kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Update the firewall cookbook to the latest version

Browse Source 
This gives us comments from the named resources
This commit is contained in:
Greg Karékinian
2023-06-29 15:08:44 +02:00
parent 916ae8094c
commit 68ce3c4834
72 changed files with 4774 additions and 448 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cookbooks/firewall/.foodcritic
View File

@@ -1,3 +0,0 @@
~FC001
~FC057
~FC019

5
cookbooks/firewall/.markdownlint-cli2.yaml Normal file
View File

@@ -0,0 +1,5 @@
config:
ul-indent: false # MD007
line-length: false # MD013
no-duplicate-heading: false # MD024
reference-links-images: false # MD052

551
cookbooks/firewall/CHANGELOG.md
View File

@@ -1,291 +1,458 @@
firewall Cookbook CHANGELOG
=======================
# firewall Cookbook CHANGELOG
This file is used to list changes made in each version of the firewall cookbook.
## 6.2.16 - *2023-05-17*
## 6.2.15 - *2023-04-26*
Update CI runner to MacOS 12
## 6.2.14 - *2023-04-17*
## 6.2.13 - *2023-04-11*
Fix documentation to pass markdown lint
## 6.2.12 - *2023-04-07*
Standardise files with files in sous-chefs/repo-management
## 6.2.11 - *2023-04-04*
Fixed a typo in the readme
## 6.2.10 - *2023-04-01*
## 6.2.9 - *2023-04-01*
## 6.2.8 - *2023-04-01*
Standardise files with files in sous-chefs/repo-management
Standardise files with files in sous-chefs/repo-management
## 6.2.7 - *2023-03-02*
## 6.2.6 - *2023-02-23*
Standardise files with files in sous-chefs/repo-management
## 6.2.5 - *2023-02-16*
Standardise files with files in sous-chefs/repo-management
## 6.2.4 - *2023-02-15*
Standardise files with files in sous-chefs/repo-management
## 6.2.3 - *2022-12-08*
Standardise files with files in sous-chefs/repo-management
## 6.2.2 - *2022-12-08*
Standardise files with files in sous-chefs/repo-management
## 6.2.1 - *2022-12-02*
## 6.2.0 - *2022-12-02*
- Add support for for the description attribute when using UFW
## 6.1.0 - *2022-09-15*
- Add filepath selection based on OS for nftables.conf
## 6.0.2 - *2022-05-15*
Standardise files with files in sous-chefs/repo-management
## 6.0.1 - *2022-05-13*
- Standardise files with files in sous-chefs/repo-management
## 6.0.0 - *2022-05-09*
- Values for firewalld resources must be specified as one would
specify them to `firewall-cmd`.
- Do not use begin/rescue blocks when adding firewalld-objects, as
that resulted in errors being logged by firewalld.
- Various bug fixes that were found along the way.
## 5.1.0 - *2022-05-07*
- Add new providers for firewalld using the dbus-interface of firewalld.
## 5.0.0 - *2022-04-20*
- Add support for nftables
## 4.0.3 - *2022-04-11*
- Use resuable workflows instead of Chef Delivery
## 4.0.2 - *2022-02-17*
- Standardise files with files in sous-chefs/repo-management
- Remove delivery folder
## 4.0.1 - *2022-01-07*
- Remove extraneous task file that's no longer needed
## 4.0.0 - *2021-09-09*
- Remove dependency on chef-sugar cookbook
- Bump to require Chef Infra Client >= 15.5 for chef-utils
- Update metadata and README to Sous Chefs
## 3.0.2 - *2021-08-30*
- Standardise files with files in sous-chefs/repo-management
## 3.0.1 - *2021-07-08*
- Restart netfilter service in iptables mode after updating firewall rules
## 3.0.0 - *2021-06-14*
- Add Amazon Linux support
- Fix firewall resource actions list
- First attempt to modernize testing
- Various Cookstyle fixes
## 2.7.1 - *2021-06-01*
- resolved cookstyle error: libraries/helpers_windows.rb:47:9 convention: `Style/RedundantAssignment`
- resolved cookstyle error: libraries/helpers_windows.rb:48:9 convention: `Layout/IndentationWidth`
- resolved cookstyle error: libraries/helpers_windows.rb:49:16 convention: `Layout/ElseAlignment`
- resolved cookstyle error: libraries/helpers_windows.rb:50:9 convention: `Layout/IndentationWidth`
- resolved cookstyle error: libraries/helpers_windows.rb:51:16 warning: `Layout/EndAlignment`
- resolved cookstyle error: libraries/helpers_windows.rb:52:1 convention: `Layout/EmptyLinesAroundMethodBody`
- resolved cookstyle error: libraries/helpers_windows.rb:52:1 convention: `Layout/TrailingWhitespace`
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:30:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:54:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:114:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:136:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_firewalld.rb:149:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:33:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:63:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:112:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables.rb:134:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:34:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:67:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:133:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu.rb:156:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:34:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:67:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:133:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_iptables_ubuntu1404.rb:156:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_rule.rb:24:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:32:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:61:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:102:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_ufw.rb:115:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_windows.rb:29:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_windows.rb:42:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_windows.rb:97:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: libraries/provider_firewall_windows.rb:118:5 refactor: `ChefModernize/ActionMethodInResource`
- resolved cookstyle error: attributes/iptables.rb:8:54 refactor: `ChefStyle/AttributeKeys`
- resolved cookstyle error: attributes/iptables.rb:8:54 convention: `Style/StringLiteralsInInterpolation`
- resolved cookstyle error: attributes/iptables.rb:8:63 refactor: `ChefStyle/AttributeKeys`
- resolved cookstyle error: attributes/iptables.rb:8:64 convention: `Style/StringLiteralsInInterpolation`
- resolved cookstyle error: attributes/iptables.rb:9:56 refactor: `ChefStyle/AttributeKeys`
- resolved cookstyle error: attributes/iptables.rb:9:56 convention: `Style/StringLiteralsInInterpolation`
- resolved cookstyle error: attributes/iptables.rb:9:65 refactor: `ChefStyle/AttributeKeys`
- resolved cookstyle error: attributes/iptables.rb:9:66 convention: `Style/StringLiteralsInInterpolation`
- resolved cookstyle error: attributes/iptables.rb:10:55 refactor: `ChefStyle/AttributeKeys`
- resolved cookstyle error: attributes/iptables.rb:10:55 convention: `Style/StringLiteralsInInterpolation`
- resolved cookstyle error: attributes/iptables.rb:10:64 refactor: `ChefStyle/AttributeKeys`
- resolved cookstyle error: attributes/iptables.rb:10:65 convention: `Style/StringLiteralsInInterpolation`
## 2.7.0 (2018-12-19)
- Nominal support for Debian 9 (#202)
## 2.6.5 (2018-07-24)
- use platform_family instead of platform to include all rhels
v2.6.4 (2018-07-01)
-------------------
* Stop including chef-sugar when it's >= 4.0.0 (#197)
## v2.6.4 (2018-07-01)
v2.6.3 (2018-02-01)
-------------------
* Fix issue with deep merging of hashes and arrays in recent chef release (#185)
- Stop including chef-sugar when it's >= 4.0.0 (#197)
v2.6.2 (2017-06-01)
-------------------
* Incorrect file checking on Ubuntu, double file write (#173)
* Added testing on CentOS 6.9
* Clarify metadata that we're not working on Amazon Linux (#172)
## v2.6.3 (2018-02-01)
v2.6.1 (2017-04-21)
-------------------
* Add recipe to disable firewall (#164)
- Fix issue with deep merging of hashes and arrays in recent chef release (#185)
v2.6.0 (2017-04-17)
-------------------
* Initial Chef 13.x support (#160, #159)
* Allow loopback and icmp, when enabled (#161)
* Address various newer rubocop and foodcritic complaints
* Convert rule provider away from DSL (#159)
## v2.6.2 (2017-06-01)
v2.5.4 (2017-02-13)
-------------------
* Update Test Kitchen platforms to the latest
* Update copyright headers
* Allow package options to be passed through to the package install for firewall
* Define policy for Windows Firewall and use the attributes to set desired policy
- Incorrect file checking on Ubuntu, double file write (#173)
- Added testing on CentOS 6.9
- Clarify metadata that we're not working on Amazon Linux (#172)
v2.5.3 (2016-10-26)
-------------------
* Don't show firewall resource as updated (#133)
* Add :off as a valid logging level (#129)
* Add support for Ubuntu 16.04 (#149)
## v2.6.1 (2017-04-21)
v2.5.2 (2016-06-02)
-------------------
* Don't issue commands when firewalld isn't active (#140)
* Install iptables-services on CentOS >= 7 (#131)
* Update Ruby version on Travis for listen gem
- Add recipe to disable firewall (#164)
v2.5.1 (2016-05-31)
-------------------
* Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128)
* Fix wrongly ordered conditional for converting ports to strings using port_to_s
* Fix notify_firewall attribute crashing firewall_rule provider (#130)
* Add warning if firewall rule opens all traffic (#132)
* Add ipv6 attribute respect to Ubuntu iptables (#138)
## v2.6.0 (2017-04-17)
v2.5.0 (2016-03-08)
-------------------
* Don't modify parameter for port (#120)
* Remove a reference to the wrong variable name under windows (#123)
* Add support for mobile shell default firewall rule (#121)
* New rubocop rules and style fixes
* Correct a README.md example for `action :allow`
- Initial Chef 13.x support (#160, #159)
- Allow loopback and icmp, when enabled (#161)
- Address various newer rubocop and foodcritic complaints
- Convert rule provider away from DSL (#159)
v2.4.0 (2016-01-28)
-------------------
* Expose default iptables ruleset so that raw rules can be used in conjunction
with rulesets for other tables (#101).
## v2.5.4 (2017-02-13)
v2.3.1 (2016-01-08)
-------------------
* Add raw rule support to the ufw firewall provider (#113).
- Update Test Kitchen platforms to the latest
- Update copyright headers
- Allow package options to be passed through to the package install for firewall
- Define policy for Windows Firewall and use the attributes to set desired policy
v2.3.0 (2015-12-23)
-------------------
* Refactor logic so that firewall rules don't add a string rule to the firewall
when their actions run. Just run the action once on the firewall itself. This is
designed to prevent partial application of rules (#106)
## v2.5.3 (2016-10-26)
* Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on
the firewall resource. It was difficult to reason with "disabled false" for some
complicated recipes using firewall downstream. `disabled` is now deprecated.
- Don't show firewall resource as updated (#133)
- Add :off as a valid logging level (#129)
- Add support for Ubuntu 16.04 (#149)
* Add proper Windows testing and serverspec tests back into this cookbook.
