kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Update upstream cookbooks

Browse Source
This commit is contained in:
Greg Karékinian
2017-03-20 13:19:10 +00:00
parent bfd2d52ea8
commit bcfd44b923
340 changed files with 12576 additions and 5465 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
cookbooks/firewall/CHANGELOG.md
View File

@@ -2,6 +2,33 @@ firewall Cookbook CHANGELOG
=======================
This file is used to list changes made in each version of the firewall cookbook.
v2.5.4 (2017-02-13)
-------------------
* Update Test Kitchen platforms to the latest
* Update copyright headers
* Allow package options to be passed through to the package install for firewall
* Define policy for Windows Firewall and use the attributes to set desired policy
v2.5.3 (2016-10-26)
-------------------
* Don't show firewall resource as updated (#133)
* Add :off as a valid logging level (#129)
* Add support for Ubuntu 16.04 (#149)
v2.5.2 (2016-06-02)
-------------------
* Don't issue commands when firewalld isn't active (#140)
* Install iptables-services on CentOS >= 7 (#131)
* Update Ruby version on Travis for listen gem
v2.5.1 (2016-05-31)
-------------------
* Protocol guard incorrectly prevents "none" protocol type on UFW helper (#128)
* Fix wrongly ordered conditional for converting ports to strings using port_to_s
* Fix notify_firewall attribute crashing firewall_rule provider (#130)
* Add warning if firewall rule opens all traffic (#132)
* Add ipv6 attribute respect to Ubuntu iptables (#138)
v2.5.0 (2016-03-08)
-------------------
* Don't modify parameter for port (#120)

19
cookbooks/firewall/MAINTAINERS.md Normal file
View File

@@ -0,0 +1,19 @@
<!-- This is a generated file. Please do not edit directly -->
# Maintainers
This file lists how this cookbook project is maintained. When making changes to the system, this
file tells you who needs to review your patch - you need a simple majority of maintainers
for the relevant subsystems to provide a :+1: on your pull request. Additionally, you need
to not receive a veto from a Lieutenant or the Project Lead.
Check out [How Cookbooks are Maintained](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD)
for details on the process and how to become a maintainer or the project lead.
# Project Maintainer
* [Martin Smith](https://github.com/martinb3)
# Maintainers
* [Jennifer Davis](https://github.com/sigje)
* [Tim Smith](https://github.com/tas50)
* [Thom May](https://github.com/thommay)
* [Martin Smith](https://github.com/martinb3)

15
cookbooks/firewall/README.md
View File

@@ -10,7 +10,7 @@ PLEASE NOTE - The resource/providers in this cookbook are under heavy developmen
Requirements
------------
**Chef 12.4.x+** is required. We are currently testing against 12.5.1. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.:
**Chef 12.4.x+** is required. We are currently testing against 12.8.1. If you need Chef 11 support, please try pinning back to a version less than 2.0, e.g.:
```
depends 'firewall', '< 2.0'
```
@@ -22,7 +22,7 @@ depends 'firewall', '< 2.0'
* Windows Advanced Firewall - 2012 R2
Tested on:
* Ubuntu 12.04 & 14.04 with iptables, ufw
* Ubuntu 12.04, 14.04, 16.04 with iptables, ufw
* Debian 7.8, 8.1 with ufw
* CentOS 5.11, 6.7 with iptables
* CentOS 7.1 with firewalld
@@ -58,16 +58,18 @@ node.default['firewall']['iptables']['defaults'][:ruleset] = {
'*filter' => 1,
':INPUT DROP' => 2,
':FORWARD DROP' => 3,
':OUTPUT ACCEPT' => 4,
':OUTPUT ACCEPT_FILTER' => 4,
'COMMIT_FILTER' => 100,
'*nat' => 101,
':PREROUTING DROP' => 102,
':POSTROUTING DROP' => 103,
':OUTPUT ACCEPT' => 104,
':OUTPUT ACCEPT_NAT' => 104,
'COMMIT_NAT' => 200
}
```
Note -- in order to support multiple hash keys containing the same rule, anything found after the underscore will be stripped for: `:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT`. This allows an example like the above to be reduced to just repeated lines of `COMMIT` and `:OUTPUT ACCEPT` while still avoiding duplication of other things.
Then it's trivial to add additional rules to the `*nat` table using the raw parameter:
```
firewall_rule "postroute" do
@@ -96,6 +98,8 @@ The default recipe creates a firewall resource with action install, and if `node
* `default['firewall']['ufw']['defaults']` hash for template `/etc/default/ufw`
* `default['firewall']['iptables']['defaults']` hash for default policies for 'filter' table's chains`
* `default['firewall']['windows']['defaults']` hash to define inbound / outbound firewall policy on Windows platform
* `default['firewall']['allow_established'] = true`, set to false if you don't want a related/established default rule on iptables
* `default['firewall']['ipv6_enabled'] = true`, set to false if you don't want IPv6 related/established default rule on iptables (this enables ICMPv6, which is required for much of IPv6 communication)
@@ -117,10 +121,11 @@ The default recipe creates a firewall resource with action install, and if `node
- `disabled` (default to `false`): If set to true, all actions will no-op on this resource. This is a way to prevent included cookbooks from configuring a firewall.
- `ipv6_enabled` (default to `true`): If set to false, firewall will not perform any ipv6 related work. Currently only supported in iptables.
- `log_level`: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full. default is :low.
- `log_level`: UFW only. Level of verbosity the firewall should log at. valid values are: :low, :medium, :high, :full, :off. default is :low.
- `rules`: This is used internally for firewall_rule resources to append their rules. You should NOT touch this value unless you plan to supply an entire firewall ruleset at once, and skip using firewall_rule resources.
- `disabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be disabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:public.`
- `enabled_zone` (firewalld only): The zone to set on firewalld when the firewall should be enabled. Can be any string in symbol form, e.g. :public, :drop, etc. Defaults to `:drop.`
- `package_options`: Used to pass options to the package install of firewall
#### Examples

