken Barber)
119
+* Stub iptables facts for set_mark tests (Dan Carley)
120
+* Update formatting of README to meet Puppet Labs best practices (Will Hopper)
121
+* Support for ICMP6 type code resolutions (Dan Carley)
122
+* Insert order hash included chains from different tables (Ken Barber)
123
+* rspec 2.11 compatibility (Jonathan Boyett)
124
+* Add missing class declaration in README (sfozz)
125
+* array_matching is contraindicated (Sharif Nassar)
126
+* Convert port Fixnum into strings (Sharif Nassar)
127
+* Update test framework to the modern age (Ken Barber)
128
+* working with ip6tables support (wuwx)
129
+* Remove gemfile.lock and add to gitignore (William Van Hevelingen)
130
+* Update travis and gemfile to be like stdlib travis files (William Van Hevelingen)
131
+* Add support for -m socket option (Ken Barber)
132
+* Add support for single --sport and --dport parsing (Ken Barber)
133
+* Fix tests for Ruby 1.9.3 from 3e13bf3 (Dan Carley)
134
+* Mock Resolv.getaddress in #host_to_ip (Dan Carley)
135
+* Update docs for source and dest - they are not arrays (Ken Barber)
136
+
137
+---------------------------------------
138
+
139
+#### 0.0.4 - 2011/12/05
140
+
141
+This release adds two new parameters, 'uid' and 'gid'. As a part of the owner module, these params allow you to specify a uid, username, gid, or group got a match:
142
+
143
+    firewall { '497 match uid':
144
+      port => '123',
145
+      proto => 'mangle',
146
+      chain => 'OUTPUT',
147
+      action => 'drop'
148
+      uid => '123'
149
+    }
150
+
151
+This release also adds value munging for the 'log_level', 'source', and 'destination' parameters. The 'source' and 'destination' now support hostnames:
152
+
153
+    firewall { '498 accept from puppetlabs.com':
154
+      port => '123',
155
+      proto => 'tcp',
156
+      source => 'puppetlabs.com',
157
+      action => 'accept'
158
+    }
159
+
160
+
161
+The 'log_level' parameter now supports using log level names, such as 'warn', 'debug', and 'panic':
162
+
163
+    firewall { '499 logging':
164
+      port => '123',
165
+      proto => 'udp',
166
+      log_level => 'debug',
167
+      action => 'drop'
168
+    }
169
+
170
+Additional changes include iptables and ip6tables version facts, general whitespace cleanup, and adding additional unit tests.
171
+
172
+##### Changes
173
+
174
+* (#10957) add iptables_version and ip6tables_version facts
175
+* (#11093) Improve log_level property so it converts names to numbers
176
+* (#10723) Munge hostnames and IPs to IPs with CIDR
177
+* (#10718) Add owner-match support
178
+* (#10997) Add fixtures for ipencap
179
+* (#11034) Whitespace cleanup
180
+* (#10690) add port property support to ip6tables
181
+
182
+---------------------------------------
183
+
184
+#### 0.0.3 - 2011/11/12
185
+
186
+This release introduces a new parameter 'port' which allows you to set both
187
+source and destination ports for a match:
188
+
189
+    firewall { "500 allow NTP requests":
190
+      port => "123",
191
+      proto => "udp",
192
+      action => "accept",
193
+    }
194
+
195
+We also have the limit parameter finally working:
196
+
197
+    firewall { "500 limit HTTP requests":
198
+      dport => 80,
199
+      proto => tcp,
200
+      limit => "60/sec",
201
+      burst => 30,
202
+      action => accept,
203
+    }
204
+
205
+State ordering has been fixed now, and more characters are allowed in the
206
+namevar:
207
+
208
+* Alphabetical
209
+* Numbers
210
+* Punctuation
211
+* Whitespace
212
+
213
+##### Changes
214
+
215
+* (#10693) Ensure -m limit is added for iptables when using 'limit' param
216
+* (#10690) Create new port property
217
+* (#10700) allow additional characters in comment string
218
+* (#9082) Sort iptables --state option values internally to keep it consistent across runs
219
+* (#10324) Remove extraneous whitespace from iptables rule line in spec tests
220
+
221
+---------------------------------------
222
+
223
+#### 0.0.2 - 2011/10/26
224
+
225
+This is largely a maintanence and cleanup release, but includes the ability to
226
+specify ranges of ports in the sport/dport parameter:
227
+
228
+    firewall { "500 allow port range":
229
+      dport => ["3000-3030","5000-5050"],
230
+      sport => ["1024-65535"],
231
+      action => "accept",
232
+    }
233
+
234
+##### Changes
235
+
236
+* (#10295) Work around bug #4248 whereby the puppet/util paths are not being loaded correctly on the puppetmaster
237
+* (#10002) Change to dport and sport to handle ranges, and fix handling of name to name to port
238
+* (#10263) Fix tests on Puppet 2.6.x
239
+* (#10163) Cleanup some of the inline documentation and README file to align with general forge usage
240
+
241
+---------------------------------------
242
+
243
+#### 0.0.1 - 2011/10/18
244
+
245
+Initial release.
246
+
247
+##### Changes
248
+
249
+* (#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter
250
+* (#10088) Provide a customised version of CONTRIBUTING.md
251
+* (#10026) Re-arrange provider and type spec files to align with Puppet
252
+* (#10026) Add aliases for test,specs,tests to Rakefile and provide -T as default
253
+* (#9439) fix parsing and deleting existing rules
254
+* (#9583) Fix provider detection for gentoo and unsupported linuxes for the iptables provider
255
+* (#9576) Stub provider so it works properly outside of Linux
256
+* (#9576) Align spec framework with Puppet core
257
+* and lots of other earlier development tasks ...

+ 18
- 0
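--- a/deployment_scripts/puppet/modules/firewall/Gemfile
+++ b/deployment_scripts/puppet/modules/firewall/Gemfile
@@ -0,0 +1,18 @@
+source ENV['GEM_SOURCE'] || "https://rubygems.org"
+
+group :development, :test do
+  gem 'puppetlabs_spec_helper', :require => false
+  gem 'rspec-puppet',           :require => false
+  gem 'serverspec',             :require => false
+  gem 'beaker-rspec',           :require => false
+  gem 'puppet-lint',            :require => false
+  gem 'pry',                    :require => false
+end
+
+if puppetversion = ENV['PUPPET_GEM_VERSION']
+  gem 'puppet', puppetversion, :require => false
+else
+  gem 'puppet', :require => false
+end
+
+# vim:ft=ruby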

+ 25
- 0
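--- a/deployment_scripts/puppet/modules/firewall/LICENSE
+++ b/deployment_scripts/puppet/modules/firewall/LICENSE
@@ -0,0 +1,25 @@
+Puppet Firewall Module - Puppet module for managing Firewalls
+
+Copyright (C) 2011-2013 Puppet Labs, Inc.
+Copyright (C) 2011 Jonathan Boyett
+Copyright (C) 2011 Media Temple, Inc.
+
+Some of the iptables code was taken from puppet-iptables which was:
+
+Copyright (C) 2011 Bob.sh Limited
+Copyright (C) 2008 Camptocamp Association
+Copyright (C) 2007 Dmitri Priimak
+
+Puppet Labs can be contacted at: info@puppetlabs.com
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.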

+ 8
- 0
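--- a/deployment_scripts/puppet/modules/firewall/Modulefile
+++ b/deployment_scripts/puppet/modules/firewall/Modulefile
@@ -0,0 +1,8 @@
+name 'puppetlabs-firewall'
+version '1.0.2'
+source 'git://github.com/puppetlabs/puppetlabs-firewall.git'
+author 'puppetlabs'
+license 'ASL 2.0'
+summary 'Firewall Module'
+description 'Manages Firewalls such as iptables'
+project_page 'http://forge.puppetlabs.com/puppetlabs/firewall'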
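Review bot: The module is vendored into the plugin as puppetlabs-firewall 1.0.2 (the `version` line) with nothing in this commit recording which upstream commit or tarball checksum the copy was taken from, so the tree cannot be verified against upstream or tracked for later security fixes. The `source` line points at `git://github.com/...`, an unauthenticated, unencrypted transport; anyone re-syncing from that URL should use `https://` and compare against a known tag or commit. Suggest adding a short provenance note to the plugin's README (or a `.upstream` file next to this Modulefile) of the form `# vendored from puppetlabs/puppetlabs-firewall tag 1.0.2, commit <sha>, fetched <date>` so the copy can be audited and diffed against upstream.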

+ 429
- 0
deployment_scripts/puppet/modules/firewall/README.markdown View File

@@ -0,0 +1,429 @@
1
+#firewall
2
+
3
+[![Build Status](https://travis-ci.org/puppetlabs/puppetlabs-firewall.png?branch=master)](https://travis-ci.org/puppetlabs/puppetlabs-firewall)
4
+
5
+####Table of Contents
6
+
7
+1. [Overview - What is the Firewall module?](#overview)
8
+2. [Module Description - What does the module do?](#module-description)
9
+3. [Setup - The basics of getting started with Firewall](#setup)
10
+    * [What Firewall affects](#what-firewall-affects)
11
+    * [Setup Requirements](#setup-requirements)
12
+    * [Beginning with Firewall](#beginning-with-firewall)
13
+    * [Upgrading](#upgrading)
14
+4. [Usage - Configuration and customization options](#usage)
15
+    * [Default rules - Setting up general configurations for all firewalls](#default-rules)
16
+    * [Application-specific rules - Options for configuring and managing firewalls across applications](#application-specific-rules)
17
+    * [Other Rules](#other-rules)
18
+5. [Reference - An under-the-hood peek at what the module is doing](#reference)
19
+6. [Limitations - OS compatibility, etc.](#limitations)
20
+7. [Development - Guide for contributing to the module](#development)
21
+    * [Tests - Testing your configuration](#tests)
22
+
23
+##Overview
24
+
25
+The Firewall module lets you manage firewall rules with Puppet.
26
+
27
+##Module Description
28
+
29
+PuppetLabs' Firewall introduces the resource `firewall`, which is used to manage and configure firewall rules from within the Puppet DSL. This module offers support for iptables, ip6tables, and ebtables.
30
+
31
+The module also introduces the resource `firewallchain`, which allows you to manage chains or firewall lists. At the moment, only iptables and ip6tables chains are supported.
32
+
33
+##Setup
34
+
35
+###What Firewall affects:
36
+
37
+* every node running a firewall
38
+* system's firewall settings
39
+* connection settings for managed nodes
40
+* unmanaged resources (get purged)
41
+* site.pp
42
+
43
+###Setup Requirements
44
+
45
+Firewall uses Ruby-based providers, so you must have [pluginsync enabled](http://docs.puppetlabs.com/guides/plugins_in_modules.html#enabling-pluginsync).
46
+
47
+###Beginning with Firewall
48
+
49
+To begin, you need to provide some initial top-scope configuration to ensure your firewall configurations are ordered properly and you do not lock yourself out of your box or lose any configuration.
50
+
51
+Persistence of rules between reboots is handled automatically, although there are known issues with ip6tables on older Debian/Ubuntu, as well as known issues with ebtables.
52
+
53
+In your `site.pp` (or some similarly top-scope file), set up a metatype to purge unmanaged firewall resources. This will clear any existing rules and make sure that only rules defined in Puppet exist on the machine.
54
+
55
+    resources { "firewall":
56
+      purge => true
57
+    }
58
+
59
+Next, set up the default parameters for all of the firewall rules you will be establishing later. These defaults will ensure that the pre and post classes (you will be setting up in just a moment) are run in the correct order to avoid locking you out of your box during the first puppet run.
60
+
61
+    Firewall {
62
+      before  => Class['my_fw::post'],
63
+      require => Class['my_fw::pre'],
64
+    }
65
+
66
+You also need to declare the `my_fw::pre` & `my_fw::post` classes so that dependencies are satisfied. This can be achieved using an External Node Classifier or the following
67
+
68
+    class { ['my_fw::pre', 'my_fw::post']: }
69
+
70
+Finally, you should include the `firewall` class to ensure the correct packages are installed.
71
+
72
+    class { 'firewall': }
73
+
74
+Now to create the `my_fw::pre` and `my_fw::post` classes. Firewall acts on your running firewall, making immediate changes as the catalog executes. Defining default pre and post rules allows you provide global defaults for your hosts before and after any custom rules; it is also required to avoid locking yourself out of your own boxes when Puppet runs. This approach employs a whitelist setup, so you can define what rules you want and everything else is ignored rather than removed.
75
+
76
+The `pre` class should be located in `my_fw/manifests/pre.pp` and should contain any default rules to be applied first.
77
+
78
+    class my_fw::pre {
79
+      Firewall {
80
+        require => undef,
81
+      }
82
+
83
+      # Default firewall rules
84
+      firewall { '000 accept all icmp':
85
+        proto   => 'icmp',
86
+        action  => 'accept',
87
+      }->
88
+      firewall { '001 accept all to lo interface':
89
+        proto   => 'all',
90
+        iniface => 'lo',
91
+        action  => 'accept',
92
+      }->
93
+      firewall { '002 accept related established rules':
94
+        proto   => 'all',
95
+        ctstate => ['RELATED', 'ESTABLISHED'],
96
+        action  => 'accept',
97
+      }
98
+    }
99
+
100
+The rules in `pre` should allow basic networking (such as ICMP and TCP), as well as ensure that existing connections are not closed.
101
+
102
+The `post` class should be located in `my_fw/manifests/post.pp` and include any default rules to be applied last.
103
+
104
+    class my_fw::post {
105
+      firewall { '999 drop all':
106
+        proto   => 'all',
107
+        action  => 'drop',
108
+        before  => undef,
109
+      }
110
+    }
111
+
112
+To put it all together: the `require` parameter in `Firewall {}` ensures `my_fw::pre` is run before any other rules and the `before` parameter ensures `my_fw::post` is run after any other rules. So the run order is:
113
+
114
+* run the rules in `my_fw::pre`
115
+* run your rules (defined in code)
116
+* run the rules in `my_fw::post`
117
+
118
+###Upgrading
119
+
120
+####Upgrading from version 0.2.0 and newer
121
+
122
+Upgrade the module with the puppet module tool as normal:
123
+
124
+    puppet module upgrade puppetlabs/firewall
125
+
126
+####Upgrading from version 0.1.1 and older
127
+
128
+Start by upgrading the module using the puppet module tool:
129
+
130
+    puppet module upgrade puppetlabs/firewall
131
+
132
+Previously, you would have required the following in your `site.pp` (or some other global location):
133
+
134
+    # Always persist firewall rules
135
+    exec { 'persist-firewall':
136
+      command     => $operatingsystem ? {
137
+        'debian'          => '/sbin/iptables-save > /etc/iptables/rules.v4',
138
+        /(RedHat|CentOS)/ => '/sbin/iptables-save > /etc/sysconfig/iptables',
139
+      },
140
+      refreshonly => true,
141
+    }
142
+    Firewall {
143
+      notify  => Exec['persist-firewall'],
144
+      before  => Class['my_fw::post'],
145
+      require => Class['my_fw::pre'],
146
+    }
147
+    Firewallchain {
148
+      notify  => Exec['persist-firewall'],
149
+    }
150
+    resources { "firewall":
151
+      purge => true
152
+    }
153
+
154
+With the latest version, we now have in-built persistence, so this is no longer needed. However, you will still need some basic setup to define pre & post rules.
155
+
156
+    resources { "firewall":
157
+      purge => true
158
+    }
159
+    Firewall {
160
+      before  => Class['my_fw::post'],
161
+      require => Class['my_fw::pre'],
162
+    }
163
+    class { ['my_fw::pre', 'my_fw::post']: }
164
+    class { 'firewall': }
165
+
166
+Consult the the documentation below for more details around the classes `my_fw::pre` and `my_fw::post`.
167
+
168
+##Usage
169
+
170
+There are two kinds of firewall rules you can use with Firewall: default rules and application-specific rules. Default rules apply to general firewall settings, whereas application-specific rules manage firewall settings of a specific application, node, etc.
171
+
172
+All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number.
173
+
174
+      000 this runs first
175
+      999 this runs last
176
+
177
+###Default rules
178
+
179
+You can place default rules in either `my_fw::pre` or `my_fw::post`, depending on when you would like them to run. Rules placed in the `pre` class will run first, rules in the `post` class, last.
180
+
181
+Depending on the provider, the title of the rule can be stored using the comment feature of the underlying firewall subsystem. Values can match `/^\d+[[:alpha:][:digit:][:punct:][:space:]]+$/`.
182
+
183
+####Examples of default rules
184
+
185
+Basic accept ICMP request example:
186
+
187
+    firewall { "000 accept all icmp requests":
188
+      proto  => "icmp",
189
+      action => "accept",
190
+    }
191
+
192
+Drop all:
193
+
194
+    firewall { "999 drop all other requests":
195
+      action => "drop",
196
+    }
197
+
198
+###Application-specific rules
199
+
200
+Puppet doesn't care where you define rules, and this means that you can place
201
+your firewall resources as close to the applications and services that you
202
+manage as you wish.  If you use the [roles and profiles
203
+pattern](https://puppetlabs.com/learn/roles-profiles-introduction) then it
204
+would make sense to create your firewall rules in the profiles, so that they
205
+remain close to the services managed by the profile.
206
+
207
+An example of this might be:
208
+
209
+```puppet
210
+class profile::apache {
211
+  include apache
212
+  apache::vhost { 'mysite': ensure => present }
213
+
214
+  firewall { '100 allow http and https access':
215
+    port   => [80, 443],
216
+    proto  => tcp,
217
+    action => accept,
218
+  }
219
+}
220
+```
221
+
222
+
223
+However, if you're not using that pattern then you can place them directly into
224
+the individual module that manages a service, such as:
225
+
226
+```puppet
227
+class apache {
228
+  firewall { '100 allow http and https access':
229
+    port   => [80, 443],
230
+    proto  => tcp,
231
+    action => accept,
232
+  }
233
+  # ... the rest of your code ...
234
+}
235
+```
236
+
237
+This means if someone includes either the profile:
238
+
239
+```puppet
240
+include profile::apache
241
+```
242
+
243
+Or the module, if you're not using roles and profiles:
244
+
245
+```puppet
246
+  include ::apache
247
+```
248
+
249
+Then they would automatically get appropriate firewall rules.
250
+
251
+###Other rules
252
+
253
+You can also apply firewall rules to specific nodes. Usually, you will want to put the firewall rule in another class and apply that class to a node. But you can apply a rule to a node.
254
+
255
+    node 'foo.bar.com' {
256
+      firewall { '111 open port 111':
257
+        dport => 111
258
+      }
259
+    }
260
+
261
+You can also do more complex things with the `firewall` resource. Here we are doing some NAT configuration.
262
+
263
+    firewall { '100 snat for network foo2':
264
+      chain    => 'POSTROUTING',
265
+      jump     => 'MASQUERADE',
266
+      proto    => 'all',
267
+      outiface => "eth0",
268
+      source   => '10.1.2.0/24',
269
+      table    => 'nat',
270
+    }
271
+
272
+In the below example, we are creating a new chain and forwarding any port 5000 access to it.
273
+
274
+    firewall { '100 forward to MY_CHAIN':
275
+      chain   => 'INPUT',
276
+      jump    => 'MY_CHAIN',
277
+    }
278
+    # The namevar here is in the format chain_name:table:protocol
279
+    firewallchain { 'MY_CHAIN:filter:IPv4':
280
+      ensure  => present,
281
+    }
282
+    firewall { '100 my rule':
283
+      chain   => 'MY_CHAIN',
284
+      action  => 'accept',
285
+      proto   => 'tcp',
286
+      dport   => 5000,
287
+    }
288
+
289
+###Additional Information
290
+
291
+You can access the inline documentation:
292
+
293
+    puppet describe firewall
294
+
295
+Or
296
+
297
+    puppet doc -r type
298
+    (and search for firewall)
299
+
300
+##Reference
301
+
302
+Classes:
303
+
304
+* [firewall](#class-firewall)
305
+
306
+Types:
307
+
308
+* [firewall](#type-firewall)
309
+* [firewallchain](#type-firewallchain)
310
+
311
+Facts:
312
+
313
+* [ip6tables_version](#fact-ip6tablesversion)
314
+* [iptables_version](#fact-iptablesversion)
315
+* [iptables_persistent_version](#fact-iptablespersistentversion)
316
+
317
+###Class: firewall
318
+
319
+This class is provided to do the basic setup tasks required for using the firewall resources.
320
+
321
+At the moment this takes care of:
322
+
323
+* iptables-persistent package installation
324
+
325
+You should include the class for nodes that need to use the resources in this module. For example
326
+
327
+    class { 'firewall': }
328
+
329
+####`ensure`
330
+
331
+Indicates the state of `iptables` on your system, allowing you to disable `iptables` if desired.
332
+
333
+Can either be `running` or `stopped`. Default to `running`.
334
+
335
+###Type: firewall
336
+
337
+This type provides the capability to manage firewall rules within puppet.
338
+
339
+For more documentation on the type, access the 'Types' tab on the Puppet Labs Forge:
340
+
341
+<http://forge.puppetlabs.com/puppetlabs/firewall#types>
342
+
343
+###Type:: firewallchain
344
+
345
+This type provides the capability to manage rule chains for firewalls.
346
+
347
+For more documentation on the type, access the 'Types' tab on the Puppet Labs Forge:
348
+
349
+<http://forge.puppetlabs.com/puppetlabs/firewall#types>
350
+
351
+###Fact: ip6tables_version
352
+
353
+The module provides a Facter fact that can be used to determine what the default version of ip6tables is for your operating system/distribution.
354
+
355
+###Fact: iptables_version
356
+
357
+The module provides a Facter fact that can be used to determine what the default version of iptables is for your operating system/distribution.
358
+
359
+###Fact: iptables_persistent_version
360
+
361
+Retrieves the version of iptables-persistent from your OS. This is a Debian/Ubuntu specific fact.
362
+
363
+##Limitations
364
+
365
+###SLES
366
+
367
+The `socket` parameter is not supported on SLES.  In this release it will cause
368
+the catalog to fail with iptables failures, rather than correctly warn you that
369
+the features are unusable.
370
+
371
+###Oracle Enterprise Linux
372
+
373
+The `socket` and `owner` parameters are unsupported on Oracle Enterprise Linux
374
+when the "Unbreakable" kernel is used. These may function correctly when using
375
+the stock RedHat kernel instead. Declaring either of these parameters on an
376
+unsupported system will result in iptable rules failing to apply.
377
+
378
+###Other
379
+
380
+Bugs can be reported using Github Issues:
381
+
382
+<http://github.com/puppetlabs/puppetlabs-firewall/issues>
383
+
384
+##Development
385
+
386
+Puppet Labs modules on the Puppet Forge are open projects, and community contributions are essential for keeping them great. We can’t access the huge number of platforms and myriad of hardware, software, and deployment configurations that Puppet is intended to serve.
387
+
388
+We want to keep it as easy as possible to contribute changes so that our modules work in your environment. There are a few guidelines that we need contributors to follow so that we can have a chance of keeping on top of things.
389
+
390
+You can read the complete module contribution guide [on the Puppet Labs wiki.](http://projects.puppetlabs.com/projects/module-site/wiki/Module_contributing)
391
+
392
+For this particular module, please also read CONTRIBUTING.md before contributing.
393
+
394
+Currently we support:
395
+
396
+* iptables
397
+* ip6tables
398
+* ebtables (chains only)
399
+
400
+But plans are to support lots of other firewall implementations:
401
+
402
+* FreeBSD (ipf)
403
+* Mac OS X (ipfw)
404
+* OpenBSD (pf)
405
+* Cisco (ASA and basic access lists)
406
+
407
+If you have knowledge in these technologies, know how to code, and wish to contribute to this project, we would welcome the help.
408
+
409
+###Testing
410
+
411
+Make sure you have:
412
+
413
+* rake
414
+* bundler
415
+
416
+Install the necessary gems:
417
+
418
+    bundle install
419
+
420
+And run the tests from the root of the source code:
421
+
422
+    rake test
423
+
424
+If you have a copy of Vagrant 1.1.0 you can also run the system tests:
425
+
426
+    RSPEC_SET=debian-606-x64 rake spec:system
427
+    RSPEC_SET=centos-58-x64 rake spec:system
428
+
429
+*Note:* system testing is fairly alpha at this point, your mileage may vary.

+ 14
- 0
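--- a/deployment_scripts/puppet/modules/firewall/Rakefile
+++ b/deployment_scripts/puppet/modules/firewall/Rakefile
@@ -0,0 +1,14 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+
+require 'puppet-lint/tasks/puppet-lint'
+PuppetLint.configuration.ignore_paths = ['vendor/**/*.pp']
+
+task :default do
+  sh %{rake -T}
+end
+
+desc 'Run reasonably quick tests for CI'
+task :ci => [
+  :lint,
+  :spec,
+]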

+ 11
- 0
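--- a/deployment_scripts/puppet/modules/firewall/lib/facter/ip6tables_version.rb
+++ b/deployment_scripts/puppet/modules/firewall/lib/facter/ip6tables_version.rb
@@ -0,0 +1,11 @@
+Facter.add(:ip6tables_version) do
+  confine :kernel => :linux
+  setcode do
+    version = Facter::Util::Resolution.exec('ip6tables --version')
+    if version
+      version.match(/\d+\.\d+\.\d+/).to_s
+    else
+      nil
+    end
+  end
+end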
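Review bot: `version.match(/\d+\.\d+\.\d+/).to_s` yields the empty string when `ip6tables --version` prints output without a dotted version, while the `else` branch yields `nil`, so the fact has two different "unknown" values and a caller cannot test for one of them. The same pattern appears in iptables_version.rb a few sections below. As far as I can see, the ip6tables provider's `initialize` (in the ip6tables.rb section, which runs past the end of this view) calls `.match` directly on `Facter.fact('ip6tables_version').value`, which would raise NoMethodError rather than a readable error on a host where ip6tables is not installed and the fact is nil. Suggest normalising the fact to a single shape: `m = version && version.match(/\d+\.\d+\.\d+/)` followed by `m ? m.to_s : nil`, and having the provider guard the value before matching.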

+ 15
- 0
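--- a/deployment_scripts/puppet/modules/firewall/lib/facter/iptables_persistent_version.rb
+++ b/deployment_scripts/puppet/modules/firewall/lib/facter/iptables_persistent_version.rb
@@ -0,0 +1,15 @@
+Facter.add(:iptables_persistent_version) do
+  confine :operatingsystem => %w{Debian Ubuntu}
+  setcode do
+    # Throw away STDERR because dpkg >= 1.16.7 will make some noise if the
+    # package isn't currently installed.
+    cmd = "dpkg-query -Wf '${Version}' iptables-persistent 2>/dev/null"
+    version = Facter::Util::Resolution.exec(cmd)
+
+    if version.nil? or !version.match(/\d+\.\d+/)
+      nil
+    else
+      version
+    end
+  end
+end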

+ 11
- 0
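--- a/deployment_scripts/puppet/modules/firewall/lib/facter/iptables_version.rb
+++ b/deployment_scripts/puppet/modules/firewall/lib/facter/iptables_version.rb
@@ -0,0 +1,11 @@
+Facter.add(:iptables_version) do
+  confine :kernel => :linux
+  setcode do
+    version = Facter::Util::Resolution.exec('iptables --version')
+    if version
+      version.match(/\d+\.\d+\.\d+/).to_s
+    else
+      nil
+    end
+  end
+end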

+ 34
- 0
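--- a/deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall.rb
+++ b/deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall.rb
@@ -0,0 +1,34 @@
+class Puppet::Provider::Firewall < Puppet::Provider
+
+  # Prefetch our rule list. This is ran once every time before any other
+  # action (besides initialization of each object).
+  def self.prefetch(resources)
+    debug("[prefetch(resources)]")
+    instances.each do |prov|
+      if resource = resources[prov.name] || resources[prov.name.downcase]
+        resource.provider = prov
+      end
+    end
+  end
+
+  # Look up the current status. This allows us to conventiently look up
+  # existing status with properties[:foo].
+  def properties
+    if @property_hash.empty?
+      @property_hash = query || {:ensure => :absent}
+      @property_hash[:ensure] = :absent if @property_hash.empty?
+    end
+    @property_hash.dup
+  end
+
+  # Pull the current state of the list from the full list.  We're
+  # getting some double entendre here....
+  def query
+    self.class.instances.each do |instance|
+      if instance.name == self.name or instance.name.downcase == self.name
+        return instance.properties
+      end
+    end
+    nil
+  end
+end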

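--- a/deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb
+++ b/deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb
@@ -0,0 +1,131 @@
+Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source => :iptables do
+  @doc = "Ip6tables type provider"
+
+  has_feature :iptables
+  has_feature :hop_limiting
+  has_feature :rate_limiting
+  has_feature :recent_limiting
+  has_feature :snat
+  has_feature :dnat
+  has_feature :interface_match
+  has_feature :icmp_match
+  has_feature :owner
+  has_feature :state_match
+  has_feature :reject_type
+  has_feature :log_level
+  has_feature :log_prefix
+  has_feature :mark
+  has_feature :tcp_flags
+  has_feature :pkttype
+  has_feature :ishasmorefrags
+  has_feature :islastfrag
+  has_feature :isfirstfrag
+
+  optional_commands({
+    :ip6tables      => 'ip6tables',
+    :ip6tables_save => 'ip6tables-save',
+  })
+
+  def initialize(*args)
+    if Facter.fact('ip6tables_version').value.match /1\.3\.\d/
+      raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables'
+    else
+      super
+    end
+  end
+
+  def self.iptables(*args)
+    ip6tables(*args)
+  end
+
+  def self.iptables_save(*args)
+    ip6tables_save(*args)
+  end
+
+  @protocol = "IPv6"
+
+  @resource_map = {
+    :burst => "--limit-burst",
+    :ctstate => "-m conntrack --ctstate",
+    :destination => "-d",
+    :dport => "-m multiport --dports",
+    :gid => "-m owner --gid-owner",
+    :icmp => "-m icmp6 --icmpv6-type",
+    :iniface => "-i",
+    :jump => "-j",
+    :hop_limit => "-m hl --hl-eq",
+    :limit => "-m limit --limit",
+    :log_level => "--log-level",
+    :log_prefix => "--log-prefix",
+    :name => "-m comment --comment",
+    :outiface => "-o",
+    :port => '-m multiport --ports',
+    :proto => "-p",
+    :rdest => "--rdest",
+    :reap => "--reap",
+    :recent => "-m recent",
+    :reject => "--reject-with",
+    :rhitcount => "--hitcount",
+    :rname => "--name",
+    :rseconds => "--seconds",
+    :rsource => "--rsource",
+    :rttl => "--rttl",
+    :source => "-s",
+    :state => "-m state --state",
+    :sport => "-m multiport --sports",
+    :table => "-t",
+    :todest => "--to-destination",
+    :toports => "--to-ports",
+    :tosource => "--to-source",
+    :uid => "-m owner --uid-owner",
+    :pkttype => "-m pkttype --pkt-type",
+    :ishasmorefrags => "-m frag --fragid 0 --fragmore",
+    :islastfrag => "-m frag --fragid 0 --fraglast",
+    :isfirstfrag => "-m frag --fragid 0 --fragfirst",
+  }
+
+  # These are known booleans that do not take a value, but we want to munge
+  # to true if they exist.
+  @known_booleans = [:ishasmorefrags, :islastfrag, :isfirstfrag, :rsource, :rdest, :reap, :rttl]
+
+  # Create property methods dynamically
+  (@resource_map.keys << :chain << :table << :action).each do |property|
+    if @known_booleans.include?(property) then
+      # The boolean properties default to '' which should be read as false
+      define_method "#{property}" do
+        @property_hash[property] = :false if @property_hash[property] == nil
+        @property_hash[property.to_sym]
+      end
+    else
+      define_method "#{property}" do
+        @property_hash[property.to_sym]
+      end
+    end
+
+    if property == :chain
+      define_method "#{property}=" do |value|
+        if @property_hash[:chain] != value
+          raise ArgumentError, "Modifying the chain for existing rules is not supported."
+        end
+      end
+    else
+      define_method "#{property}=" do |value|
+        @property_hash[:needs_change] = true
+      end
+    end
+  end
+
+  # This is the order of resources as they appear in iptables-save output,
+  # we need it to properly parse and apply rules, if the order of resource
+  # changes between puppet runs, the changed rules will be re-applied again.
+  # This order can be determined by going through iptables source code or just tweaking and trying manually
+  # (Note: on my CentOS 6.4 ip6tables-save returns -m frag on the place
+  # I put it when calling the command. So compability with manual changes
+  # not provided with current parser [georg.koester])
+  @resource_list = [:table, :source, :destination, :iniface, :outiface,
+    :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport,
+    :port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
+    :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
+    :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
+
+end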
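Review bot: `initialize` calls `.match` directly on `Facter.fact('ip6tables_version').value` with no nil guard, so on a host where the fact resolves to nil (presumably when the `ip6tables` binary is absent, mirroring how the iptables_version fact in this commit returns nil on exec failure) the provider dies with NoMethodError rather than a readable error; the sibling iptables provider does check `iptables_version and ...` before using its value. Keeping the version in a local and guarding it, `version = Facter.fact('ip6tables_version').value` then `if version and version.match(/1\.3\.\d/)`, preserves the 1.3 rejection and otherwise falls through to `super` as today. The dynamic property accessor/setter loop at the bottom of the file is a verbatim copy of the one in the iptables provider; since the maps differ only in their keys, factoring the loop into a class method on the parent that takes the map and the boolean list would keep the two copies from drifting.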

+ 499
- 0
deployment_scripts/puppet/modules/firewall/lib/puppet/provider/firewall/iptables.rb View File

@@ -0,0 +1,499 @@
1
+require 'puppet/provider/firewall'
2
+require 'digest/md5'
3
+
4
+Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Firewall do
5
+  include Puppet::Util::Firewall
6
+
7
+  @doc = "Iptables type provider"
8
+
9
+  has_feature :iptables
10
+  has_feature :rate_limiting
11
+  has_feature :recent_limiting
12
+  has_feature :snat
13
+  has_feature :dnat
14
+  has_feature :interface_match
15
+  has_feature :icmp_match
16
+  has_feature :owner
17
+  has_feature :state_match
18
+  has_feature :reject_type
19
+  has_feature :log_level
20
+  has_feature :log_prefix
21
+  has_feature :mark
22
+  has_feature :tcp_flags
23
+  has_feature :pkttype
24
+  has_feature :isfragment
25
+  has_feature :socket
26
+  has_feature :address_type
27
+  has_feature :iprange
28
+  has_feature :ipsec_dir
29
+  has_feature :ipsec_policy
30
+  has_feature :mac
31
+
32
+  optional_commands({
33
+    :iptables => 'iptables',
34
+    :iptables_save => 'iptables-save',
35
+  })
36
+
37
+  defaultfor :kernel => :linux
38
+
39
+  iptables_version = Facter.fact('iptables_version').value
40
+  if (iptables_version and Puppet::Util::Package.versioncmp(iptables_version, '1.4.1') < 0)
41
+    mark_flag = '--set-mark'
42
+  else
43
+    mark_flag = '--set-xmark'
44
+  end
45
+
46
+  @protocol = "IPv4"
47
+
48
+  @resource_map = {
49
+    :burst => "--limit-burst",
50
+    :ctstate => "-m conntrack --ctstate",
51
+    :destination => "-d",
52
+    :dst_type => "-m addrtype --dst-type",
53
+    :dst_range => "-m iprange --dst-range",
54
+    :dport => ["-m multiport --dports", "--dport"],
55
+    :gid => "-m owner --gid-owner",
56
+    :icmp => "-m icmp --icmp-type",
57
+    :iniface => "-i",
58
+    :jump => "-j",
59
+    :limit => "-m limit --limit",
60
+    :log_level => "--log-level",
61
+    :log_prefix => "--log-prefix",
62
+    :name => "-m comment --comment",
63
+    :outiface => "-o",
64
+    :port => '-m multiport --ports',
65
+    :proto => "-p",
66
+    :random => "--random",
67
+    :rdest => "--rdest",
68
+    :reap => "--reap",
69
+    :recent => "-m recent",
70
+    :reject => "--reject-with",
71
+    :rhitcount => "--hitcount",
72
+    :rname => "--name",
73
+    :rseconds => "--seconds",
74
+    :rsource => "--rsource",
75
+    :rttl => "--rttl",
76
+    :set_mark => mark_flag,
77
+    :socket => "-m socket",
78
+    :source => "-s",
79
+    :src_type => "-m addrtype --src-type",
80
+    :src_range => "-m iprange --src-range",
81
+    :sport => ["-m multiport --sports", "--sport"],
82
+    :state => "-m state --state",
83
+    :table => "-t",
84
+    :tcp_flags => "-m tcp --tcp-flags",
85
+    :todest => "--to-destination",
86
+    :toports => "--to-ports",
87
+    :tosource => "--to-source",
88
+    :uid => "-m owner --uid-owner",
89
+    :pkttype => "-m pkttype --pkt-type",
90
+    :isfragment => "-f",
91
+    :ipsec_dir => "-m policy --dir",
92
+    :ipsec_policy => "--pol",
93
+    :mac_source => "-m mac --mac-source",
94
+    :mac_destination => "-m mac --mac-destination",
95
+  }
96
+
97
+  # These are known booleans that do not take a value, but we want to munge
98
+  # to true if they exist.
99
+  @known_booleans = [
100
+    :isfragment,
101
+    :random,
102
+    :rdest,
103
+    :reap,
104
+    :rsource,
105
+    :rttl,
106
+    :socket
107
+  ]
108
+
109
+
110
+  # Create property methods dynamically
111
+  (@resource_map.keys << :chain << :table << :action).each do |property|
112
+    if @known_booleans.include?(property) then
113
+      # The boolean properties default to '' which should be read as false
114
+      define_method "#{property}" do
115
+        @property_hash[property] = :false if @property_hash[property] == nil
116
+        @property_hash[property.to_sym]
117
+      end
118
+    else
119
+      define_method "#{property}" do
120
+        @property_hash[property.to_sym]
121
+      end
122
+    end
123
+
124
+    if property == :chain
125
+      define_method "#{property}=" do |value|
126
+        if @property_hash[:chain] != value
127
+          raise ArgumentError, "Modifying the chain for existing rules is not supported."
128
+        end
129
+      end
130
+    else
131
+      define_method "#{property}=" do |value|
132
+        @property_hash[:needs_change] = true
133
+      end
134
+    end
135
+  end
136
+
137
+  # This is the order of resources as they appear in iptables-save output,
138
+  # we need it to properly parse and apply rules, if the order of resource
139
+  # changes between puppet runs, the changed rules will be re-applied again.
140
+  # This order can be determined by going through iptables source code or just tweaking and trying manually
141
+  @resource_list = [
142
+    :table, :source, :destination, :iniface, :outiface, :proto, :isfragment,
143
+    :src_range, :dst_range, :tcp_flags, :gid, :uid, :sport, :dport, :port,
144
+    :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
145
+    :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
146
+    :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
147
+    :toports, :random, :log_prefix, :log_level, :reject, :set_mark, :mac_source, :mac_destination
148
+  ]
149
+
150
+  def insert
151
+    debug 'Inserting rule %s' % resource[:name]
152
+    iptables insert_args
153
+  end
154
+
155
+  def update
156
+    debug 'Updating rule %s' % resource[:name]
157
+    iptables update_args
158
+  end
159
+
160
+  def delete
161
+    debug 'Deleting rule %s' % resource[:name]
162
+    iptables delete_args
163
+  end
164
+
165
+  def exists?
166
+    properties[:ensure] != :absent
167
+  end
168
+
169
+  # Flush the property hash once done.
170
+  def flush
171
+    debug("[flush]")
172
+    if @property_hash.delete(:needs_change)
173
+      notice("Properties changed - updating rule")
174
+      update
175
+    end
176
+    persist_iptables(self.class.instance_variable_get(:@protocol))
177
+    @property_hash.clear
178
+  end
179
+
180
+  def self.instances
181
+    debug "[instances]"
182
+    table = nil
183
+    rules = []
184
+    counter = 1
185
+
186
+    # String#lines would be nice, but we need to support Ruby 1.8.5
187
+    iptables_save.split("\n").each do |line|
188
+      unless line =~ /^\#\s+|^\:\S+|^COMMIT|^FATAL/
189
+        if line =~ /^\*/
190
+          table = line.sub(/\*/, "")
191
+        else
192
+          if hash = rule_to_hash(line, table, counter)
193
+            rules << new(hash)
194
+            counter += 1
195
+          end
196
+        end
197
+      end
198
+    end
199
+    rules
200
+  end
201
+
202
+  def self.rule_to_hash(line, table, counter)
203
+    hash = {}
204
+    keys = []
205
+    values = line.dup
206
+
207
+    ####################
208
+    # PRE-PARSE CLUDGING
209
+    ####################
210
+
211
+    # --tcp-flags takes two values; we cheat by adding " around it
212
+    # so it behaves like --comment
213
+    values = values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')
214
+    # we do a similar thing for negated address masks (source and destination).
215
+    values = values.sub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
216
+    # the actual rule will have the ! mark before the option.
217
+    values = values.sub(/(!)\s*(-\S+)\s*(\S*)/, '\2 "\1 \3"')
218
+    # The match extension for tcp & udp are optional and throws off the @resource_map.
219
+    values = values.sub(/-m (tcp|udp) (--(s|d)port|-m multiport)/, '\2')
220
+
221
+    # Trick the system for booleans
222
+    @known_booleans.each do |bool|
223
+      # append "true" because all params are expected to have values
224
+      if bool == :isfragment then
225
+        # -f requires special matching:
226
+        # only replace those -f that are not followed by an l to
227
+        # distinguish between -f and the '-f' inside of --tcp-flags.
228
+        values = values.sub(/-f(?!l)(?=.*--comment)/, '-f true')
229
+      else
230
+        values = values.sub(/#{@resource_map[bool]}/, "#{@resource_map[bool]} true")
231
+      end
232
+    end
233
+
234
+    ############
235
+    # Populate parser_list with used value, in the correct order
236
+    ############
237
+    map_index={}
238
+    @resource_map.each_pair do |map_k,map_v|
239
+      [map_v].flatten.each do |v|
240
+        ind=values.index(/\s#{v}/)
241
+        next unless ind
242
+        map_index[map_k]=ind
243
+     end
244
+    end
245
+    # Generate parser_list based on the index of the found option
246
+    parser_list=[]
247
+    map_index.sort_by{|k,v| v}.each{|mapi| parser_list << mapi.first }
248
+
249
+    ############
250
+    # MAIN PARSE
251
+    ############
252
+
253
+    # Here we iterate across our values to generate an array of keys
254
+    parser_list.reverse.each do |k|
255
+      resource_map_key = @resource_map[k]
256
+      [resource_map_key].flatten.each do |opt|
257
+        if values.slice!(/\s#{opt}/)
258
+          keys << k
259
+          break
260
+        end
261
+      end
262
+    end
263
+
264
+    # Manually remove chain
265
+    values.slice!('-A')
266
+    keys << :chain
267
+
268
+    # Here we generate the main hash
269
+    keys.zip(values.scan(/"[^"]*"|\S+/).reverse) { |f, v| hash[f] = v.gsub(/"/, '') }
270
+
271
+    #####################
272
+    # POST PARSE CLUDGING
273
+    #####################
274
+
275
+    # Normalise all rules to CIDR notation.
276
+    [:source, :destination].each do |prop|
277
+      next if hash[prop].nil?
278
+      m = hash[prop].match(/(!?)\s?(.*)/)
279
+      # skip this line if parsing was incorrect
280
+      return unless m
281
+      neg = "! " if m[1] == "!"
282
+      hash[prop] = "#{neg}#{Puppet::Util::IPCidr.new(m[2]).cidr}"
283
+    end
284
+
285
+    [:dport, :sport, :port, :state, :ctstate].each do |prop|
286
+      hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
287
+    end
288
+
289
+    # Convert booleans removing the previous cludge we did
290
+    @known_booleans.each do |bool|
291
+      if hash[bool] != nil then
292
+        if hash[bool] != "true" then
293
+          raise "Parser error: #{bool} was meant to be a boolean but received value: #{hash[bool]}."
294
+        end
295
+      end
296
+    end
297
+
298
+    # Our type prefers hyphens over colons for ranges so ...
299
+    # Iterate across all ports replacing colons with hyphens so that ranges match
300
+    # the types expectations.
301
+    [:dport, :sport, :port].each do |prop|
302
+      next unless hash[prop]
303
+      hash[prop] = hash[prop].collect do |elem|
304
+        elem.gsub(/:/,'-')
305
+      end
306
+    end
307
+
308
+    # States should always be sorted. This ensures that the output from
309
+    # iptables-save and user supplied resources is consistent.
310
+    hash[:state]   = hash[:state].sort   unless hash[:state].nil?
311
+    hash[:ctstate] = hash[:ctstate].sort unless hash[:ctstate].nil?
312
+
313
+    # This forces all existing, commentless rules or rules with invalid comments to be moved
314
+    # to the bottom of the stack.
315
+    # Puppet-firewall requires that all rules have comments (resource names) and match this
316
+    # regex and will fail if a rule in iptables does not have a comment. We get around this
317
+    # by appending a high level
318
+    if ! hash[:name]
319
+      num = 9000 + counter
320
+      hash[:name] = "#{num} #{Digest::MD5.hexdigest(line)}"
321
+    elsif not /^\d+[[:alpha:][:digit:][:punct:][:space:]]+$/ =~ hash[:name]
322
+      num = 9000 + counter
323
+      hash[:name] = "#{num} #{/([[:alpha:][:digit:][:punct:][:space:]]+)/.match(hash[:name])[1]}"
324
+    end
325
+
326
+    # Iptables defaults to log_level '4', so it is omitted from the output of iptables-save.
327
+    # If the :jump value is LOG and you don't have a log-level set, we assume it to be '4'.
328
+    if hash[:jump] == 'LOG' && ! hash[:log_level]
329
+      hash[:log_level] = '4'
330
+    end
331
+
332
+    # Iptables defaults to burst '5', so it is ommitted from the output of iptables-save.
333
+    # If the :limit value is set and you don't have a burst set, we assume it to be '5'.
334
+    if hash[:limit] && ! hash[:burst]
335
+      hash[:burst] = '5'
336
+    end
337
+
338
+    hash[:line] = line
339
+    hash[:provider] = self.name.to_s
340
+    hash[:table] = table
341
+    hash[:ensure] = :present
342
+
343
+    # Munge some vars here ...
344
+
345
+    # Proto should equal 'all' if undefined
346
+    hash[:proto] = "all" if !hash.include?(:proto)
347
+
348
+    # If the jump parameter is set to one of: ACCEPT, REJECT or DROP then
349
+    # we should set the action parameter instead.
350
+    if ['ACCEPT','REJECT','DROP'].include?(hash[:jump]) then
351
+      hash[:action] = hash[:jump].downcase
352
+      hash.delete(:jump)
353
+    end
354
+
355
+    hash
356
+  end
357
+
358
+  def insert_args
359
+    args = []
360
+    args << ["-I", resource[:chain], insert_order]
361
+    args << general_args
362
+    args
363
+  end
364
+
365
+  def update_args
366
+    args = []
367
+    args << ["-R", resource[:chain], insert_order]
368
+    args << general_args
369
+    args
370
+  end
371
+
372
+  def delete_args
373
+    # Split into arguments
374
+    line = properties[:line].gsub(/\-A/, '-D').split(/\s(?=(?:[^"]|"[^"]*")*$)/).map{|v| v.gsub(/"/, '')}
375
+    line.unshift("-t", properties[:table])
376
+  end
377
+
378
+  # This method takes the resource, and attempts to generate the command line
379
+  # arguments for iptables.
380
+  def general_args
381
+    debug "Current resource: %s" % resource.class
382
+
383
+    args = []
384
+    resource_list = self.class.instance_variable_get('@resource_list')
385
+    resource_map = self.class.instance_variable_get('@resource_map')
386
+    known_booleans = self.class.instance_variable_get('@known_booleans')
387
+
388
+    resource_list.each do |res|
389
+      resource_value = nil
390
+      if (resource[res]) then
391
+        resource_value = resource[res]
392
+        # If socket is true then do not add the value as -m socket is standalone
393
+        if known_booleans.include?(res) then
394
+          if resource[res] == :true then
395
+            resource_value = nil
396
+          else
397
+            # If the property is not :true then we don't want to add the value
398
+            # to the args list
399
+            next
400
+          end
401
+        end
402
+      elsif res == :jump and resource[:action] then
403
+        # In this case, we are substituting jump for action
404
+        resource_value = resource[:action].to_s.upcase
405
+      else
406
+        next
407
+      end
408
+
409
+      args << [resource_map[res]].flatten.first.split(' ')
410
+
411
+      # On negations, the '!' has to be before the option (eg: "! -d 1.2.3.4")
412
+      if resource_value.is_a?(String) and resource_value.sub!(/^!\s*/, '') then
413
+        # we do this after adding the 'dash' argument because of ones like "-m multiport --dports", where we want it before the "--dports" but after "-m multiport".
414
+        # so we insert before whatever the last argument is
415
+        args.insert(-2, '!')
416
+      end
417
+
418
+
419
+      # For sport and dport, convert hyphens to colons since the type
420
+      # expects hyphens for ranges of ports.
421
+      if [:sport, :dport, :port].include?(res) then
422
+        resource_value = resource_value.collect do |elem|
423
+          elem.gsub(/-/, ':')
424
+        end
425
+      end
426
+