## v2.5.2 (2016-06-02)
* Fix the `port_to_s` function so it also works for Windows (#111)
- Don't issue commands when firewalld isn't active (#140)
- Install iptables-services on CentOS >= 7 (#131)
- Update Ruby version on Travis for listen gem
* Fix typo checking action instead of command in iptables helper (#112)
## v2.5.1 (2016-05-31)
* Remove testing ranges of ports on CentOS 5.x, as it's broken there.
- Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128)
- Fix wrongly ordered conditional for converting ports to strings using port_to_s
- Fix notify_firewall attribute crashing firewall_rule provider (#130)
- Add warning if firewall rule opens all traffic (#132)
- Add ipv6 attribute respect to Ubuntu iptables (#138)
## v2.5.0 (2016-03-08)
- Don't modify parameter for port (#120)
- Remove a reference to the wrong variable name under windows (#123)
- Add support for mobile shell default firewall rule (#121)
- New rubocop rules and style fixes
- Correct a README.md example for `action :allow`
## v2.4.0 (2016-01-28)
- Expose default iptables ruleset so that raw rules can be used in conjunction with rulesets for other tables (#101).
## v2.3.1 (2016-01-08)
- Add raw rule support to the ufw firewall provider (#113).
## v2.3.0 (2015-12-23)
- Refactor logic so that firewall rules don't add a string rule to the firewall when their actions run. Just run the action once on the firewall itself. This is designed to prevent partial application of rules (#106)
- Switch to "enabled" (positive logic) instead of "disabled" (negative logic) on the firewall resource. It was difficult to reason with "disabled false" for some complicated recipes using firewall downstream. `disabled` is now deprecated.
- Add proper Windows testing and serverspec tests back into this cookbook.
- Fix the `port_to_s` function so it also works for Windows (#111)
- Fix typo checking action instead of command in iptables helper (#112)
- Remove testing ranges of ports on CentOS 5.x, as it's broken there.
## v2.2.0 (2015-11-02)
v2.2.0 (2015-11-02)
-------------------
Added permanent as default option for RHEL 7 based systems using firewall-cmd.
This defaults to turned off, but it will be enabled by default on the next major version bump.
v2.1.0 (2015-10-15)
-------------------
## v2.1.0 (2015-10-15)
Minor feature release.
* Ensure ICMPv6 is open when `['firewall']['allow_established']` is set to true (the default). ICMPv6 is critical for most IPv6 operations.
v2.0.5 (2015-10-05)
-------------------
- Ensure ICMPv6 is open when `['firewall']['allow_established']` is set to true (the default). ICMPv6 is critical for most IPv6 operations.
## v2.0.5 (2015-10-05)
Minor bugfix release.
* Ensure provider filtering always yields 1 and only 1 provider, #97 & #98
* Documentation update #96
v2.0.4 (2015-09-23)
-------------------
- Ensure provider filtering always yields 1 and only 1 provider, #97 & #98
- Documentation update #96
## v2.0.4 (2015-09-23)
Minor bugfix release.
* Allow override of filter chain policies, #94
* Fix foodcrtitic and chefspec errors
v2.0.3 (2015-09-14)
-------------------
- Allow override of filter chain policies, #94
- Fix foodcrtitic and chefspec errors
## v2.0.3 (2015-09-14)
Minor bugfix release.
* Fix wrong conditional for firewalld ports, #93
* Fix ipv6 command logic under iptables, #91
v2.0.2 (2015-09-08)
-------------------
* Release with working CI, Chefspec matchers.
- Fix wrong conditional for firewalld ports, #93
- Fix ipv6 command logic under iptables, #91
v2.0.1 (2015-09-01)
-------------------
* Add default related/established rule for iptables
## v2.0.2 (2015-09-08)
v2.0.0 (2015-08-31)
-------------------
* #84, major rewrite:
- Allow relative positioning of rules
- Use delayed notifications to create one firewall ruleset instead of incremental changes
- Remove poise dependency
* #82 - Introduce Windows firewall support and test-kitchen platform.
* #73 - Add the option to disable ipv6 commands on iptables
* #78 - Use Chef-12 style `provides` to address provider mapping issues
* Rubocop and foodcritic cleanup
- Release with working CI, Chefspec matchers.
v1.6.1 (2015-07-24)
-------------------
* #80 - Remove an extra space in port range
## v2.0.1 (2015-09-01)
v1.6.0 (2015-07-15)
-------------------
* #68 - Install firewalld when it does not exist
* #72 - Fix symbol that was a string, breaking comparisons
- Add default related/established rule for iptables
v1.5.2 (2015-07-15)
-------------------
* #75 - Use correct service in iptables save action, Add serverspec tests for iptables suite
## v2.0.0 (2015-08-31)
v1.5.1 (2015-07-13)
-------------------
* #74 - add :save matcher for Chefspec
- 84, major rewrite
- Allow relative positioning of rules
- Use delayed notifications to create one firewall ruleset instead of incremental changes
- Remove poise dependency
- #82 - Introduce Windows firewall support and test-kitchen platform
- #73 - Add the option to disable ipv6 commands on iptables
- #78 - Use Chef-12 style `provides` to address provider mapping issues
- Rubocop and foodcritic cleanup
v1.5.0 (2015-07-06)
-------------------
## v1.6.1 (2015-07-24)
* #70 - Add chef service resource to ensure firewall-related services are enabled/disabled
* - Add testing and support for iptables on ubuntu in iptables provider
- 80 - Remove an extra space in port range
v1.4.0 (2015-06-30)
-------------------
## v1.6.0 (2015-07-15)
* #69 - Support for CentOS/RHEL 5.x
- 68 - Install firewalld when it does not exist
- 72 - Fix symbol that was a string, breaking comparisons
v1.3.0 (2015-06-09)
-------------------
* #63 - Add support for protocol numbers
## v1.5.2 (2015-07-15)
v1.2.0 (2015-05-28)
-------------------
* #64 - Support the newer version of poise
- 75 - Use correct service in iptables save action, Add serverspec tests for iptables suite
v1.1.2 (2015-05-19)
-------------------
* #60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively.
## v1.5.1 (2015-07-13)
- 74 - add :save matcher for Chefspec
## v1.5.0 (2015-07-06)
- 70 - Add chef service resource to ensure firewall-related services are enabled/disabled
- Add testing and support for iptables on ubuntu in iptables provider
## v1.4.0 (2015-06-30)
- 69 - Support for CentOS/RHEL 5.x
## v1.3.0 (2015-06-09)
- 63 - Add support for protocol numbers
## v1.2.0 (2015-05-28)
- 64 - Support the newer version of poise
## v1.1.2 (2015-05-19)
- 60 - Always add /32 or /128 to ipv4 or ipv6 addresses, respectively
- Make comment quoting optional; iptables on Ubuntu strips quotes on strings without any spaces
v1.1.1 (2015-05-11)
-------------------
* #57 - Suppress warning: already initialized constant XXX while Chefspec
## v1.1.1 (2015-05-11)
v1.1.0 (2015-04-27)
-------------------
* #56 - Better ipv6 support for firewalld and iptables
* #54 - Document raw parameter
- 57 - Suppress warning: already initialized constant XXX while Chefspec
v1.0.2 (2015-04-03)
-------------------
* #52 - Typo in :masquerade action name
## v1.1.0 (2015-04-27)
v1.0.1 (2015-03-28)
-------------------
* #49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands
- 56 - Better ipv6 support for firewalld and iptables
- 54 - Document raw parameter
v1.0.0 (2015-03-25)
-------------------
* Major upgrade and rewrite as HWRP using poise
* Adds support for iptables and firewalld
* Modernize tests and other files
* Fix many bugs from ufw defaults to multiport suppot
## v1.0.2 (2015-04-03)
v0.11.8 (2014-05-20)
--------------------
* Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules
- 52 - Typo in :masquerade action name
## v1.0.1 (2015-03-28)
- 49 - Fix position attribute of firewall_rule providers to be correctly used as a string in commands
## v1.0.0 (2015-03-25)
- Major upgrade and rewrite as HWRP using poise
- Adds support for iptables and firewalld
- Modernize tests and other files
- Fix many bugs from ufw defaults to multiport suppot
## v0.11.8 (2014-05-20)
- Corrects issue where on a secondary converge would not distinguish between inbound and outbound rules
## v0.11.6 (2014-02-28)
v0.11.6 (2014-02-28)
--------------------
[COOK-4385] - UFW provider is broken
## v0.11.4 (2014-02-25)
v0.11.4 (2014-02-25)
--------------------
[COOK-4140] Only notify when a rule is actually added
## v0.11.2
v0.11.2
-------
### Bug
- **[COOK-3615](https://tickets.opscode.com/browse/COOK-3615)** - Install required UFW package on Debian
v0.11.0
-------
- [COOK-3615]: Install required UFW package on Debian
## v0.11.0
### Improvement
- [COOK-2932]: ufw providers work on debian but cannot be used
v0.10.2
-------
## v0.10.2
- [COOK-2250] - improve readme
v0.10.0
------
## v0.10.0
- [COOK-1234] - allow multiple ports per rule
v0.9.2
------
## v0.9.2
- [COOK-1615] - Firewall example docs have incorrect direction syntax
v0.9.0
------
## v0.9.0
The default action for firewall LWRP is now :enable, the default action for firewall_rule LWRP is now :reject. This is in line with a "default deny" policy.
- [COOK-1429] - resolve foodcritic warnings
v0.8.0
------
## v0.8.0
- refactor all resources and providers into LWRPs
- removed :reset action from firewall resource (couldn't find a good way to make it idempotent)
- removed :logging action from firewall resource...just set desired level via the log_level attribute
v0.6.0
------
## v0.6.0
- [COOK-725] Firewall cookbook firewall_rule LWRP needs to support logging attribute.
- Firewall cookbook firewall LWRP needs to support :logging
v0.5.7
------
## v0.5.7
- [COOK-696] Firewall cookbook firewall_rule LWRP needs to support interface
- [COOK-697] Firewall cookbook firewall_rule LWRP needs to support the direction for the rules
v0.5.6
------
## v0.5.6
- [COOK-695] Firewall cookbook firewall_rule LWRP needs to support destination port
v0.5.5
------
## v0.5.5
- [COOK-709] fixed :nothing action for the 'firewall_rule' resource.
v0.5.4
------
## v0.5.4
- [COOK-694] added :reject action to the 'firewall_rule' resource.
v0.5.3
------
## v0.5.3
- [COOK-698] added :reset action to the 'firewall' resource.
v0.5.2
------
- Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error.
thanks to Ernad Husremović for the fix.
## v0.5.2
- Add missing 'requires' statements. fixes 'NameError: uninitialized constant' error. Thanks to Ernad Husremović for the fix.