8
cookbooks/firewall/attributes/windows.rb Normal file
View File

@@ -0,0 +1,8 @@
# Windows platform defult settings: block undefined inbould traffic, allow all outgoing traffic
default['firewall']['windows']['defaults'] = {
policy: {
input: 'blockinbound',
output: 'allowoutbound'
}
}

13
cookbooks/firewall/libraries/helpers.rb
View File

@@ -78,8 +78,9 @@ module FirewallCookbook
contents << "# position #{sorted_value}"
rules.each do |k, v|
next unless v == sorted_value
contents << if k.start_with?('COMMIT')
'COMMIT'
contents << if repeatable_directives(k)
k[/[^_]+/]
else
k
end
@@ -87,5 +88,13 @@ module FirewallCookbook
end
"#{contents.join("\n")}\n"
end
def repeatable_directives(s)
%w(:OUTPUT :INPUT :POSTROUTING :PREROUTING COMMIT).each do |special|
return true if s.start_with?(special)
end
false
end
end
end

10
cookbooks/firewall/libraries/helpers_firewalld.rb
View File

@@ -18,11 +18,15 @@ module FirewallCookbook
end
def firewalld_default_zone?(z)
raise false unless firewalld_active?
cmd = shell_out('firewall-cmd', '--get-default-zone')
cmd.stdout =~ /^#{z.to_s}$/
end
def firewalld_default_zone!(z)
raise 'firewall not active' unless firewalld_active?
shell_out!('firewall-cmd', "--set-default-zone=#{z}")
end
@@ -31,6 +35,8 @@ module FirewallCookbook
end
def firewalld_flush!
raise 'firewall not active' unless firewalld_active?
shell_out!('firewall-cmd', '--direct', '--remove-rules', 'ipv4', 'filter', 'INPUT')
shell_out!('firewall-cmd', '--direct', '--remove-rules', 'ipv4', 'filter', 'OUTPUT')
shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'INPUT')
@@ -38,12 +44,16 @@ module FirewallCookbook
end
def firewalld_all_rules_permanent!
raise 'firewall not active' unless firewalld_active?
rules = shell_out!('firewall-cmd', '--direct', '--get-all-rules').stdout
perm_rules = shell_out!('firewall-cmd', '--direct', '--permanent', '--get-all-rules').stdout
rules == perm_rules
end
def firewalld_save!
raise 'firewall not active' unless firewalld_active?
shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'INPUT')
shell_out!('firewall-cmd', '--direct', '--permanent', '--remove-rules', 'ipv4', 'filter', 'OUTPUT')
shell_out!('firewall-cmd', '--direct', '--get-all-rules').stdout.lines do |line|

15
cookbooks/firewall/libraries/helpers_iptables.rb
View File

@@ -49,11 +49,18 @@ module FirewallCookbook
end
def iptables_packages(new_resource)
if ipv6_enabled?(new_resource)
%w(iptables iptables-ipv6)
else
%w(iptables)
packages = if ipv6_enabled?(new_resource)
%w(iptables iptables-ipv6)
else
%w(iptables)
end
# centos 7 requires extra service
if !ubuntu?(node) && node['platform_version'].to_i >= 7
packages << %w(iptables-services)
end
packages.flatten
end
def iptables_commands(new_resource)

10
cookbooks/firewall/libraries/helpers_ufw.rb
View File

@@ -46,7 +46,7 @@ module FirewallCookbook
end
# if we don't do this, ufw will fail as it does not support protocol numbers, so we'll only allow it to run if specifying icmp/tcp/udp protocol types
if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|icmp)$')
if new_resource.protocol && !new_resource.protocol.to_s.downcase.match('^(tcp|udp|icmp|esp|ah|ipv6|none)$')
msg = ''
msg << "firewall_rule[#{new_resource.name}] was asked to "
msg << "#{new_resource.command} a rule using protocol #{new_resource.protocol} "
@@ -74,7 +74,13 @@ module FirewallCookbook
rule << rule_proto(new_resource)
rule << rule_dest_port(new_resource)
rule << rule_source_port(new_resource)
rule.strip
rule = rule.strip
if rule == 'ufw allow in proto tcp to any from any'
Chef::Log.warn("firewall_rule[#{new_resource.name}] produced a rule that opens all traffic. This may be a logic error in your cookbook.")
end
rule
end
def rule_interface(new_resource)

4
cookbooks/firewall/libraries/helpers_windows.rb
View File

@@ -60,7 +60,7 @@ module FirewallCookbook
parameters['dir'] = new_resource.direction
new_resource.program && parameters['program'] = new_resource.program
parameters['service'] = new_resource.service ? new_resource.service : 'any'
new_resource.service && parameters['service'] = new_resource.service
parameters['protocol'] = new_resource.protocol
if new_resource.direction.to_sym == :out
@@ -68,7 +68,7 @@ module FirewallCookbook
parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
parameters['interfacetype'] = new_resource.interface ? new_resource.interface : 'any'
parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
parameters['remoteport'] = port_to_s(new_resource.dest_port) ? new_resource.dest_port : 'any'
parameters['remoteport'] = new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any'
else
parameters['localip'] = new_resource.destination ? new_resource.destination : 'any'
parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'

22
cookbooks/firewall/libraries/provider_firewall_firewalld.rb
View File

@@ -1,6 +1,6 @@
#
# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
# Cookbook Name:: firewall
# Cookbook:: firewall
# Resource:: default
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,6 +33,7 @@ class Chef
converge_by('install firewalld, create template for /etc/sysconfig') do
package 'firewalld' do
action :install
options new_resource.package_options
end
service 'firewalld' do
@@ -88,9 +89,13 @@ class Chef
firewalld_file.content build_rule_file(new_resource.rules['firewalld'])
firewalld_file.run_action(:create)
# ensure the service is running
service 'firewalld' do
action [:enable, :start]
# ensure the service is running without waiting.
firewall_service = service 'firewalld' do
action :nothing
end
[:enable, :start].each do |a|
firewall_service.run_action(a)
new_resource.updated_by_last_action(firewall_service.updated_by_last_action?)
end
# mark updated if we changed the zone
@@ -115,9 +120,11 @@ class Chef
action :disable do
next if disabled?(new_resource)
firewalld_flush!
firewalld_default_zone!(new_resource.disabled_zone)
new_resource.updated_by_last_action(true)
if firewalld_active?
firewalld_flush!
firewalld_default_zone!(new_resource.disabled_zone)
new_resource.updated_by_last_action(true)
end
service 'firewalld' do
action [:disable, :stop]
@@ -132,6 +139,7 @@ class Chef
action :flush do
next if disabled?(new_resource)
next unless firewalld_active?
firewalld_flush!
new_resource.updated_by_last_action(true)