## v0.5.0
v0.5.0
------
- [COOK-686] create firewall and firewall_rule resources
- [COOK-687] create UFW providers for all resources

2
cookbooks/firewall/CONTRIBUTING.md
View File

@@ -1,2 +0,0 @@
Please refer to
https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD

202
cookbooks/firewall/LICENSE Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

19
cookbooks/firewall/MAINTAINERS.md
View File

@@ -1,19 +0,0 @@
<!-- This is a generated file. Please do not edit directly -->
# Maintainers
This file lists how this cookbook project is maintained. When making changes to the system, this
file tells you who needs to review your patch - you need a simple majority of maintainers
for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
for details on the process and how to become a maintainer or the project lead.
# Project Maintainer
* [Martin Smith](https://github.com/martinb3)
# Maintainers
* [Jennifer Davis](https://github.com/sigje)
* [Tim Smith](https://github.com/tas50)
* [Thom May](https://github.com/thommay)
* [Martin Smith](https://github.com/martinb3)

255
cookbooks/firewall/README.md
View File

@@ -1,59 +1,79 @@
firewall Cookbook
=================
# firewall Cookbook
[![Build Status](https://travis-ci.org/chef-cookbooks/firewall.svg?branch=master)](http://travis-ci.org/chef-cookbooks/firewall)
[![Cookbook Version](https://img.shields.io/cookbook/v/firewall.svg)](https://supermarket.chef.io/cookbooks/firewall)
[![CI State](https://github.com/sous-chefs/firewall/workflows/ci/badge.svg)](https://github.com/sous-chefs/firewall/actions?query=workflow%3Aci)
[![OpenCollective](https://opencollective.com/sous-chefs/backers/badge.svg)](#backers)
[![OpenCollective](https://opencollective.com/sous-chefs/sponsors/badge.svg)](#sponsors)
[![License](https://img.shields.io/badge/License-Apache%202.0-green.svg)](https://opensource.org/licenses/Apache-2.0)
Provides a set of primitives for managing firewalls and associated rules.
PLEASE NOTE - The resource/providers in this cookbook are under heavy development. An attempt is being made to keep the resource simple/stupid by starting with less sophisticated firewall implementations first and refactor/vet the resource definition with each successive provider.
Requirements
------------
**Chef 12.5.x+** is required. We are currently testing against Chef 13. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.:
```
depends 'firewall', '< 2.0'
## Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If youd like to know more please visit [sous-chefs.org](https://sous-chefs.org/) or come chat with us on the Chef Community Slack in [#sous-chefs](https://chefcommunity.slack.com/messages/C2V7B88SF).
## Requirements
- Chef Infra Client 15.5+
```ruby
depends 'firewall'
```
### Supported firewalls and platforms
* UFW - Ubuntu, Debian
* IPTables - Red Hat & CentOS, Ubuntu
* FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, [needs contributions/testing](https://github.com/chef-cookbooks/firewall/issues/86))
* Windows Advanced Firewall - 2012 R2
- UFW - Ubuntu, Debian (except 9)
- IPTables - Red Hat & CentOS, Ubuntu
- FirewallD - Red Hat & CentOS >= 7.0 (IPv4 only support, [needs contributions/testing](https://github.com/chef-cookbooks/firewall/issues/86))
- Windows Advanced Firewall - 2012 R2
- nftables
Tested on:
* Ubuntu 14.04, 16.04 with iptables, ufw
* Debian 7, 8 with ufw
* CentOS 6 with iptables
* CentOS 7.1 with firewalld
* Windows Server 2012r2 with Windows Advanced Firewall
- Ubuntu 16.04 with iptables, ufw
- Debian 9 with iptables
- Debian 11 with nftables
- Debian 11 with new resources for firewalld
- CentOS 6 with iptables
- CentOS 7.1 with firewalld
- Oracle 8 with nftables
- Windows Server 2012r2 with Windows Advanced Firewall
By default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file:
```
```ruby
default['firewall']['ubuntu_iptables'] = true
```
By default, Red Hat & CentOS >= 7.0 chooses firewalld. To switch to iptables, set this in an attribute file:
```
```ruby
default['firewall']['redhat7_iptables'] = true
```
# Considerations that apply to all firewall providers and resources
In order to use nftables, just use the resource `nftables` and
`nftables_rule`. These resources are written in more modern design
styles and are not configurable by node attributes.
## Considerations that apply to all firewall providers and resources
This cookbook comes with two resources, firewall and firewall rule. The typical usage scenario is as follows:
- run the `:install` action on the `firewall` resource named 'default', which installs appropriate packages and configures services to start on boot and starts them
- run the `:create` action on every `firewall_rule` resource, which adds to the list of rules that should be configured on the firewall. `firewall_rule` then automatically sends a delayed notification to the `firewall['default']` resource to run the `:restart` action.
- run the delayed notification with action `:restart` on the `firewall` resource. if any rules are different than the last run, the provider will update the current state of the firewall rules to match the expected rules.
There is a fundamental mismatch between the idea of a chef action and the action that should be taken on a firewall rule. For this reason, the chef action for a firewall_rule may be `:nothing` (the rule should not be present in the firewall) or `:create` (the rule should be present in the firewall), but the action taken on a packet in a firewall (`DROP`, `ACCEPT`, etc) is denoted as a `command` parameter on the `firewall_rule` resource.
# iptables considerations
The same points hold for the `nftables`- and `nftables_rule`-resources.
## iptables considerations
If you need to use a table other than `*filter`, the best way to do so is like so:
```
```ruby
node.default['firewall']['iptables']['defaults'][:ruleset] = {
'*filter' => 1,
':INPUT DROP' => 2,
@@ -71,7 +91,8 @@ node.default['firewall']['iptables']['defaults'][:ruleset] = {
Note -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: `:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT`. This allows an example like the above to be reduced to just repeated lines of `COMMIT` and `:OUTPUT ACCEPT` while still avoiding duplication of other things.
Then it's trivial to add additional rules to the `*nat` table using the raw parameter:
```
```ruby
firewall_rule "postroute" do
raw "-A POSTROUTING -o eth1 -p tcp -d 172.28.128.21 -j SNAT --to-source 172.28.128.6"
position 150
@@ -81,42 +102,48 @@ end
Note that any line starting with `COMMIT` will become just `COMMIT`, as hash
keys must be unique but we need multiple commit lines.
# Recipes
## nftables
Please read the documentation for the
[`nftables` resource](documentation/resource_nftables.md) and the
[`nftables_rule` resource](documentation/resource_nftables_rule.md)
## Recipes
### default
The default recipe creates a firewall resource with action install.
### disable_firewall
Used to disable platform specific firewall. Many clouds have their own firewall configured outside of the OS instance such as AWS Security Groups.
# Attributes
## Attributes
* `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs
* `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs
* `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs
* `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface
* `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)
- `default['firewall']['allow_ssh'] = false`, set true to open port 22 for SSH when the default recipe runs
- `default['firewall']['allow_mosh'] = false`, set to true to open UDP ports 60000 - 61000 for [Mosh][0] when the default recipe runs
- `default['firewall']['allow_winrm'] = false`, set true to open port 5989 for WinRM when the default recipe runs
- `default['firewall']['allow_loopback'] = false`, set to true to allow all traffic on the loopback interface
- `default['firewall']['allow_icmp'] = false`, set true to allow icmp protocol on supported OSes (note: ufw and windows implementations don't support this)
- `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe
- `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe
- `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`
- `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains`
- `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform
- `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables
- `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)
- `default['firewall']['firewalld']['permanent'] = false`, set to true if you want firewalld rules to be added with `--permanent` so they survive a reboot. This will be changed to `true` by default in a future major version release.
* `default['firewall']['ubuntu_iptables'] = false`, set to true to use iptables on Ubuntu / Debian when using the default recipe
* `default['firewall']['redhat7_iptables'] = false`, set to true to use iptables on Red Hat / CentOS 7 when using the default recipe
## Resources
* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`
* `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains`
* `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform
* `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables
* `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)
* `default['firewall']['firewalld']['permanent'] = false`, set to true if you want firewalld rules to be added with `--permanent` so they survive a reboot. This will be changed to `true` by default in a future major version release.
# Resources
There is a separate folder for [`firewalld` resources](documentation/README.md).
### firewall
***NB***: The name 'default' of this resource is important as it is used for firewall_rule providers to locate the firewall resource. If you change it, you must also supply the same value to any firewall_rule resources using the `firewall_name` parameter.
#### Actions
- `:install` (*default action*): Install and Enable the firewall. This will ensure the appropriate packages are installed and that any services have been started.
- `:disable`: Disable the firewall. Drop any rules and put the node in an unprotected state. Flush all current rules. Also erase any internal state used to detect when rules should be applied.
- `:flush`: Flush all current rules. Also erase any internal state used to detect when rules should be applied.
@@ -132,8 +159,6 @@ Used to disable platform specific firewall. Many clouds have their own firewall
- `enabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:drop.`
- `package_options`: Used to pass options to the package install of firewall
#### Examples
```ruby
# all defaults
firewall 'default'
@@ -153,55 +178,36 @@ end
### firewall_rule
#### Actions
- `:create` (_default action_): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action `:reload`. The notification happens automatically.
- `:create` (*default action*): If a firewall_rule runs this action, the rule will be recorded in a chef resource's internal state, and applied when providers automatically notify the firewall resource with action `:reload`. The notification happens automatically.
#### Parameters
- `firewall_name`: the matching firewall resource that this rule applies to. Default value: `default`
- `raw`: Used to pass an entire rule as a string, omitting all other parameters. This line will be directly loaded by `iptables-restore`, fed directly into `ufw` on the command line, or run using `firewall-cmd`.
- `description` (_default: same as rule name_): Used to provide a comment that will be included when adding the firewall rule.
- `include_comment` (_default: true_): Used to optionally exclude the comment in the rule.
- `position` (_default: 50_): **relative** position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position.
- `description` (*default: same as rule name*): Used to provide a comment that will be included when adding the firewall rule.
- `include_comment` (*default: true*): Used to optionally exclude the comment in the rule.
- `position` (*default: 50*): **relative** position to insert rule at. Position may be any integer between 0 < n < 100 (exclusive), and more than one rule may specify the same position.
- `command`: What action to take on a particular packet
- `:allow` (_default action_): the rule should allow matching packets
- `:deny`: the rule should deny matching packets
- `:reject`: the rule should reject matching packets
- `:masqerade`: Masquerade the matching packets
- `:redirect`: Redirect the matching packets
- `:log`: Configure logging
- `:allow` (*default action*): the rule should allow matching packets
- `:deny`: the rule should deny matching packets
- `:reject`: the rule should reject matching packets
- `:masquerade`: Masquerade the matching packets
- `:redirect`: Redirect the matching packets
- `:log`: Configure logging
- `stateful`: a symbol or array of symbols, such as ``[:related, :established]` that will be passed to the state module in iptables or firewalld.