4
cookbooks/firewall/libraries/provider_firewall_iptables.rb
View File

@@ -1,9 +1,9 @@
#
# Author:: Seth Chisamore (<schisamo@opscode.com>)
# Cookbook Name:: firewall
# Cookbook:: firewall
# Resource:: default
#
# Copyright:: 2011, Opscode, Inc.
# Copyright:: 2011-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

26
cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
View File

@@ -1,9 +1,9 @@
#
# Author:: Seth Chisamore (<schisamo@opscode.com>)
# Cookbook Name:: firewall
# Cookbook:: firewall
# Resource:: default
#
# Copyright:: 2011, Opscode, Inc.
# Copyright:: 2011-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -23,7 +23,7 @@ class Chef
include FirewallCookbook::Helpers::Iptables
provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
node['firewall'] && node['firewall']['ubuntu_iptables']
node['platform_version'].to_f > 14.04 && node['firewall'] && node['firewall']['ubuntu_iptables']
end
def whyrun_supported?
@@ -41,7 +41,9 @@ class Chef
end
end
%w(rules.v4 rules.v6).each do |svc|
rule_files = %w(rules.v4)
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
rule_files.each do |svc|
# must create empty file for service to start
file "create empty /etc/iptables/#{svc}" do
path "/etc/iptables/#{svc}"
@@ -50,8 +52,9 @@ class Chef
end
end
service 'iptables-persistent' do
service 'netfilter-persistent' do
action [:enable, :start]
status_command 'true' # netfilter-persistent isn't a real service
end
end
end
@@ -90,7 +93,10 @@ class Chef
end
end
%w(iptables ip6tables).each do |iptables_type|
rule_files = %w(iptables)
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
rule_files.each do |iptables_type|
iptables_filename = if iptables_type == 'ip6tables'
'/etc/iptables/rules.v6'
else
@@ -110,7 +116,7 @@ class Chef
# if the file was changed, restart iptables
next unless iptables_file.updated_by_last_action?
service_affected = service 'iptables-persistent' do
service_affected = service 'netfilter-persistent' do
action :nothing
end
@@ -126,7 +132,7 @@ class Chef
iptables_default_allow!(new_resource)
new_resource.updated_by_last_action(true)
service 'iptables-persistent' do
service 'netfilter-persistent' do
action [:disable, :stop]
end
@@ -146,7 +152,9 @@ class Chef
iptables_flush!(new_resource)
new_resource.updated_by_last_action(true)
%w(rules.v4 rules.v6).each do |svc|
rule_files = %w(rules.v4)
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
rule_files.each do |svc|
# must create empty file for service to start
file "create empty /etc/iptables/#{svc}" do
path "/etc/iptables/#{svc}"

166
cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb Normal file
View File