- `protocol`: `:tcp` (_default_), `:udp`, `:icmp`, `:none` or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).
- `direction`: For ufw, direction of the rule. valid values are: `:in` (_default_), `:out`, `:pre`, `:post`.
- `source` (_Default is `0.0.0.0/0` or `Anywhere`_): source ip address or subnet to filter.
- `source_port` (_Default is nil_): source port for filtering packets.
- `protocol`: `:tcp` (*default*), `:udp`, `:icmp`, `:none` or protocol number. Using protocol numbers is not supported using the ufw provider (default for debian/ubuntu systems).
- `direction`: For ufw, direction of the rule. valid values are: `:in` (*default*), `:out`, `:pre`, `:post`.
- `source` (*Default is `0.0.0.0/0` or `Anywhere`*): source ip address or subnet to filter.
- `source_port` (*Default is nil*): source port for filtering packets.
- `destination`: ip address or subnet to filter on packet destination, must be a valid IP
- `port` or `dest_port`: target port number (ie. 22 to allow inbound SSH), or an array of incoming port numbers (ie. [80,443] to allow inbound HTTP & HTTPS).
NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports.
NOTE: `protocol` attribute is required with multiple ports, or a range of incoming port numbers (ie. 60000..61000 to allow inbound mobile-shell. NOTE: `protocol`, or an attribute is required with a range of ports.
- `interface`: (source) interface to apply rule (ie. `eth0`).
- `dest_interface`: interface where packets may be destined to go
- `redirect_port`: redirected port for rules with command `:redirect`
- `logging`: may be added to enable logging for a particular rule. valid values are: `:connections`, `:packets`. In the ufw provider, `:connections` logs new connections while `:packets` logs all packets.
#### Examples
```ruby
# open standard ssh port
firewall_rule 'ssh' do
@@ -245,7 +251,7 @@ firewall_rule "VRRP" do
raw "allow to 224.0.0.18"
end
# open UDP ports 60000..61000 for mobile shell (mosh.mit.edu), note
# open UDP ports 60000..61000 for mobile shell (mosh.org), note
# that the protocol attribute is required when using port_range
firewall_rule 'mosh' do
protocol :udp
@@ -273,66 +279,71 @@ end
Different providers will determine the current state of the rules differently -- parsing the output of a command, maintaining the state in a file, or some other way. If the firewall is adjusted from outside of chef (non-idempotent), it's possible that chef may be caught unaware of the current state of the firewall. The best workaround is to add a `:flush` action to the firewall resource as early as possible in the chef run, if you plan to modify the firewall state outside of chef.
# Troubleshooting
## Troubleshooting
To figure out what the position values are for current rules, print the hash that contains the weights:
```
```ruby
require pp
default_firewall = resources(:firewall, 'default')
pp default_firewall.rules
```
# Development
## Development
This section details "quick development" steps. For a detailed explanation, see [[Contributing.md]].
1. Clone this repository from GitHub:
$ git clone git@github.com:chef-cookbooks/firewall.git
`$ git clone git@github.com:chef-cookbooks/firewall.git`
2. Create a git branch
1. Create a git branch
$ git checkout -b my_bug_fix
`$ git checkout -b my_bug_fix`
3. Install dependencies:
1. Install dependencies:
$ bundle install
`$ bundle install`
4. Make your changes/patches/fixes, committing appropiately
5. **Write tests**
6. Run the tests:
- `bundle exec foodcritic -f any .`
- `bundle exec rspec`
- `bundle exec rubocop`
- `bundle exec kitchen test`
1. Make your changes/patches/fixes, committing appropiately
1. **Write tests**
1. Run the tests:
In detail:
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes
- `bundle exec foodcritic -f any .`
- `bundle exec rspec`
- `bundle exec rubocop`
- `bundle exec kitchen test`
In detail:
# License & Authors
<!-- $ find -type f -iname "*.rb" -exec grep -i author '{}' \; | sort -k4 | uniq | sed 's/#/-/g' -->
- Author:: Seth Chisamore (<schisamo@opscode.com>)
- Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
- Author:: Martin Smith (<martin@mbs3.org>)
- Author:: Sander van Harmelen (<svanharmelen@schubergphilis.com>)
- Foodcritic will catch any Chef-specific style errors
- RSpec will run the unit tests
- Rubocop will check for Ruby-specific style errors
- Test Kitchen will run and converge the recipes
```text
Copyright:: 2011-2015, Chef Software, Inc
## Contributors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
This project exists thanks to all the people who [contribute.](https://opencollective.com/sous-chefs/contributors.svg?width=890&button=false)
http://www.apache.org/licenses/LICENSE-2.0
### Backers
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```
Thank you to all our backers!
[0]: https://mosh.mit.edu/
![https://opencollective.com/sous-chefs#backers](https://opencollective.com/sous-chefs/backers.svg?width=600&avatarHeight=40)
### Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
![https://opencollective.com/sous-chefs/sponsor/0/website](https://opencollective.com/sous-chefs/sponsor/0/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/1/website](https://opencollective.com/sous-chefs/sponsor/1/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/2/website](https://opencollective.com/sous-chefs/sponsor/2/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/3/website](https://opencollective.com/sous-chefs/sponsor/3/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/4/website](https://opencollective.com/sous-chefs/sponsor/4/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/5/website](https://opencollective.com/sous-chefs/sponsor/5/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/6/website](https://opencollective.com/sous-chefs/sponsor/6/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/7/website](https://opencollective.com/sous-chefs/sponsor/7/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/8/website](https://opencollective.com/sous-chefs/sponsor/8/avatar.svg?avatarHeight=100)
![https://opencollective.com/sous-chefs/sponsor/9/website](https://opencollective.com/sous-chefs/sponsor/9/avatar.svg?avatarHeight=100)
[0]: https://mosh.org

6
cookbooks/firewall/TODO.md Normal file
View File

@@ -0,0 +1,6 @@
# TODO
- update for rhel-8+ nftables, RHEL docs recommend nftables for new firewalls <https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking>
- fix windows tests
- iptables' `-S` not supported in libraries/provider_firewall_iptables.rb
- save action might not make sense for firewalls

6
cookbooks/firewall/attributes/iptables.rb
View File

@@ -5,9 +5,9 @@ default['firewall']['iptables']['defaults'][:policy] = {
}
default['firewall']['iptables']['defaults'][:ruleset] = {
'*filter' => 1,
":INPUT #{node['firewall']['iptables']['defaults'][:policy][:input]}" => 2,
":FORWARD #{node['firewall']['iptables']['defaults'][:policy][:forward]}" => 3,
":OUTPUT #{node['firewall']['iptables']['defaults'][:policy][:output]}" => 4,
":INPUT #{node['firewall']['iptables']['defaults']['policy']['input']}" => 2,
":FORWARD #{node['firewall']['iptables']['defaults']['policy']['forward']}" => 3,
":OUTPUT #{node['firewall']['iptables']['defaults']['policy']['output']}" => 4,
'COMMIT_FILTER' => 100,
}

115
cookbooks/firewall/chefignore Normal file
View File

@@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen*.yml
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

9
cookbooks/firewall/libraries/helpers.rb
View File

@@ -67,8 +67,8 @@ module FirewallCookbook
end
end
def ubuntu?(current_node)
current_node['platform'] == 'ubuntu'
def debian?(current_node)
current_node['platform_family'] == 'debian'
end
def build_rule_file(rules)
@@ -96,5 +96,10 @@ module FirewallCookbook
false
end
def default_description(new_resource)
new_resource.description ||
"Generated by chef from #{cookbook_name}[#{recipe_name}] by #{new_resource}"
end
end
end

2
cookbooks/firewall/libraries/helpers_firewalld.rb
View File

@@ -21,7 +21,7 @@ module FirewallCookbook
return false unless firewalld_active?
cmd = shell_out('firewall-cmd', '--get-default-zone')
cmd.stdout =~ /^#{z.to_s}$/
cmd.stdout =~ /^#{z}$/
end
def firewalld_default_zone!(z)

72
cookbooks/firewall/libraries/helpers_firewalld_dbus.rb Normal file
View File

@@ -0,0 +1,72 @@
module FirewallCookbook
module Helpers
module FirewalldDBus
def firewalld(system_bus)
system_bus['org.fedoraproject.FirewallD1']
end
def firewalld_object(system_bus)
firewalld(system_bus)['/org/fedoraproject/FirewallD1']
end
def firewalld_interface(system_bus)
firewalld_object(system_bus)['org.fedoraproject.FirewallD1']
end
def config_object(system_bus)
firewalld(system_bus)['/org/fedoraproject/FirewallD1/config']
end
def config_interface(system_bus)
config_object(system_bus)['org.fedoraproject.FirewallD1.config']
end
def icmptype_interface(dbus, icmptype_path)
icmptype_object = firewalld(dbus)[icmptype_path]
icmptype_object['org.fedoraproject.FirewallD1.config.icmptype']
end
def ipset_interface(dbus, ipset_path)
ipset_object = firewalld(dbus)[ipset_path]
ipset_object['org.fedoraproject.FirewallD1.config.ipset']
end
def helper_interface(dbus, helper_path)
helper_object = firewalld(dbus)[helper_path]
helper_object['org.fedoraproject.FirewallD1.config.helper']
end
def service_interface(dbus, service_path)
service_object = firewalld(dbus)[service_path]
service_object['org.fedoraproject.FirewallD1.config.service']
end
def policy_interface(dbus, policy_path)
policy_object = firewalld(dbus)[policy_path]
policy_object['org.fedoraproject.FirewallD1.config.policy']
end
def zone_interface(dbus, zone_path)
zone_object = firewalld(dbus)[zone_path]
zone_object['org.fedoraproject.FirewallD1.config.zone']
end
# port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
def parse_forward_ports(forward_ports)
port_regex = %r{port=([\w-]+):proto=([\w]+)(:toport=([\w-]+)|)(:toaddr=([\d\./]+)|)}
captures = forward_ports.match(port_regex).captures
captures.delete_at(4)
captures.delete_at(2)
captures.map { |e| e || '' }
end
def forward_ports_to_dbus(new_resource)
fwp = new_resource.forward_ports.map do |e|
parse_forward_ports(e)
end
new_resource.forward_ports = fwp
DBus.variant('a(ssss)', new_resource.forward_ports)
end
end
end
end

4
cookbooks/firewall/libraries/helpers_iptables.rb
View File

@@ -49,14 +49,14 @@ module FirewallCookbook
end
def iptables_packages(new_resource)
packages = if ipv6_enabled?(new_resource)
packages = if ipv6_enabled?(new_resource) && !amazon_linux? && node['platform_version'].to_i < 8
%w(iptables iptables-ipv6)
else
%w(iptables)
end
# centos 7 requires extra service
if !ubuntu?(node) && node['platform_version'].to_i >= 7
if (!debian?(node) && node['platform_version'].to_i >= 7) || amazon_linux?
packages << %w(iptables-services)
end

170
cookbooks/firewall/libraries/helpers_nftables.rb Normal file
View File

@@ -0,0 +1,170 @@
module FirewallCookbook
module Helpers
module Nftables
include FirewallCookbook::Helpers
CHAIN ||= {
in: 'INPUT',
out: 'OUTPUT',
pre: 'PREROUTING',
post: 'POSTROUTING',
forward: 'FORWARD',
}.freeze
TARGET ||= {
accept: 'accept',
allow: 'accept',
counter: 'counter',
deny: 'drop',
drop: 'drop',
log: 'log',
masquerade: 'masquerade',
redirect: 'redirect',
reject: 'reject',
}.freeze
def port_to_s(ports)
case ports
when String
ports
when Integer
ports.to_s
when Array
p_strings = ports.map { |o| port_to_s(o) }
"{#{p_strings.sort.join(',')}}"
when Range
"#{ports.first}-#{ports.last}"
else
raise "unknown class of port definition: #{ports.class}"
end
end
def nftables_command_log(rule_resource)
log_prefix = 'prefix '
log_prefix << if rule_resource.log_prefix.nil?
"\"#{CHAIN[rule_resource.direction]}:\""
else
"\"#{rule_resource.log_prefix}\""
end
log_group = if rule_resource.log_group.nil?
nil
else
"group #{rule_resource.log_group} "
end
"log #{log_prefix} #{log_group}"
end
def nftables_command_redirect(rule_resource)
if rule_resource.redirect_port.nil?
raise 'Specify redirect_port when using :redirect as commmand'
end
"redirect to #{rule_resource.redirect_port} "
end
def nftables_commands(rule_resource)
firewall_rule = ''
Array(rule_resource.command).each do |command|
begin
target = TARGET.fetch(command)
rescue KeyError
raise "Invalid command: #{command.inspect}. Use one of #{TARGET.keys}"
end
firewall_rule << case target
when 'log'
nftables_command_log(rule_resource)
when 'redirect'
nftables_command_redirect(rule_resource)
else
"#{TARGET[command.to_sym]} "
end
end
firewall_rule
end
def build_firewall_rule(rule_resource)
return rule_resource.raw.strip if rule_resource.raw
ip = ipv6_rule?(rule_resource) ? 'ip6' : 'ip'
table = if [:pre, :post].include?(rule_resource.direction)
'nat'
else
'filter'
end
firewall_rule = if table == 'nat'
"add rule #{ip} #{table} "
else
"add rule inet #{table} "
end
firewall_rule << "#{CHAIN.fetch(rule_resource.direction.to_sym, 'FORWARD')} "
firewall_rule << "iif #{rule_resource.interface} " if rule_resource.interface
firewall_rule << "oif #{rule_resource.outerface} " if rule_resource.outerface
if rule_resource.source
source_with_mask = ip_with_mask(rule_resource, rule_resource.source)
if source_with_mask != '0.0.0.0/0' && source_with_mask != '::/128'
firewall_rule << "#{ip} saddr #{source_with_mask} "
end
end
firewall_rule << "#{ip} daddr #{rule_resource.destination} " if rule_resource.destination
case rule_resource.protocol
when :icmp
firewall_rule << 'icmp type echo-request '
when :'ipv6-icmp', :icmpv6
firewall_rule << 'icmpv6 type { echo-request, nd-router-solicit, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } '
when :tcp, :udp
firewall_rule << "#{rule_resource.protocol} sport #{port_to_s(rule_resource.sport)} " if rule_resource.sport
firewall_rule << "#{rule_resource.protocol} dport #{port_to_s(rule_resource.dport)} " if rule_resource.dport
when :esp, :ah
firewall_rule << "#{ip} #{ip == 'ip6' ? 'nexthdr' : 'protocol'} #{rule_resource.protocol} "
when :ipv6, :none
# nothing to do
end
firewall_rule << "ct state #{Array(rule_resource.stateful).join(',').downcase} " if rule_resource.stateful
firewall_rule << nftables_commands(rule_resource)
firewall_rule << "comment \"#{rule_resource.description}\" " if rule_resource.include_comment
firewall_rule.strip!
firewall_rule
end
def default_ruleset(new_resource)
rules = {
'add table inet filter' => 1,
"add chain inet filter INPUT { type filter hook input priority 0 ; policy #{new_resource.input_policy}; }" => 2,
"add chain inet filter OUTPUT { type filter hook output priority 0 ; policy #{new_resource.output_policy}; }" => 2,
"add chain inet filter FOWARD { type filter hook forward priority 0 ; policy #{new_resource.forward_policy}; }" => 2,
}
if new_resource.table_ip_nat
rules['add table ip nat'] = 1
rules['add chain ip nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
rules['add chain ip nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
end
if new_resource.table_ip6_nat
rules['add table ip6 nat'] = 1
rules['add chain ip6 nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
rules['add chain ip6 nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
end
rules
end
def ensure_default_rules_exist(new_resource)
input = new_resource.rules || {}
input.merge!(default_ruleset(new_resource))
end
def default_nftables_conf_path
case node['platform_family']
when 'rhel'
'/etc/sysconfig/nftables.conf'
when 'debian'
'/etc/nftables.conf'
else
raise "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}."
end
end
end
end
end

7
cookbooks/firewall/libraries/helpers_ufw.rb
View File

@@ -74,6 +74,7 @@ module FirewallCookbook
rule << rule_proto(new_resource)
rule << rule_dest_port(new_resource)
rule << rule_source_port(new_resource)
rule << rule_description(new_resource)
rule = rule.strip
if rule == 'ufw allow in proto tcp to any from any'
@@ -97,6 +98,12 @@ module FirewallCookbook
rule
end
def rule_description(new_resource)
rule = ''
rule << "comment \"#{new_resource.description}\" " if new_resource.description && new_resource.include_comment
rule
end
def rule_dest_port(new_resource)
rule = if new_resource.destination
"to #{new_resource.destination} "

17
cookbooks/firewall/libraries/helpers_windows.rb
View File

@@ -44,12 +44,11 @@ module FirewallCookbook
def to_type(new_resource)
cmd = new_resource.command
type = if cmd == :reject || cmd == :deny
:block
else
:allow
end
type
if cmd == :reject || cmd == :deny
:block
else
:allow
end
end
def build_rule(new_resource)
@@ -66,13 +65,13 @@ module FirewallCookbook
if new_resource.direction.to_sym == :out
parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
parameters['interfacetype'] = new_resource.interface ? new_resource.interface : 'any'
parameters['interfacetype'] = new_resource.interface || 'any'
parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
parameters['remoteport'] = new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any'
else
parameters['localip'] = new_resource.destination ? new_resource.destination : 'any'
parameters['localip'] = new_resource.destination || 'any'
parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'
parameters['interfacetype'] = new_resource.dest_interface ? new_resource.dest_interface : 'any'
parameters['interfacetype'] = new_resource.dest_interface || 'any'
parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
end

30
cookbooks/firewall/libraries/matchers.rb
View File

@@ -1,30 +0,0 @@
if defined?(ChefSpec)
ChefSpec.define_matcher(:firewall)
ChefSpec.define_matcher(:firewall_rule)
# actions(:install, :restart, :disable, :flush, :save)
def install_firewall(resource)
ChefSpec::Matchers::ResourceMatcher.new(:firewall, :install, resource)
end
def restart_firewall(resource)
ChefSpec::Matchers::ResourceMatcher.new(:firewall, :restart, resource)
end
def disable_firewall(resource)
ChefSpec::Matchers::ResourceMatcher.new(:firewall, :disable, resource)
end
def flush_firewall(resource)
ChefSpec::Matchers::ResourceMatcher.new(:firewall, :flush, resource)
end
def save_firewall(resource)
ChefSpec::Matchers::ResourceMatcher.new(:firewall, :save, resource)
end
def create_firewall_rule(resource)
ChefSpec::Matchers::ResourceMatcher.new(:firewall_rule, :create, resource)
end
end

14
cookbooks/firewall/libraries/provider_firewall_firewalld.rb
View File

@@ -19,15 +19,15 @@ class Chef
class Provider::FirewallFirewalld < Chef::Provider::LWRPBase
include FirewallCookbook::Helpers::Firewalld
provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables']
provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
(node['platform_version'].to_i == 7 && !node['firewall']['redhat7_iptables']) || (amazon_linux? && !node['firewall']['redhat7_iptables'])
end
def whyrun_supported?
false
end
def action_install
action :install do
return if disabled?(new_resource)
firewalld_package = package 'firewalld' do
@@ -51,7 +51,7 @@ class Chef
end
end
def action_restart
action :restart do
return if disabled?(new_resource)
# ensure it's initialized
@@ -111,7 +111,7 @@ class Chef
new_resource.updated_by_last_action(true)
end
def action_disable
action :disable do
return if disabled?(new_resource)
if firewalld_active?
@@ -133,7 +133,7 @@ class Chef
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
end
def action_flush
action :flush do
return if disabled?(new_resource)
return unless firewalld_active?
@@ -146,7 +146,7 @@ class Chef
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
end
def action_save
action :save do
return if disabled?(new_resource)
return if firewalld_all_rules_permanent!