@@ -0,0 +1,166 @@
#
# Author:: Seth Chisamore (<schisamo@opscode.com>)
# Cookbook Name:: firewall
# Resource:: default
#
# Copyright:: 2011, Opscode, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
class Chef
class Provider::FirewallIptablesUbuntu1404 < Chef::Provider::LWRPBase
include FirewallCookbook::Helpers
include FirewallCookbook::Helpers::Iptables
provides :firewall, os: 'linux', platform_family: %w(debian) do |node|
node['platform_version'].to_f <= 14.04 && node['firewall'] && node['firewall']['ubuntu_iptables']
end
def whyrun_supported?
false
end
action :install do
next if disabled?(new_resource)
converge_by('install iptables and enable/start services') do
# Can't pass an array without breaking chef 11 support
%w(iptables-persistent).each do |p|
package p do
action :install
end
end
rule_files = %w(rules.v4)
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
rule_files.each do |svc|
# must create empty file for service to start
file "create empty /etc/iptables/#{svc}" do
path "/etc/iptables/#{svc}"
content '# created by chef to allow service to start'
not_if { ::File.exist?("/etc/iptables/#{svc}") }
end
end
service 'iptables-persistent' do
action [:enable, :start]
status_command 'true' # iptables-persistent isn't a real service
end
end
end
action :restart do
next if disabled?(new_resource)
# prints all the firewall rules
log_iptables(new_resource)
# ensure it's initialized
new_resource.rules({}) unless new_resource.rules
ensure_default_rules_exist(node, new_resource)
# this populates the hash of rules from firewall_rule resources
firewall_rules = run_context.resource_collection.select { |item| item.is_a?(Chef::Resource::FirewallRule) }
firewall_rules.each do |firewall_rule|
next unless firewall_rule.action.include?(:create) && !firewall_rule.should_skip?(:create)
types = if ipv6_rule?(firewall_rule) # an ip4 specific rule
%w(ip6tables)
elsif ipv4_rule?(firewall_rule) # an ip6 specific rule
%w(iptables)
else # or not specific
%w(iptables ip6tables)
end
types.each do |iptables_type|
# build rules to apply with weight
k = build_firewall_rule(node, firewall_rule, iptables_type == 'ip6tables')
v = firewall_rule.position
# unless we're adding them for the first time.... bail out.
next if new_resource.rules[iptables_type].key?(k) && new_resource.rules[iptables_type][k] == v
new_resource.rules[iptables_type][k] = v
end
end
rule_files = %w(iptables)
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
rule_files.each do |iptables_type|
iptables_filename = if iptables_type == 'ip6tables'
'/etc/iptables/rules.v6'
else
'/etc/iptables/rules.v4'
end
# ensure a file resource exists with the current iptables rules
begin
iptables_file = run_context.resource_collection.find(file: iptables_filename)
rescue
iptables_file = file iptables_filename do
action :nothing
end
end
iptables_file.content build_rule_file(new_resource.rules[iptables_type])
iptables_file.run_action(:create)
# if the file was changed, restart iptables
next unless iptables_file.updated_by_last_action?
service_affected = service 'iptables-persistent' do
action :nothing
end
new_resource.notifies(:restart, service_affected, :delayed)
new_resource.updated_by_last_action(true)
end
end
action :disable do
next if disabled?(new_resource)
iptables_flush!(new_resource)
iptables_default_allow!(new_resource)
new_resource.updated_by_last_action(true)
service 'iptables-persistent' do
action [:disable, :stop]
end
%w(rules.v4 rules.v6).each do |svc|
# must create empty file for service to start
file "create empty /etc/iptables/#{svc}" do
path "/etc/iptables/#{svc}"
content '# created by chef to allow service to start'
action :create
end
end
end
action :flush do
next if disabled?(new_resource)
iptables_flush!(new_resource)
new_resource.updated_by_last_action(true)
rule_files = %w(rules.v4)
rule_files << 'rules.v6' if ipv6_enabled?(new_resource)
rule_files.each do |svc|
# must create empty file for service to start
file "create empty /etc/iptables/#{svc}" do
path "/etc/iptables/#{svc}"
content '# created by chef to allow service to start'
end
end
end
end
end

16
cookbooks/firewall/libraries/provider_firewall_rule.rb
View File

@@ -1,9 +1,9 @@
#
# Author:: Ronald Doorn (<rdoorn@schubergphilis.com>)
# Cookbook Name:: firewall
# Cookbook:: firewall
# Provider:: rule_iptables
#
# Copyright 2015, computerlyrik
# Copyright:: 2015-2016, computerlyrik
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,13 +22,13 @@ class Chef
provides :firewall_rule
action :create do
return unless new_resource.notify_firewall
if new_resource.notify_firewall
firewall_resource = run_context.resource_collection.find(firewall: new_resource.firewall_name)
raise 'could not find a firewall resource' unless firewall_resource
firewall_resource = run_context.resource_collection.find(firewall: new_resource.firewall_name)
raise 'could not find a firewall resource' unless firewall_resource
new_resource.notifies(:restart, firewall_resource, :delayed)
new_resource.updated_by_last_action(true)
new_resource.notifies(:restart, firewall_resource, :delayed)
new_resource.updated_by_last_action(true)
end
end
end
end

4
cookbooks/firewall/libraries/provider_firewall_ufw.rb
View File

@@ -1,9 +1,9 @@
#
# Author:: Seth Chisamore (<schisamo@opscode.com>)
# Cookbook Name:: firewall
# Cookbook:: firewall
# Resource:: default
#
# Copyright:: 2011, Opscode, Inc.
# Copyright:: 2011-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