16
cookbooks/firewall/libraries/provider_firewall_iptables.rb
View File

@@ -3,7 +3,7 @@
# Cookbook:: firewall
# Resource:: default
#
# Copyright:: 2011-2016, Chef Software, Inc.
# Copyright:: 2011-2019, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,15 +22,15 @@ class Chef
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::Iptables
provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
(node['platform_version'].to_i < 7 && !amazon_linux?) || node['platform_version'].to_i >= 8 || node['firewall']['redhat7_iptables']
end
def whyrun_supported?
false
end
def action_install
action :install do
return if disabled?(new_resource)
# Ensure the package is installed
@@ -60,7 +60,7 @@ class Chef
end
end
def action_restart
action :restart do
return if disabled?(new_resource)
# prints all the firewall rules
@@ -104,12 +104,12 @@ class Chef
next unless iptables_file.updated_by_last_action?
iptables_service = lookup_or_create_service(iptables_type)
new_resource.notifies(:restart, iptables_service, :delayed)
iptables_service.run_action(:restart)
new_resource.updated_by_last_action(true)
end
end
def action_disable
action :disable do
return if disabled?(new_resource)
iptables_flush!(new_resource)
@@ -131,7 +131,7 @@ class Chef
end
end
def action_flush
action :flush do
return if disabled?(new_resource)
iptables_flush!(new_resource)

23
cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
View File

@@ -3,7 +3,7 @@
# Cookbook:: firewall
# Resource:: default
#
# Copyright:: 2011-2016, Chef Software, Inc.
# Copyright:: 2011-2019, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,14 +23,15 @@ class Chef
include FirewallCookbook::Helpers::Iptables
provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
node['platform_version'].to_f > 14.04 && node['firewall'] && node['firewall']['ubuntu_iptables']
node['firewall'] && node['firewall']['ubuntu_iptables'] &&
node['platform_version'].to_f > (node['platform'] == 'ubuntu' ? 14.04 : 7)
end
def whyrun_supported?
false
end
def action_install
action :install do
return if disabled?(new_resource)
# Ensure the package is installed
@@ -63,7 +64,7 @@ class Chef
end
end
def action_restart
action :restart do
return if disabled?(new_resource)
# prints all the firewall rules
@@ -97,6 +98,8 @@ class Chef
end
end
restart_service = false
rule_files = %w(iptables)
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
@@ -119,17 +122,19 @@ class Chef
iptables_file.run_action(:create)
# if the file was changed, restart iptables
next unless iptables_file.updated_by_last_action?
restart_service = true if iptables_file.updated_by_last_action?
end
if restart_service
service_affected = service 'netfilter-persistent' do
action :nothing
end
new_resource.notifies(:restart, service_affected, :delayed)
service_affected.run_action(:restart)
new_resource.updated_by_last_action(true)
end
end
def action_disable
action :disable do
return if disabled?(new_resource)
iptables_flush!(new_resource)
@@ -152,7 +157,7 @@ class Chef
end
end
def action_flush
action :flush do
return if disabled?(new_resource)
iptables_flush!(new_resource)

25
cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
View File

@@ -1,9 +1,9 @@
#
# Author:: Seth Chisamore (<schisamo@opscode.com>)
# Cookbook Name:: firewall
# Cookbook:: firewall
# Resource:: default
#
# Copyright:: 2011, Opscode, Inc.
# Copyright:: 2011-2019, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,14 +23,15 @@ class Chef
include FirewallCookbook::Helpers::Iptables
provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
node['platform_version'].to_f <= 14.04 && node['firewall'] && node['firewall']['ubuntu_iptables']
node['firewall'] && node['firewall']['ubuntu_iptables'] &&
node['platform_version'].to_f <= (node['platform'] == 'ubuntu' ? 14.04 : 7)
end
def whyrun_supported?
false
end
def action_install
action :install do
return if disabled?(new_resource)
# Ensure the package is installed
@@ -63,7 +64,7 @@ class Chef
end
end
def action_restart
action :restart do
return if disabled?(new_resource)
# prints all the firewall rules
@@ -97,6 +98,8 @@ class Chef
end
end
restart_service = false
rule_files = %w(iptables)
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
@@ -119,17 +122,19 @@ class Chef
iptables_file.run_action(:create)
# if the file was changed, restart iptables
next unless iptables_file.updated_by_last_action?
restart_service = true if iptables_file.updated_by_last_action?
end
if restart_service
service_affected = service 'iptables-persistent' do
action :nothing
end
new_resource.notifies(:restart, service_affected, :delayed)
service_affected.run_action(:restart)
new_resource.updated_by_last_action(true)
end
end
def action_disable
action :disable do
return if disabled?(new_resource)
iptables_flush!(new_resource)
@@ -152,7 +157,7 @@ class Chef
end
end
def action_flush
action :flush do
return if disabled?(new_resource)
iptables_flush!(new_resource)

2
cookbooks/firewall/libraries/provider_firewall_rule.rb
View File

@@ -21,7 +21,7 @@ class Chef
class Provider::FirewallRuleGeneric < Chef::Provider::LWRPBase
provides :firewall_rule
def action_create
action :create do
return unless new_resource.notify_firewall
firewall_resource = Chef.run_context.resource_collection.find(firewall: new_resource.firewall_name)

10
cookbooks/firewall/libraries/provider_firewall_ufw.rb
View File

@@ -3,7 +3,7 @@
# Cookbook:: firewall
# Resource:: default
#
# Copyright:: 2011-2016, Chef Software, Inc.
# Copyright:: 2011-2019, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@ class Chef
false
end
def action_install
action :install do
return if disabled?(new_resource)
pkg_ufw = package 'ufw' do
@@ -58,7 +58,7 @@ class Chef
new_resource.updated_by_last_action(true) if ufw_file.updated_by_last_action?
end
def action_restart
action :restart do
return if disabled?(new_resource)
# ensure it's initialized
@@ -99,7 +99,7 @@ class Chef
new_resource.updated_by_last_action(true)
end
def action_disable
action :disable do
return if disabled?(new_resource)
ufw_file = lookup_or_create_rulesfile
@@ -112,7 +112,7 @@ class Chef
new_resource.updated_by_last_action(true)
end
def action_flush
action :flush do
return if disabled?(new_resource)
ufw_reset!

8
cookbooks/firewall/libraries/provider_firewall_windows.rb
View File

@@ -26,7 +26,7 @@ class Chef
false
end
def action_install
action :install do
return if disabled?(new_resource)
svc = service 'MpsSvc' do
@@ -39,7 +39,7 @@ class Chef
end
end
def action_restart
action :restart do
return if disabled?(new_resource)
# ensure it's initialized
@@ -94,7 +94,7 @@ class Chef
new_resource.updated_by_last_action(true)
end
def action_disable
action :disable do
return if disabled?(new_resource)
if active?
@@ -115,7 +115,7 @@ class Chef
end
end
def action_flush
action :flush do
return if disabled?(new_resource)
reset!

5
cookbooks/firewall/libraries/resource_firewall_rule.rb
View File

@@ -6,7 +6,6 @@ class Chef
resource_name(:firewall_rule)
provides(:firewall_rule)
actions(:create)
default_action(:create)
attribute(:firewall_name, kind_of: String, default: 'default')
@@ -20,12 +19,12 @@ class Chef
attribute(:direction, kind_of: Symbol, equal_to: [:in, :out, :pre, :post], default: :in)
attribute(:logging, kind_of: Symbol, equal_to: [:connections, :packets])
attribute(:source, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
attribute(:source, kind_of: String, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
attribute(:source_port, kind_of: [Integer, Array, Range]) # source port
attribute(:interface, kind_of: String)
attribute(:port, kind_of: [Integer, Array, Range]) # shorthand for dest_port
attribute(:destination, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
attribute(:destination, kind_of: String, callbacks: { 'must be a valid ip address' => ->(ip) { !!IPAddr.new(ip) } })
attribute(:dest_port, kind_of: [Integer, Array, Range])
attribute(:dest_interface, kind_of: String)

41
cookbooks/firewall/metadata.json
View File

File diff suppressed because one or more lines are too long

15
cookbooks/firewall/metadata.rb Normal file
View File

@@ -0,0 +1,15 @@
name 'firewall'
maintainer 'Sous Chefs'
maintainer_email 'help@sous-chefs.org'
license 'Apache-2.0'
description 'Provides a set of primitives for managing firewalls and associated rules.'
version '6.2.16'
source_url 'https://github.com/sous-chefs/firewall'
issues_url 'https://github.com/sous-chefs/firewall/issues'
chef_version '>= 15.5'
supports 'amazon'
supports 'centos'
supports 'debian'
supports 'ubuntu'
supports 'windows'

10
cookbooks/firewall/recipes/default.rb
View File

@@ -2,7 +2,7 @@
# Cookbook:: firewall
# Recipe:: default
#
# Copyright:: 2011-2016, Chef Software, Inc.
# Copyright:: 2011-2019, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,17 +17,13 @@
# limitations under the License.
#
chef_sugar_cookbook_version = Gem::Version.new(run_context.cookbook_collection['chef-sugar'].metadata.version)
include_recipe 'chef-sugar' if chef_sugar_cookbook_version < Gem::Version.new('4.0.0')
firewall 'default' do
ipv6_enabled node['firewall']['ipv6_enabled']
action :install
end
# create a variable to use as a condition on some rules that follow
iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']
iptables_firewall = rhel? || amazon_linux? || node['firewall']['ubuntu_iptables']
firewall_rule 'allow loopback' do
interface 'lo'
@@ -41,7 +37,7 @@ firewall_rule 'allow icmp' do
command :allow
# debian ufw doesn't allow 'icmp' protocol, but does open
# icmp by default, so we skip it in default recipe
only_if { (!debian? || iptables_firewall) && node['firewall']['allow_icmp'] }
only_if { iptables_firewall && node['firewall']['allow_icmp'] }
end
firewall_rule 'allow world to ssh' do

2
cookbooks/firewall/recipes/disable_firewall.rb
View File

@@ -2,7 +2,7 @@
# Cookbook:: firewall
# Recipe:: disable_firewall
#
# Copyright:: 2011-2016, Chef Software, Inc.
# Copyright:: 2011-2019, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

17
cookbooks/firewall/renovate.json Normal file
View File

@@ -0,0 +1,17 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:base"],
"packageRules": [{
"groupName": "Actions",
"matchUpdateTypes": ["patch", "pin", "digest"],
"automerge": true,
"addLabels": ["Release: Patch", "Skip: Announcements"]
},
{
"groupName": "Actions",
"matchUpdateTypes": ["major"],
"automerge": false,
"addLabels": ["Release: Patch", "Skip: Announcements"]
}
]
}

28
cookbooks/firewall/resources/firewalld.rb Normal file
View File

@@ -0,0 +1,28 @@
unified_mode true
provides :firewalld,
os: 'linux'
action :install do
chef_gem 'ruby-dbus'
require 'dbus'
package 'firewalld'
end
action :reload do
service 'firewalld' do
action :reload
end
end
action :restart do
service 'firewalld' do
action :restart
end
end
action :disable do
service 'firewalld' do
action [:disable, :stop]
end
end

39
cookbooks/firewall/resources/firewalld_config.rb Normal file
View File

@@ -0,0 +1,39 @@
unified_mode true
provides :firewalld_config,
os: 'linux'
property :default_zone,
String,
description: 'Set default zone for connections and interfaces where no zone has been selected to zone. Setting the default zone changes the zone for the connections or interfaces, that are using the default zone.'
property :log_denied,
String,
equal_to: %w(all unicast broadcast multicast off),
description: 'Set LogDenied value to value. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones.'
load_current_value do |_new_resource|
sysbus = DBus.system_bus
firewalld_service = sysbus['org.fedoraproject.FirewallD1']
firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1']
interface = firewalld_object['org.fedoraproject.FirewallD1']
default_zone interface.getDefaultZone
log_denied interface.getLogDenied
end
action :update do
dbus = DBus.system_bus
fw = firewalld_interface(dbus)
converge_if_changed :default_zone do
fw.setDefaultZone new_resource.default_zone
end
converge_if_changed :log_denied do
fw.setLogDenied new_resource.log_denied
end
end
action_class do
include FirewallCookbook::Helpers::FirewalldDBus
end

106
cookbooks/firewall/resources/firewalld_helpers.rb Normal file
View File

@@ -0,0 +1,106 @@
unified_mode true
provides :firewalld_helper,
os: 'linux'
property :version,
String,
default: '',
description: 'see version attribute of helper tag in firewalld.helper(5).'
property :short,
String,
name_property: true,
description: 'see short tag in firewalld.helper(5).'
property :description,
String,
description: 'see description tag in firewalld.helper(5).'
property :family,
String,
equal_to: %w(ipv4 ipv6),
default: 'ipv4',
description: 'see family tag in firewalld.helper(5).'
property :nf_module,
String,
description: 'see module tag in firewalld.helper(5).'
property :ports,
[Array, String],
default: [],
description: 'array of port and protocol pairs. See port tag in firewalld.helper(5).',
coerce: proc { |o| Array(o) }
load_current_value do |new_resource|
dbus = DBus.system_bus
firewalld_service = dbus['org.fedoraproject.FirewallD1']
firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
if fw_config.getHelperNames.include?(new_resource.short)
helper_path = fw_config.getHelperByName(new_resource.short)
object = firewalld_service[helper_path]
config_helper = object['org.fedoraproject.FirewallD1.config.helper']
settings = config_helper.getSettings
version settings[0]
# short settings[1]
description settings[2]
family settings[3]
nf_module settings[4]
ports settings[5]
else
Chef::Log.info "Helper #{new_resource.short} does not exist. Will be created."
end
end
action :update do
dbus = DBus.system_bus
fw = firewalld_interface(dbus)
fw_config = config_interface(dbus)
helper_names = fw_config.getHelperNames
reload = false
if !helper_names.include?(new_resource.short)
values = [
new_resource.version,
new_resource.short,
default_description(new_resource),
new_resource.family,
new_resource.nf_module,
new_resource.ports.map { |e| e.split('/') },
]
converge_by "Add Helper #{new_resource.short}" do
fw_config.addHelper(new_resource.short, values)
end
reload = true
else
helper_path = fw_config.getHelperByName(new_resource.short)
helper = helper_interface(dbus, helper_path)
converge_if_changed :version do
helper.setVersion new_resource.version
reload = true
end
converge_if_changed :description do
helper.setDescription default_description(new_resource)
reload = true
end
converge_if_changed :family do
helper.setFamily new_resource.family
reload = true
end
converge_if_changed :nf_module do
helper.setModule new_resource.nf_module
reload = true
end
converge_if_changed :ports do
helper.setPorts new_resource.ports.map { |e| e.split('/') }
reload = true
end
end
if reload
converge_by ['reload permanent configuration of firewalld'] do
fw.reload
end
end
end
action_class do
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::FirewalldDBus
end

88
cookbooks/firewall/resources/firewalld_icmptype.rb Normal file
View File

@@ -0,0 +1,88 @@
unified_mode true
provides :firewalld_icmptype,
os: 'linux'
property :version,
String,
default: '',
description: 'see version attribute of icmptype tag in firewalld.icmptype(5).'
property :short,
String,
name_property: true,
description: 'see short tag in firewalld.icmptype(5).'
property :description,
String,
description: 'see description tag in firewalld.icmptype(5).'
property :destinations,
Array,
equal_to: [['ipv4'], ['ipv6'], %w(ipv4 ipv6)],
default: 'ipv4',
description: 'array, either empty or containing strings \'ipv4\' and/or \'ipv6\', see destination tag in firewalld.icmptype(5).',
coerce: proc { |o| Array(o) }
load_current_value do |new_resource|
sysbus = DBus.system_bus
firewalld_service = sysbus['org.fedoraproject.FirewallD1']
firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
if fw_config.getIcmpTypeNames.include?(new_resource.short)
icmptype_path = fw_config.getIcmpTypeByName(new_resource.short)
object = firewalld_service[icmptype_path]
config_icmptype = object['org.fedoraproject.FirewallD1.config.icmptype']
settings = config_icmptype.getSettings
version settings[0]
# short settings[1]
description settings[2]
destinations settings[3]
else
Chef::Log.info "IcmpType #{new_resource.short} does not exist. Will be created."
end
end
action :update do
dbus = DBus.system_bus
fw_config = config_interface(dbus)
fw = firewalld_interface(dbus)
reload = false
icmptype_names = fw_config.getIcmpTypeNames
if !icmptype_names.include?(new_resource.short)
values = [
new_resource.version,
new_resource.short,
default_description(new_resource),
new_resource.destinations,
]
converge_by "Add IcmpType #{new_resource.short}" do
fw_config.addIcmpType(new_resource.short, values)
end
reload = true
else
icmptype_path = fw_config.getIcmpTypeByName(new_resource.short)
icmptype = icmptype_interface(dbus, icmptype_path)
converge_if_changed :version do
icmptype.setVersion new_resource.version
reload = true
end
converge_if_changed :description do
icmptype.setDescription default_description(new_resource)
reload = true
end
converge_if_changed :destinations do
icmptype.setDestinations new_resource.destinations
reload = true
end
end
if reload
converge_by ['reload permanent configuration of firewalld'] do
fw.reload
end
end
end
action_class do
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::FirewalldDBus
end

104
cookbooks/firewall/resources/firewalld_ipset.rb Normal file
View File

@@ -0,0 +1,104 @@
unified_mode true
provides :firewalld_ipset,
os: 'linux'
property :version,
String,
description: 'see version attribute of ipset tag in firewalld.ipset(5).'
property :short,
String,
name_property: true,
description: 'see short tag in firewalld.ipset(5).'
property :description,
String,
description: 'see description tag in firewalld.ipset(5).'
property :type,
String,
default: 'hash:ip',
description: 'see type attribute of ipset tag in firewalld.ipset(5).',
equal_to:
%w(hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net)
property :options,
Hash,
description: 'hash of {option : value} . See options tag in firewalld.ipset(5).'
property :entries,
[Array, String],
description: 'array of entries, see entry tag in firewalld.ipset(5).',
coerce: proc { |o| Array(o) }
load_current_value do |new_resource|
sysbus = DBus.system_bus
firewalld_service = sysbus['org.fedoraproject.FirewallD1']
firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
if fw_config.getIPSetNames.include?(new_resource.short)
ipset_path = fw_config.getIPSetByName(new_resource.short)
object = firewalld_service[ipset_path]
config_ipset = object['org.fedoraproject.FirewallD1.config.ipset']
settings = config_ipset.getSettings
version settings[0]
# short settings[1]
description settings[2]
type settings[3]
options settings[4]
entries settings[5]
else
Chef::Log.info "Ipset #{new_resource.short} does not exist. Will be created."
end
end
action :update do
dbus = DBus.system_bus
fw = firewalld_interface(dbus)
fw_config = config_interface(dbus)
reload = false
if !fw_config.getIPSetNames.include?(new_resource.short)
values = [
new_resource.version || '',
new_resource.short,
default_description(new_resource),
new_resource.type,
new_resource.options || {},
new_resource.entries,
]
converge_by "Add ipset #{new_resource.short}" do
fw_config.addIPSet(new_resource.short, values)
end
reload = true
else
ipset_path = fw_config.getIPSetByName(new_resource.short)
ipset = ipset_interface(dbus, ipset_path)
converge_if_changed :version do
ipset.setVersion new_resource.version
reload = true
end
converge_if_changed :description do
ipset.setDescriptions default_description(new_resource)
reload = true
end
converge_if_changed :type do
ipset.setType new_resource.type
reload = true
end
converge_if_changed :options do
ipset.setOptions(new_resource.options || {})
reload = true
end
converge_if_changed :entries do
ipset.setEntries new_resource.entries
reload = true
end
end
if reload
converge_by ['reload permanent configuration of firewalld'] do
fw.reload
end
end
end
action_class do
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::FirewalldDBus
end

115
cookbooks/firewall/resources/firewalld_policy.rb Normal file
View File

@@ -0,0 +1,115 @@
unified_mode true
provides :firewalld_policy,
os: 'linux'
property :description,
String,
description: 'see description tag in firewalld.policy(5).'
property :egress_zones,
[Array, String],
description: 'array of zone names. See egress-zone tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :forward_ports,
[Array, String],
description: 'array of `portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]`. See forward-port tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :icmp_blocks,
[Array, String],
description: 'array of icmp-blocks. See icmp-block tag in firewalld.policy(5).'
property :ingress_zones,
[Array, String],
description: 'array of zone names. See ingress-zone tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :masquerade,
[true, false],
description: 'see masquerade tag in firewalld.policy(5).'
property :ports,
[Array, String],
description: 'array of port and protocol pairs. See port tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :priority,
Integer,
description: 'see priority tag in firewalld.policy(5).'
property :protocols,
[Array, String],
description: 'array of protocols, see protocol tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :rich_rules,
[Array, String],
description: 'array of rich-language rules. See rule tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :services,
[Array, String],
description: 'array of service names, see service tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :short,
String,
description: 'see short tag in firewalld.policy(5).',
name_property: true
property :source_ports,
[Array, String],
description: 'array of port and protocol pairs. See source-port tag in firewalld.policy(5).',
coerce: proc { |o| Array(o) }
property :target,
String,
description: 'see target attribute of policy tag in firewalld.policy(5).'
property :version,
String,
description: 'see version attribute of policy tag in firewalld.policy(5).'
load_current_value do |new_resource|
sysbus = DBus.system_bus
firewalld_service = sysbus['org.fedoraproject.FirewallD1']
firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
if fw_config.getPolicyNames.include?(new_resource.short)
policy_path = fw_config.getPolicyByName(new_resource.short)
object = firewalld_service[policy_path]
config_policy = object['org.fedoraproject.FirewallD1.config.policy']
config_policy.getSettings.each do |k, v|
send(k, v)
end
else
Chef::Log.info "Zone #{new_resource.short} does not exist. Will be created."