46
cookbooks/firewall/libraries/provider_firewall_windows.rb
View File

@@ -1,6 +1,6 @@
#
# Author:: Sander van Harmelen (<svanharmelen@schubergphilis.com>)
# Cookbook Name:: firewall
# Cookbook:: firewall
# Provider:: windows
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -29,10 +29,13 @@ class Chef
action :install do
next if disabled?(new_resource)
converge_by('enable and start Windows Firewall service') do
service 'MpsSvc' do
action [:enable, :start]
end
svc = service 'MpsSvc' do
action :nothing
end
[:enable, :start].each do |act|
svc.run_action(act)
new_resource.updated_by_last_action(true) if svc.updated_by_last_action?
end
end
@@ -57,6 +60,13 @@ class Chef
end
end
input_policy = node['firewall']['windows']['defaults']['policy']['input']
output_policy = node['firewall']['windows']['defaults']['policy']['output']
unless new_resource.rules['windows'].key?("set currentprofile firewallpolicy #{input_policy},#{output_policy}")
# Make this the possible last rule in the list
new_resource.rules['windows']["set currentprofile firewallpolicy #{input_policy},#{output_policy}"] = 99999
end
# ensure a file resource exists with the current rules
begin
windows_file = run_context.resource_collection.find(file: windows_rules_filename)
@@ -87,18 +97,21 @@ class Chef
action :disable do
next if disabled?(new_resource)
converge_by('disable and stop Windows Firewall service') do
if active?
disable!
Chef::Log.info("#{new_resource} disabled.")
new_resource.updated_by_last_action(true)
else
Chef::Log.debug("#{new_resource} already disabled.")
end
if active?
disable!
Chef::Log.info("#{new_resource} disabled.")
new_resource.updated_by_last_action(true)
else
Chef::Log.debug("#{new_resource} already disabled.")
end
service 'MpsSvc' do
action [:disable, :stop]
end
svc = service 'MpsSvc' do
action :nothing
end
[:disable, :stop].each do |act|
svc.run_action(act)
new_resource.updated_by_last_action(true) if svc.updated_by_last_action?
end
end
@@ -107,6 +120,7 @@ class Chef
reset!
Chef::Log.info("#{new_resource} reset.")
new_resource.updated_by_last_action(true)
end
end
end

5
cookbooks/firewall/libraries/resource_firewall.rb
View File

@@ -10,7 +10,7 @@ class Chef
attribute(:disabled, kind_of: [TrueClass, FalseClass], default: false)
attribute(:enabled, kind_of: [TrueClass, FalseClass], default: true)
attribute(:log_level, kind_of: Symbol, equal_to: [:low, :medium, :high, :full], default: :low)
attribute(:log_level, kind_of: Symbol, equal_to: [:low, :medium, :high, :full, :off], default: :low)
attribute(:rules, kind_of: Hash)
# for firewalld, specify the zone when firewall is disable and enabled
@@ -19,5 +19,8 @@ class Chef
# for firewall implementations where ipv6 can be skipped (currently iptables-specific)
attribute(:ipv6_enabled, kind_of: [TrueClass, FalseClass], default: true)
# allow override of package options for firewalld package
attribute(:package_options, kind_of: String, default: nil)
end
end

6
cookbooks/firewall/libraries/resource_firewall_rule.rb
View File

@@ -15,10 +15,8 @@ class Chef
attribute(:protocol, kind_of: [Integer, Symbol], default: :tcp,
callbacks: { 'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
!!(p.to_s =~ /(udp|tcp|icmp|icmpv6|ipv6-icmp|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142)))
end
}
)
!!(p.to_s =~ /(udp|tcp|icmp|icmpv6|ipv6-icmp|esp|ah|ipv6|none)/ || (p.to_s =~ /^\d+$/ && p.between?(0, 142)))
end })
attribute(:direction, kind_of: Symbol, equal_to: [:in, :out, :pre, :post], default: :in)
attribute(:logging, kind_of: Symbol, equal_to: [:connections, :packets])

2
cookbooks/firewall/metadata.json
View File

File diff suppressed because one or more lines are too long

4
cookbooks/firewall/recipes/default.rb
View File

@@ -1,8 +1,8 @@
#
# Cookbook Name:: firewall
# Cookbook:: firewall
# Recipe:: default
#
# Copyright 2011, Opscode, Inc.
# Copyright:: 2011-2016, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.