end
end
action :update do
dbus = DBus.system_bus
fw = firewalld_interface(dbus)
fw_config = config_interface(dbus)
reload = false
unless fw_config.getPolicyNames.include?(new_resource.short)
fw_config.addPolicy(new_resource.short, {})
end
policy_path = fw_config.getPolicyByName(new_resource.short)
policy = policy_interface(dbus, policy_path)
properties = new_resource.class.state_properties.map(&:name)
properties.each do |property|
new_value = new_resource.send(property)
next if new_value.nil?
if [:ports, :source_ports].include?(property)
new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
elsif [:forward_ports].include?(property)
new_value = forward_ports_to_dbus(new_resource)
elsif [:priority].include?(property)
new_value = DBus.variant('i', new_value)
end
converge_if_changed property do
policy.update({ property.to_s => new_value })
reload = true
end
end
if reload
converge_by ['reload permanent configuration of firewalld'] do
fw.reload
end
end
end
action_class do
include FirewallCookbook::Helpers::FirewalldDBus
end

98
cookbooks/firewall/resources/firewalld_service.rb Normal file
View File

@@ -0,0 +1,98 @@
unified_mode true
provides :firewalld_service,
os: 'linux'
property :version,
String,
description: 'see version attribute of service tag in firewalld.service(5).'
property :short,
String,
name_property: true,
description: 'see short tag in firewalld.service(5).'
property :description,
String,
description: 'see description tag in firewalld.service(5).'
property :ports,
[Array, String],
description: 'array of port and protocol pairs. See port tag in firewalld.service(5).',
coerce: proc { |o| Array(o) }
property :module_names,
[Array, String],
description: 'array of kernel netfilter helpers, see module tag in firewalld.service(5).',
coerce: proc { |o| Array(o) }
property :destination,
Hash,
description: 'hash of {IP family : IP address} where \'IP family\' key can be either \'ipv4\' or \'ipv6\'. See destination tag in firewalld.service(5).'
property :protocols,
[Array, String],
description: 'array of protocols, see protocol tag in firewalld.service(5).',
coerce: proc { |o| Array(o) }
property :source_ports,
[Array, String],
description: 'array of port and protocol pairs. See source-port tag in firewalld.service(5).',
coerce: proc { |o| Array(o) }
property :includes,
[Array, String],
description: 'array of service includes, see include tag in firewalld.service(5).',
coerce: proc { |o| Array(o) }
property :helpers,
[Array, String],
description: 'array of service helpers, see helper tag in firewalld.service(5).',
coerce: proc { |o| Array(o) }
load_current_value do |new_resource|
sysbus = DBus.system_bus
firewalld_service = sysbus['org.fedoraproject.FirewallD1']
firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
if fw_config.getServiceNames.include?(new_resource.short)
service_path = fw_config.getServiceByName(new_resource.short)
object = firewalld_service[service_path]
config_service = object['org.fedoraproject.FirewallD1.config.service']
config_service.getSettings2.each do |k, v|
send(k, v)
end
else
Chef::Log.info "Service #{new_resource.short} does not exist. Will be created."
end
end
action :update do
dbus = DBus.system_bus
fw = firewalld_interface(dbus)
fw_config = config_interface(dbus)
reload = false
unless fw_config.getServiceNames.include?(new_resource.short)
fw_config.addService2(new_resource.short, {})
end
service_path = fw_config.getServiceByName(new_resource.short)
service = service_interface(dbus, service_path)
properties = new_resource.class.state_properties.map(&:name)
properties.each do |property|
new_value = new_resource.send(property)
next unless new_value
if [:ports, :source_ports].include?(property)
new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
elsif property == :description
new_value = default_description(new_resource)
end
converge_if_changed property do
key = property == :short ? 'name' : property.to_s
service.update2({ key => new_value })
reload = true
end
end
if reload
converge_by ['reload permanent configuration of firewalld'] do
fw.reload
end
end
end
action_class do
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::FirewalldDBus
end

118
cookbooks/firewall/resources/firewalld_zone.rb Normal file
View File

@@ -0,0 +1,118 @@
unified_mode true
provides :firewalld_zone,
os: 'linux'
property :description,
String,
description: 'see description tag in firewalld.zone(5).'
property :forward,
[true, false],
description: 'see forward tag in firewalld.zone(5).'
property :forward_ports,
[Array, String],
description: 'array of (port, protocol, to-port, to-addr). See forward-port tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :icmp_block_inversion,
[true, false],
description: 'see icmp-block-inversion tag in firewalld.zone(5).'
property :icmp_blocks,
[Array, String],
description: 'array of icmp-blocks. See icmp-block tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :interfaces,
[Array, String],
description: 'array of interfaces. See interface tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :masquerade,
[true, false],
description: 'see masquerade tag in firewalld.zone(5).'
property :ports,
[Array, String],
description: 'array of port and protocol pairs. See port tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :protocols,
[Array, String],
description: 'array of protocols, see protocol tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :rules_str,
[Array, String],
description: 'array of rich-language rules. See rule tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :services,
[Array, String],
description: 'array of service names, see service tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :short,
String,
name_property: true,
description: 'see short tag in firewalld.zone(5).'
property :source_ports,
[Array, String],
description: 'array of port and protocol pairs. See source-port tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :sources,
[Array, String],
description: 'array of source addresses. See source tag in firewalld.zone(5).',
coerce: proc { |o| Array(o) }
property :target,
String,
description: 'see target attribute of zone tag in firewalld.zone(5).'
property :version,
String,
description: 'see version attribute of zone tag in firewalld.zone(5).'
load_current_value do |new_resource|
sysbus = DBus.system_bus
firewalld_service = sysbus['org.fedoraproject.FirewallD1']
firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
if fw_config.getZoneNames.include?(new_resource.short)
zone_path = fw_config.getZoneByName(new_resource.short)
object = firewalld_service[zone_path]
config_zone = object['org.fedoraproject.FirewallD1.config.zone']
config_zone.getSettings2.each do |k, v|
send(k, v)
end
else
Chef::Log.info "Zone #{new_resource.short} does not exist. Will be created."
end
end
action :update do
dbus = DBus.system_bus
fw = firewalld_interface(dbus)
fw_config = config_interface(dbus)
unless fw_config.getZoneNames.include?(new_resource.short)
fw_config.addZone2(new_resource.short, {})
end
zone_path = fw_config.getZoneByName(new_resource.short)
zone = zone_interface(dbus, zone_path)
reload = false
properties = new_resource.class.state_properties.map(&:name)
properties.each do |property|
new_value = new_resource.send(property)
next unless new_value
if [:ports, :source_ports].include?(property)
new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
elsif [:forward_ports].include?(property)
new_value = forward_ports_to_dbus(new_resource)
end
converge_if_changed property do
zone.update2({ property.to_s => new_value })
reload = true
end
end
if reload
converge_by ['reload permanent configuration of firewalld'] do
fw.reload
end
end
end
action_class do
include FirewallCookbook::Helpers::FirewalldDBus
end

71
cookbooks/firewall/resources/nftables.rb Normal file
View File

@@ -0,0 +1,71 @@
unified_mode true
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::Nftables
provides :nftables,
os: 'linux'
property :rules,
Hash,
default: {}
property :input_policy,
String,
equal_to: %w(drop accept),
default: 'accept'
property :output_policy,
String,
equal_to: %w(drop accept),
default: 'accept'
property :forward_policy,
String,
equal_to: %w(drop accept),
default: 'accept'
property :table_ip_nat,
[true, false],
default: false
property :table_ip6_nat,
[true, false],
default: false
property :nftables_conf_path, String,
description: 'nftables.conf filepath',
default: lazy { default_nftables_conf_path }
action :install do
package 'nftables' do
action :install
notifies :rebuild, "nftables[#{new_resource.name}]"
end
end
action :rebuild do
ensure_default_rules_exist(new_resource)
file new_resource.nftables_conf_path do
content <<~NFT
#!/usr/sbin/nft -f
flush ruleset
#{build_rule_file(new_resource.rules)}
NFT
mode '0750'
owner 'root'
group 'root'
notifies :restart, 'service[nftables]'
end
service 'nftables' do
action [:enable, :start]
end
end
action :restart do
service 'nftables' do
action :restart
end
end
action :disable do
service 'nftables' do
action [:disable, :stop]
end
end

113
cookbooks/firewall/resources/nftables_rule.rb Normal file
View File

@@ -0,0 +1,113 @@
unified_mode true
require 'ipaddr'
action_class do
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::Nftables
def return_early?(new_resource)
!new_resource.notify_firewall ||
!(new_resource.action.include?(:create) &&
!new_resource.should_skip?(:create))
end
end
provides :nftables_rule
default_action :create
property :firewall_name,
String,
default: 'default'
property :command,
[Array, Symbol],
default: :accept
property :protocol,
[Integer, Symbol],
default: :tcp,
callbacks: {
'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
%i(udp tcp icmp icmpv6 ipv6-icmp esp ah ipv6 none).include?(p) || (0..142).include?(p)
end,
}
property :direction,
Symbol,
equal_to: [:in, :out, :pre, :post, :forward],
default: :in
# nftables handles ip6 and ip simultaneously. Except for directions
# :pre and :post, where where either :ip6 or :ip must be specified.
# callback should prevent from mixing that up.
property :family,
Symbol,
equal_to: [:ip6, :ip],
default: :ip
property :source,
[String, Array],
callbacks: {
'must be a valid ip address' => lambda do |ips|
Array(ips).inject(false) do |a, ip|
a || !!IPAddr.new(ip)
end
end,
}
property :sport,
[Integer, String, Array, Range]
property :interface,
String
property :dport,
[Integer, String, Array, Range]
property :destination,
[String, Array],
callbacks: {
'must be a valid ip address' => lambda do |ips|
Array(ips).inject(false) do |a, ip|
a || !!IPAddr.new(ip)
end
end,
}
property :outerface,
String
property :position,
Integer,
default: 50
property :stateful,
[Symbol, Array]
property :redirect_port,
Integer
property :description,
String,
name_property: true
property :include_comment,
[true, false],
default: true
property :log_prefix,
String
property :log_group,
Integer
# for when you just want to pass a raw rule
property :raw,
String
# do you want this rule to notify the firewall to recalculate
# (and potentially reapply) the firewall_rule(s) it finds?
property :notify_firewall,
[true, false],
default: true
action :create do
return if return_early?(new_resource)
fwr = build_firewall_rule(new_resource)
with_run_context :root do
edit_resource!('nftables', new_resource.firewall_name) do |fw_rule|
r = rules.dup || {}
r.merge!({
fwr => fw_rule.position,
})
rules(r)
delayed_action :rebuild
end
end
end