From 47ce1ecd37ad8b4d7b045616a6501d4ba5b1504b Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 17:56:45 +0000 Subject: [PATCH 01/21] Remove legacy code Signed-off-by: Ben Hughes --- attributes/default.rb | 39 ---------------- kitchen.yml | 35 -------------- resources/chain6.rb | 55 ---------------------- resources/rule6.rb | 106 ------------------------------------------ 4 files changed, 235 deletions(-) delete mode 100644 attributes/default.rb delete mode 100644 resources/chain6.rb delete mode 100644 resources/rule6.rb diff --git a/attributes/default.rb b/attributes/default.rb deleted file mode 100644 index fca769e..0000000 --- a/attributes/default.rb +++ /dev/null 
@@ -1,39 +0,0 @@ -# -# Cookbook:: iptables -# Attribute:: default -# -# Copyright:: 2016-2019, Chef Software, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -default['iptables']['iptables_sysconfig'] = { - 'IPTABLES_MODULES' => '', - 'IPTABLES_MODULES_UNLOAD' => 'no', - 'IPTABLES_SAVE_ON_STOP' => 'no', - 'IPTABLES_SAVE_ON_RESTART' => 'no', - 'IPTABLES_SAVE_COUNTER' => 'no', - 'IPTABLES_STATUS_NUMERIC' => 'yes', - 'IPTABLES_STATUS_VERBOSE' => 'no', - 'IPTABLES_STATUS_LINENUMBERS' => 'yes', -} -default['iptables']['ip6tables_sysconfig'] = { - 'IP6TABLES_MODULES' => '', - 'IP6TABLES_MODULES_UNLOAD' => 'no', - 'IP6TABLES_SAVE_ON_STOP' => 'no', - 'IP6TABLES_SAVE_ON_RESTART' => 'no', - 'IP6TABLES_SAVE_COUNTER' => 'no', - 'IP6TABLES_STATUS_NUMERIC' => 'yes', - 'IP6TABLES_STATUS_VERBOSE' => 'no', - 'IP6TABLES_STATUS_LINENUMBERS' => 'yes', -} diff --git a/kitchen.yml b/kitchen.yml index 45bbf01..45134eb 100644 --- a/kitchen.yml +++ b/kitchen.yml 
@@ -25,41 +25,6 @@ platforms: - name: ubuntu-18.04 suites: - # - name: default - # run_list: - # - recipe[test::default] - # attributes: - # iptables: - # iptables_sysconfig: - # IPTABLES_STATUS_VERBOSE: 'yes' - # ip6tables_sysconfig: - # IPTABLES_STATUS_VERBOSE: 'yes' - - - # - name: disabled - # run_list: - # - recipe[iptables::disabled] - - # - name: no_template - # run_list: - # - recipe[test::no_template] - # attributes: - # iptables: - # iptables_sysconfig: - # IPTABLES_STATUS_VERBOSE: 'yes' - # ip6tables_sysconfig: - # IPTABLES_STATUS_VERBOSE: 'yes' - - # - name: nested - # run_list: - # - recipe[test::nested] - # attributes: - # iptables: - # iptables_sysconfig: - # IPTABLES_STATUS_VERBOSE: 'yes' - # ip6tables_sysconfig: - # IPTABLES_STATUS_VERBOSE: 'yes' - - name: all-tables run_list: - recipe[test::all-tables] diff --git a/resources/chain6.rb b/resources/chain6.rb deleted file mode 100644 index c2831a4..0000000 --- a/resources/chain6.rb +++ /dev/null 
@@ -1,55 +0,0 @@ -unified_mode true - -include Iptables::Cookbook::Helpers - -property :table, [Symbol, String], - equal_to: [:filter, :mangle, :nat, :raw, :security, 'filter', 'mangle', 'nat', 'raw', 'security'], - default: :filter, - description: 'The table the chain should exist on' - -property :chain, [Symbol, String], - description: 'The name of the Chain' - -property :value, String, - default: 'ACCEPT [0:0]', - description: 'The default action and the Packets : Bytes count' - -property :ip_version, Symbol, - equal_to: %i(ipv4 ipv6), - default: :ipv6, - description: 'The IP version, 4 or 6' - -property :file_mode, String, - default: '0644', - description: 'Permissions on the saved output file' - -property :source_template, String, - default: 'iptables.erb', - description: 'Source template to use to create the rules' - -property :cookbook, String, - default: 'iptables', - description: 'Source cookbook to find the template in' - -property :sensitive, [true, false], - default: false, - description: 'mark the resource as senstive' - -property :config_file, String, - default: lazy { default_iptables_rules_file(ip_version) }, - description: 'The full path to find the rules on disk' - -action :create do - Chef::Log.warn('iptables_chain6 is deprecated, please use the normal iptable_chain with property ip_version set to :ipv6') - iptables_chain new_resource.name do - table new_resource.table - chain new_resource.chain - value new_resource.value - ip_version new_resource.ip_version - file_mode new_resource.file_mode - source_template new_resource.source_template - cookbook new_resource.cookbook - sensitive new_resource.sensitive - config_file new_resource.config_file - end -end diff --git a/resources/rule6.rb b/resources/rule6.rb deleted file mode 100644 index 3861f92..0000000 --- a/resources/rule6.rb +++ /dev/null 
@@ -1,106 +0,0 @@ -unified_mode true - -include Iptables::Cookbook::Helpers - -property :table, [Symbol, String], - equal_to: [:filter, :mangle, :nat, :raw, :security, 'filter', 'mangle', 'nat', 'raw', 'security'], - default: :filter, - description: 'The table the chain exists on for the rule' - -property :chain, [Symbol, String], - description: 'The name of the Chain to put this rule on' - -property :ip_version, [Symbol, String], - equal_to: [:ipv4, :ipv6, 'ipv4', 'ipv6'], - default: :ipv6, - description: 'The IP version, 4 or 6' - -property :protocol, [Symbol, String, Integer], #--protocol (-p) - description: 'The protocol of the rule or of the packet to check. The specified protocol can be one of :tcp, :udp, :icmp, or :all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. ' - -property :match, String, # --match (-m) - description: 'extended packet matching module to use' - -property :source, String, # --source (-s) - description: "Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A \"!\" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. 
" - -property :destination, String, # --destination (-d) - description: "Destination specification, Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A \"!\" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option." - -property :jump, String, # --jump (-j) - description: "This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and goto is not used), then matching the rule will have no effect on the packet\'s fate, but the counters on the rule will be incremented." - -property :go_to, String, # --goto (-g) - description: 'This specifies that the processing should continue in a user specified chain. Unlike the --jump option return will not continue processing in this chain but instead in the chain that called us via --jump.' - -property :in_interface, String, # --in-interface (-i) - description: 'Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. 
' - -property :out_interface, String, # --out-interface (-o) - description: 'Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. ' - -property :fragment, String, # --fragment (-f) - description: 'Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. ' - -property :line_number, Integer, - callbacks: { - 'should be a number greater than 0' => lambda { |p| - p > 1024 - }, - }, - description: 'The location to insert the rule into for the chain' - -property :line, String, - description: 'Specify the entire line yourself, overrides all other options' - -property :extra_options, String, - description: 'Pass in extra arguments which are not available directly, useful with modules' -### Section here is for the accumalator pattern -property :file_mode, String, - default: '0644', - description: 'Permissions on the saved output file' - -property :source_template, String, - default: 'iptables.erb', - description: 'Source template to use to create the rules' - -property :cookbook, String, - default: 'iptables', - description: 'Source cookbook to find the template in' - -property :sensitive, [true, false], - default: false, - description: 'mark the resource as senstive' - -property :config_file, String, - default: lazy { default_iptables_rules_file(ip_version) }, - description: 'The full path to find the rules on disk' - -deprecated_property_alias 'target', 'jump', 'The 
target property was renamed jump in 7.0.0 and will be removed in 8.0.0' - -action :create do - Chef::Log.warn('iptables_rule6 is deprecated, please use the normal iptable_rule with property ip_version set to :ipv6') - iptables_rule new_resource.name do - table new_resource.table - chain new_resource.chain - ip_version new_resource.ip_version - protocol new_resource.protocol - match new_resource.match - source new_resource.source - destination new_resource.destination - target new_resource.target - jump new_resource.jump - go_to new_resource.go_to - in_interface new_resource.in_interface - out_interface new_resource.out_interface - fragment new_resource.fragment - line_number new_resource.line_number - line new_resource.line - extra_options new_resource.extra_options - file_mode new_resource.file_mode - source_template new_resource.source_template - cookbook new_resource.cookbook - sensitive new_resource.sensitive - config_file new_resource.config_file - end -end From e549b4ad5980d017879ec7cd7b3f2b2899952bbd Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 17:57:19 +0000 Subject: [PATCH 02/21] Switch CentOS 8 testing to centos-stream-8 dokken Service detection is broken with the centos-8 container due to the systemd/kernel version mismatch bug. Signed-off-by: Ben Hughes --- kitchen.dokken.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index 6718a9f..a2e1c59 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -45,7 +45,7 @@ platforms: - name: centos-8 driver: - image: dokken/centos-8 + image: dokken/centos-stream-8 pid_one_command: /usr/lib/systemd/systemd - name: fedora-latest From 3156e49b868a7e51a717896f4c4f421afa4363c4 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 17:59:32 +0000 Subject: [PATCH 03/21] Refactor rule and chain resources 
Signed-off-by: Ben Hughes --- libraries/helpers.rb | 33 ++---- libraries/resource.rb | 98 ++++++++++++++++++ libraries/template.rb | 28 +++++ resources/chain.rb | 96 ++++++++--------- resources/rule.rb | 155 +++++++++++----------------- templates/default/iptables.erb | 23 ++--- templates/default/iptables_load.erb | 5 + 7 files changed, 252 insertions(+), 186 deletions(-) create mode 100644 libraries/resource.rb create mode 100644 libraries/template.rb diff --git a/libraries/helpers.rb b/libraries/helpers.rb index ea5d07e..c4d4260 100644 --- a/libraries/helpers.rb +++ b/libraries/helpers.rb @@ -1,6 +1,6 @@ # # Cookbook:: iptables -# Library:: chain +# Library:: helpers # # Copyright:: 2019, Chef Software, Inc. # @@ -20,9 +20,11 @@ module Iptables module Cookbook module Helpers - def get_service_name(ip_version) - # This function will return the service name - # for the given ip version + IPTABLES_TABLE_NAMES ||= %i(filter mangle nat raw security).freeze + + def default_service_name(ip_version) + return 'netfilter-persistent' if platform_family?('debian') + case ip_version when :ipv4 'iptables' @@ -33,9 +35,7 @@ def get_service_name(ip_version) end end - def get_sysconfig_path(ip_version) - # This function will return the sysconfig path - # for the given ip version + def default_sysconfig_path(ip_version) case ip_version when :ipv4 '/etc/sysconfig/iptables-config' @@ -46,9 +46,7 @@ def get_sysconfig_path(ip_version) end end - def get_sysconfig(ip_version) - # This function will return the sysconfig settings - # for the given ip version + def default_sysconfig(ip_version) case ip_version when :ipv4 { @@ -78,7 +76,6 @@ def get_sysconfig(ip_version) end def package_names - # This function will return all package names case node['platform_family'] when 'rhel' if node['platform_version'].to_i < 7 
@@ -95,16 +92,7 @@ def package_names end end - def convert_to_symbol_and_mark_deprecated(parameter_name, parameter_value) - if parameter_value.class == 'String' - Chef::Log.warn("Property #{parameter_name} should be a symbol, the property will no longer accept Strings in the next major version (8.0.0)") - end - parameter_value.to_sym - end - def default_iptables_rules_file(ip_version) - # This function will look at the node platform - # and return the correct file on disk location for the config file case ip_version when :ipv4 case node['platform_family'] @@ -125,10 +113,7 @@ def default_iptables_rules_file(ip_version) end end - def get_default_chains_for_table(table_name) - # This function will take in a table and look for default chains - # that should exist for that table, it will then return a structured hash - # of those chains + def default_chains_for_table(table_name) case table_name when :filter { diff --git a/libraries/resource.rb b/libraries/resource.rb new file mode 100644 index 0000000..c493b51 --- /dev/null +++ b/libraries/resource.rb 
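Review bot: The `get_service_name`, `get_sysconfig_path`, `get_sysconfig` and `get_default_chains_for_table` helpers are renamed to `default_*` and `convert_to_symbol_and_mark_deprecated` is removed outright, with no alias or deprecation warning, so any wrapper cookbook that reaches into `Iptables::Cookbook::Helpers` will now fail with NoMethodError. If this series is a major version bump that is acceptable but should be called out in the changelog; otherwise keeping the old names for one release is cheap, e.g. `alias_method :get_service_name, :default_service_name` next to each definition. The new `IPTABLES_TABLE_NAMES ||= %i(...).freeze` reads like a typo to anyone not used to Chef library reloading, so I would annotate it: `# ||= rather than = so a library reload does not warn about an already-initialised constant` (presumably the reason; confirm). Several of these hunks cut through method bodies whose remaining lines are not visible here.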
@@ -0,0 +1,98 @@ +# +# Cookbook:: iptables +# Library:: resource +# +# Copyright:: 2019, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require_relative 'template' + +module Iptables + module Cookbook + module ResourceHelpers + include Iptables::Cookbook::TemplateHelpers + + IPTABLES_RULE_PROPERTIES ||= { + chain: '-A', + protocol: '-p', + match: '-m', + source: '-s', + destination: '-d', + jump: '-j', + go_to: '-g', + in_interface: '-i', + out_interface: '-o', + fragment: '-f', + comment: '-m comment --comment', + extra_options: nil, + }.freeze + + def rulefile_resource_init + rulefile_resource_create unless rulefile_resource_exist? + end + + def rulefile_resource + return false unless rulefile_resource_exist? + + find_resource(:template, new_resource.config_file) + end + + def rule_builder + return new_resource.line unless nil_or_empty?(new_resource.line) + + IPTABLES_RULE_PROPERTIES.map do |property, prefix| + next if nil_or_empty?(new_resource.send(property)) + + nil_or_empty?(prefix) ? new_resource.send(property) : "#{prefix} #{new_resource.send(property)}" + end.compact.join(' ') + end + + private + + def rulefile_resource_exist? + !find_resource(:template, new_resource.config_file).nil? 
+ rescue Chef::Exceptions::ResourceNotFound + false + end + + def rulefile_resource_create + with_run_context(:root) do + edit_resource(:template, new_resource.config_file) do |new_resource| + owner new_resource.owner + group new_resource.group + mode new_resource.mode + + source new_resource.template + cookbook new_resource.cookbook + sensitive new_resource.sensitive + + variables[:iptables] ||= {} + + Iptables::Cookbook::Helpers::IPTABLES_TABLE_NAMES.each do |table| + variables[:iptables][table] ||= {} + variables[:iptables][table][:chains] ||= default_chains_for_table(table) + variables[:iptables][table][:rules] ||= [] + end + + helpers(Iptables::Cookbook::TemplateHelpers) + + action :nothing + delayed_action :create + end + end + end + end + end +end diff --git a/libraries/template.rb b/libraries/template.rb new file mode 100644 index 0000000..800fc54 --- /dev/null +++ b/libraries/template.rb @@ -0,0 +1,28 @@ +# +# Cookbook:: iptables +# Library:: template +# +# Copyright:: 2019, Chef Software, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +module Iptables + module Cookbook + module TemplateHelpers + def nil_or_empty?(v) + v.nil? || (v.respond_to?(:empty?) && v.empty?) + end + end + end +end diff --git a/resources/chain.rb b/resources/chain.rb index 547b8ff..4761262 100644 --- a/resources/chain.rb +++ b/resources/chain.rb 
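Review bot: `rule_builder` concatenates every property value verbatim and `iptables.erb` writes the result as a single line of the iptables-restore file, so a value containing a newline — a `source`, `extra_options`, `comment` or `line` fed from a node attribute or data bag — becomes additional restore lines (extra `-A` rules, or a premature `COMMIT`) that nothing on the new side rejects. I would fail fast in the builder rather than let iptables-restore load an injected ruleset; the rewrite below keeps the output byte-identical for well-formed input and only adds the check. Quoting of `comment` lives in rule.rb and is a separate issue. The builder also calls `new_resource.send(property)` twice per property; binding the value once avoids re-evaluating a `lazy` default.
```ruby
def rule_builder
  rule = if nil_or_empty?(new_resource.line)
           IPTABLES_RULE_PROPERTIES.map do |property, prefix|
             value = new_resource.send(property)
             next if nil_or_empty?(value)

             nil_or_empty?(prefix) ? value : "#{prefix} #{value}"
           end.compact.join(' ')
         else
           new_resource.line
         end

  # One rule per line in the restore file: an embedded newline would become a second rule or a COMMIT.
  if rule.match?(/[\r\n]/)
    raise Chef::Exceptions::ValidationFailed, "iptables rule must be a single line, got #{rule.inspect}"
  end

  rule
end
```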
@@ -2,73 +2,65 @@ include Iptables::Cookbook::Helpers -property :table, [Symbol, String], - equal_to: [:filter, :mangle, :nat, :raw, :security, 'filter', 'mangle', 'nat', 'raw', 'security'], - default: :filter, - description: 'The table the chain should exist on' - -property :chain, [Symbol, String], - description: 'The name of the Chain' - -property :value, String, - default: 'ACCEPT [0:0]', - description: 'The default action and the Packets : Bytes count' +property :config_file, String, + default: lazy { default_iptables_rules_file(ip_version) }, + description: 'The full path to find the rules on disk' -property :ip_version, Symbol, - equal_to: %i(ipv4 ipv6), - default: :ipv4, - description: 'The IP version, 4 or 6' +property :owner, String, + default: 'root', + description: 'Permissions on the saved output file' -property :file_mode, String, - default: '0644', +property :group, String, + default: 'root', description: 'Permissions on the saved output file' -property :source_template, String, - default: 'iptables.erb', - description: 'Source template to use to create the rules' +property :mode, String, + default: '0600', + description: 'Permissions on the saved output file' property :cookbook, String, default: 'iptables', description: 'Source cookbook to find the template in' +property :template, String, + default: 'iptables.erb', + description: 'Source template to use to create the rules' + property :sensitive, [true, false], - default: false, - description: 'mark the resource as senstive' + default: true, + description: 'Mark the resource as senstive' -property :config_file, String, - default: lazy { default_iptables_rules_file(ip_version) }, - description: 'The full path to find the rules on disk' +property :ip_version, [Symbol, String], + coerce: proc { |p| p.to_sym }, + equal_to: %i(ipv4 ipv6), + default: :ipv4, + description: 'The IP version, 4 or 6' -action :create do - # We are using the accumalator pattern here - # This is as we are managing a single 
config file but using multiple - # resouces to allow a cleaner api for the end user - # Note, this will only ever go as a file on disk at the end of a chef run - table = convert_to_symbol_and_mark_deprecated('table', new_resource.table) if new_resource.table - chain = convert_to_symbol_and_mark_deprecated('chain', new_resource.chain) if new_resource.chain +property :table, [Symbol, String], + coerce: proc { |p| p.to_sym }, + equal_to: Iptables::Cookbook::Helpers::IPTABLES_TABLE_NAMES, + required: true, + description: 'The table the chain should exist on' - table_name = table.to_s - with_run_context :root do - edit_resource(:template, new_resource.config_file) do |new_resource| - source new_resource.source_template - cookbook new_resource.cookbook - sensitive new_resource.sensitive - mode new_resource.file_mode +property :chain, [Symbol, String], + coerce: proc { |p| p.to_sym }, + description: 'The name of the Chain' - variables['iptables'] ||= {} - # We have to make sure default exists, so this is a hack to do that ... 
- variables['iptables']['filter'] ||= {} - variables['iptables']['filter']['chains'] ||= {} - variables['iptables']['filter']['chains'] = get_default_chains_for_table(:filter) if variables['iptables']['filter']['chains'] == {} +property :value, String, + default: 'ACCEPT [0:0]', + description: 'The default action and the Packets : Bytes count' - variables['iptables'][table_name] ||= {} - variables['iptables'][table_name]['chains'] ||= {} - variables['iptables'][table_name]['chains'] = get_default_chains_for_table(table) if variables['iptables'][table_name]['chains'] == {} +action_class do + include Iptables::Cookbook::ResourceHelpers + include Iptables::Cookbook::TemplateHelpers +end - variables['iptables'][table_name]['chains'][chain] = new_resource.value if new_resource.chain +action :create do + rulefile_resource_init + rulefile_resource.variables[:iptables][new_resource.table][:chains][new_resource.chain] = new_resource.value unless nil_or_empty?(new_resource.chain) +end - action :nothing - delayed_action :create - end - end +action :delete do + rulefile_resource_init + rulefile_resource.variables[:iptables][new_resource.table][:chains].delete(new_resource.chain) end diff --git a/resources/rule.rb b/resources/rule.rb index 99e1495..7cd6ce2 100644 --- a/resources/rule.rb +++ b/resources/rule.rb 
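Review bot: The `value` default `'ACCEPT [0:0]'` is only valid for built-in chains; in iptables-save format a user-defined chain is declared with a `-` policy (`:MYCHAIN - [0:0]`), and as far as I can tell iptables-restore rejects a policy on a non-builtin chain and aborts the whole file, leaving the host without the intended ruleset. Either say so in the description — `description: "Policy and counters for the chain, e.g. 'ACCEPT [0:0]' or 'DROP [0:0]' for built-in chains; user-defined chains must use '- [0:0]'"` — or validate the shape (which also blocks a stray newline from injecting a line into the rendered file): `callbacks: { 'must be "<POLICY|-> [packets:bytes]"' => ->(v) { v.match?(/\A\S+ \[\d+:\d+\]\z/) } }`. The new `:delete` action removes only the chain declaration, so any rule already accumulated with `-A <chain>` or `-j <chain>` stays in `:rules` and will likewise fail at restore time; consider `rules.reject! { |r| r.match?(/\A-A #{Regexp.escape(new_resource.chain.to_s)}\b/) }` and a `Chef::Log.warn` for the `-j` case.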
@@ -2,44 +2,75 @@ include Iptables::Cookbook::Helpers +property :config_file, String, + default: lazy { default_iptables_rules_file(ip_version) }, + description: 'The full path to find the rules on disk' + +property :owner, String, + default: 'root', + description: 'Permissions on the saved output file' + +property :group, String, + default: 'root', + description: 'Permissions on the saved output file' + +property :mode, String, + default: '0600', + description: 'Permissions on the saved output file' + +property :cookbook, String, + default: 'iptables', + description: 'Source cookbook to find the template in' + +property :template, String, + default: 'iptables.erb', + description: 'Source template to use to create the rules' + +property :sensitive, [true, false], + default: true, + description: 'Mark the resource as senstive' + +property :ip_version, [Symbol, String], + coerce: proc { |p| p.to_sym }, + equal_to: %i(ipv4 ipv6), + default: :ipv4, + description: 'The IP version, 4 or 6' + property :table, [Symbol, String], - equal_to: [:filter, :mangle, :nat, :raw, :security, 'filter', 'mangle', 'nat', 'raw', 'security'], + coerce: proc { |p| p.to_sym }, + equal_to: Iptables::Cookbook::Helpers::IPTABLES_TABLE_NAMES, default: :filter, description: 'The table the chain exists on for the rule' property :chain, [Symbol, String], + coerce: proc { |p| p.to_sym }, description: 'The name of the Chain to put this rule on' -property :ip_version, [Symbol, String], - equal_to: [:ipv4, :ipv6, 'ipv4', 'ipv6'], - default: :ipv4, - description: 'The IP version, 4 or 6' - -property :protocol, [Symbol, String, Integer], #--protocol (-p) +property :protocol, [Symbol, String, Integer], description: 'The protocol of the rule or of the packet to check. The specified protocol can be one of :tcp, :udp, :icmp, or :all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" 
argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. ' -property :match, String, # --match (-m) +property :match, String, description: 'Extended packet matching module to use' -property :source, String, # --source (-s) +property :source, String, description: "Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A \"!\" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. " -property :destination, String, # --destination (-d) +property :destination, String, description: "Destination specification, Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A \"!\" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option." -property :jump, String, # --jump (-j) +property :jump, String, description: "This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). 
If this option is omitted in a rule (and goto is not used), then matching the rule will have no effect on the packet\'s fate, but the counters on the rule will be incremented." -property :go_to, String, # --goto (-g) +property :go_to, String, description: 'This specifies that the processing should continue in a user specified chain. Unlike the --jump option return will not continue processing in this chain but instead in the chain that called us via --jump.' -property :in_interface, String, # --in-interface (-i) +property :in_interface, String, description: 'Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. ' -property :out_interface, String, # --out-interface (-o) +property :out_interface, String, description: 'Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. ' -property :fragment, String, # --fragment (-f) +property :fragment, String, description: 'Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. ' property :line_number, Integer, 
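Review bot: The `fragment` description kept on the new side is a copy of `out_interface`'s ('Name of an interface via which a packet is going to be sent…'), which is wrong: iptables `-f/--fragment` matches the second and further IPv4 fragments, takes no value (negation is `! -f`), and does not exist for ip6tables, yet the property is a `String` that `rule_builder` emits as `-f <value>`. I would replace it with `description: 'Match the second and further fragments of fragmented IPv4 packets (-f). Takes no argument in iptables, so anything other than a bare negation marker will be rejected by iptables-restore; not available for ip6tables.'` — hedged, since I cannot see how existing recipes set it. The `destination` description also ends with 'The flag --src is an alias for this option', copied from `source`; it should read `--dst`. The `line_number` property and its validation callback continue below this hunk.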
@@ -50,97 +81,31 @@ }, description: 'The location to insert the rule into for the chain' -property :line, String, - description: 'Specify the entire line yourself, overrides all other options' - property :extra_options, String, description: 'Pass in extra arguments which are not available directly, useful with modules' property :comment, String, + coerce: proc { |p| "\"#{p}\"" }, description: 'An optional comment to add to the rule' -### Section here is for the accumalator pattern - -property :file_mode, String, - default: '0644', - description: 'Permissions on the saved output file' - -property :source_template, String, - default: 'iptables.erb', - description: 'Source template to use to create the rules' - -property :cookbook, String, - default: 'iptables', - description: 'Source cookbook to find the template in' - -property :sensitive, [true, false], - default: false, - description: 'mark the resource as senstive' - -property :config_file, String, - default: lazy { default_iptables_rules_file(ip_version.to_sym) }, - description: 'The full path to find the rules on disk' +property :line, String, + description: 'Specify the entire line yourself, overriding all other options' -deprecated_property_alias 'target', 'jump', 'The target property was renamed jump in 7.0.0 and will be removed in 8.0.0' +action_class do + include Iptables::Cookbook::ResourceHelpers +end action :create do - # We are using the accumalator pattern here - # This is as we are managing a single config file but using multiple - # resouces to allow a cleaner api for the end user - # Note, this will only ever go as a file on disk at the end of a chef run - table = convert_to_symbol_and_mark_deprecated('table', new_resource.table) - table_name = table.to_s - - chain = convert_to_symbol_and_mark_deprecated('chain', new_resource.chain) if new_resource.chain + rulefile_resource_init - if new_resource.line - rule = new_resource.line + if new_resource.line_number + 
rulefile_resource.variables[:iptables][new_resource.table][:rules].insert((new_resource.line_number - 1), rule_builder) else - rule = "-A #{chain}" - # rule << " -t #{new_resource.table.to_s}" - rule << " -p #{new_resource.protocol}" if new_resource.protocol - rule << " -m #{new_resource.match}" if new_resource.match - rule << " -s #{new_resource.source}" if new_resource.source - rule << " -d #{new_resource.destination}" if new_resource.destination - rule << " -j #{new_resource.jump}" if new_resource.jump - rule << " -g #{new_resource.go_to}" if new_resource.go_to - rule << " -i #{new_resource.in_interface}" if new_resource.in_interface - rule << " -o #{new_resource.out_interface}" if new_resource.out_interface - rule << " -f #{new_resource.fragment}" if new_resource.fragment - rule << " #{new_resource.extra_options}" if new_resource.extra_options - rule << " -m comment --comment \"#{new_resource.comment}\"" if new_resource.comment + rulefile_resource.variables[:iptables][new_resource.table][:rules].push(rule_builder) end +end - with_run_context :root do - edit_resource(:template, new_resource.config_file) do |new_resource| - source new_resource.source_template - cookbook new_resource.cookbook - sensitive new_resource.sensitive - mode new_resource.file_mode - - variables['iptables'] ||= {} - # We have to make sure default exists, so this is a hack to do that ... 
- variables['iptables']['filter'] ||= {} - variables['iptables']['filter']['chains'] ||= {} - variables['iptables']['filter']['chains'] = get_default_chains_for_table(:filter) if variables['iptables']['filter']['chains'] == {} - - # We have to ensure the tables are initalised so we can insert rules into them - variables['iptables'][table_name] ||= {} - variables['iptables'][table_name]['chains'] ||= {} - variables['iptables'][table_name]['chains'] = get_default_chains_for_table(table) if variables['iptables'][table_name]['chains'] == {} - - variables['iptables'][table_name]['rules'] ||= [] - # If there is a line number let's insert it into the rules - # for the chain at that point - if new_resource.line_number - line_number = new_resource.line_number - 1 # 0 index vs 1 index - variables['iptables'][table_name]['rules'].insert(line_number, rule) - else - variables['iptables'][table_name]['rules'].push(rule) - end - - action :nothing - delayed_action :create - end - end +action :delete do + rulefile_resource_init + rulefile_resource.variables[:iptables][new_resource.table][:rules].delete(rule) end diff --git a/templates/default/iptables.erb b/templates/default/iptables.erb index bd53f94..c2dd974 100644 --- a/templates/default/iptables.erb +++ b/templates/default/iptables.erb 
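Review bot: `action :delete` calls `.delete(rule)`, but `rule` is not defined anywhere on the new side (the old action's local `rule` is removed in this same hunk), so the delete action raises NoMethodError at converge; it should be `rulefile_resource.variables[:iptables][new_resource.table][:rules].delete(rule_builder)`. The new `comment` coerce, `proc { |p| "\"#{p}\"" }`, only wraps the value in quotes: an embedded `"` ends the `--comment` argument as iptables-restore tokenises the line and whatever follows is parsed as further options, and iptables also caps comments at 256 bytes. Because Chef applies `coerce` before `callbacks` (I believe), the simplest guard is inside the coerce itself: `coerce: proc { |p| raise Chef::Exceptions::ValidationFailed, 'comment must be a single line without double quotes, at most 255 bytes' if p.to_s.match?(/["\r\n]/) || p.to_s.bytesize > 255; %("#{p}") }`. Note too that `line_number` indexes the table-wide `:rules` array, not the named chain, which the description 'The location to insert the rule into for the chain' does not convey.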
@@ -1,29 +1,22 @@ # Generated by Chef # Do NOT modify this file by hand. # -<%# IPtables declares items in the following pattern: -*tablename, e.g. *filter or *mangle -default chains -custom chains -rules to go into the chain -COMMIT -next table and so on - %> -<% unless @iptables.nil? || @iptables.empty? -%> + +<% unless nil_or_empty?(@iptables) -%> <% @iptables.each do |table, data| -%> +<% next if nil_or_empty?(data) -%> *<%= table %> -<%# Put the chains in the file, format of :Name%> -<% unless data['chains'].nil? || data['chains'].empty? -%> -<% data['chains'].each do |chain, value| -%> +<% unless nil_or_empty?(data[:chains]) -%> +<% data[:chains].each do |chain, value| -%> :<%= chain %> <%= value %> <% end -%> <% end -%> -<%# once all chains are down we put the rules doen%> -<% unless data['rules'].nil? || data['rules'].empty? -%> -<% data['rules'].each do |rule| -%> +<% unless nil_or_empty?(data[:rules]) -%> +<% data[:rules].each do |rule| -%> <%= rule %> <% end -%> <% end -%> COMMIT + <% end -%> <% end -%> diff --git a/templates/default/iptables_load.erb b/templates/default/iptables_load.erb index 51c13b4..37d21aa 100755 --- a/templates/default/iptables_load.erb +++ b/templates/default/iptables_load.erb @@ -1,3 +1,8 @@ #!/bin/sh + +# Generated by Chef +# Do NOT modify this file by hand. +# + <%= @iptables_restore_binary %> < <%= @iptables_save_file %> exit 0 From cc7537b4dd79b7d470827445dcab68d80b13aaa2 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 18:00:08 +0000 Subject: [PATCH 04/21] Refactor package and service resources Signed-off-by: Ben Hughes --- libraries/resource.rb | 2 +- resources/packages.rb | 21 ++-- resources/service.rb | 132 ++++++++++++-------------- templates/default/iptables-config.erb | 7 +- 4 files changed, 78 insertions(+), 84 deletions(-) diff --git a/libraries/resource.rb b/libraries/resource.rb index c493b51..6e7f437 100644 --- a/libraries/resource.rb +++ b/libraries/resource.rb 
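Review bot: `<%= rule %>` writes each rule string verbatim into the iptables-restore input, so a property value that contains a newline would become an extra, unreviewed rule line; the guard belongs in the code that builds `rule_builder` (outside this hunk), e.g. rejecting any property value matching `/[\r\n]/` before it is pushed onto the rules array. The switch to symbol keys (`data[:chains]`, `data[:rules]`) matches the `variables[:iptables][...][:rules]` writes in resources/rule.rb, but a caller still passing the old string-keyed layout now renders an empty table without error because `nil_or_empty?` treats the missing key as empty; a header comment such as `<%# @iptables: { table(Symbol) => { chains: { name => policy }, rules: [String] } } %>` would make the expected shape explicit.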
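Review bot: The unchanged `exit 0` on the last line of this hunk discards the exit status of the restore command, so a rules file that iptables-restore rejects leaves the host without the intended firewall while the loader still reports success to whatever invoked it. Dropping `exit 0`, or making the restore the final command via `exec "<%= @iptables_restore_binary %>" < "<%= @iptables_save_file %>"`, lets the failure propagate; quoting both interpolations also keeps the script correct should a path property ever contain a space.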
@@ -88,7 +88,7 @@ def rulefile_resource_create helpers(Iptables::Cookbook::TemplateHelpers) - action :nothing + action :create_if_missing delayed_action :create end end diff --git a/resources/packages.rb b/resources/packages.rb index 2bc281a..cd4390e 100644 --- a/resources/packages.rb +++ b/resources/packages.rb @@ -3,19 +3,14 @@ include Iptables::Cookbook::Helpers property :packages, Array, - default: lazy { package_names }, - description: 'The packages to install for iptables' + default: lazy { package_names }, + description: 'The packages to install for iptables' -action :install do - package 'iptables' do - package_name new_resource.packages - action :install - end -end - -action :remove do - package 'iptables' do - package_name new_resource.packages - action :remove +%i(install purge reconfig remove upgrade).each do |service_action| + action service_action do + package 'iptables' do + package_name new_resource.packages + action service_action + end end end diff --git a/resources/service.rb b/resources/service.rb index 116cf58..f0ac6a7 100644 --- a/resources/service.rb +++ b/resources/service.rb 
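Review bot: Changing the rule-file template to `action :create_if_missing` while keeping `delayed_action :create` means that on a node where the file does not yet exist the template renders the first time it converges, with only the chains and rules accumulated up to that point, and anything subscribed to it (the test recipes subscribe the service with `:restart`) can fire on that partial file before the delayed `:create` writes the full set. If the intent is only to guarantee the file exists before the service starts (the CHANGELOG's "Create a default configuration"), a `file new_resource.config_file` with `action :create_if_missing` and fixed placeholder content in the service resource, as the removed enable action had, achieves that with the template left at `action :nothing`. Either way a comment on the changed line stating why an immediate action is needed would help. `rulefile_resource_create` begins outside the hunk.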
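Review bot: The loop variable in `%i(install purge reconfig remove upgrade).each do |service_action|` is named for the service resource although it drives package actions; `package_action` reads correctly here and avoids confusion with the identical loop in resources/service.rb. A one-line comment above the loop, e.g. `# Expose every Chef package action, each delegating to a package resource for new_resource.packages`, documents why the actions are generated rather than written out.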
@@ -2,94 +2,88 @@ include Iptables::Cookbook::Helpers -property :ip_version, Symbol, - equal_to: %i(ipv4 ipv6), - default: :ipv4, - description: 'The IP version, 4 or 6' +property :config_file, String, + default: lazy { default_iptables_rules_file(ip_version) }, + description: 'The full path to find the rules on disk' -property :sysconfig, Hash, - default: lazy { get_sysconfig(ip_version) }, - description: 'The sysconfig settings' +property :owner, String, + default: 'root', + description: 'Permissions on the saved output file' -property :service_name, String, - default: lazy { get_service_name(ip_version) }, - description: 'Name of the iptables services' +property :group, String, + default: 'root', + description: 'Permissions on the saved output file' -property :sysconfig_file_mode, String, +property :mode, String, default: '0600', - description: 'Permissions on the saved sysconfig file' - -property :file_mode, String, - default: '0644', - description: 'Permissions on the saved rules file' - -property :source_template, String, - default: 'iptables-config.erb', - description: 'Source template to use to create the sysconfig file' + description: 'Permissions on the saved output file' property :cookbook, String, default: 'iptables', description: 'Source cookbook to find the template in' +property :template, String, + default: 'iptables.erb', + description: 'Source template to use to create the rule file' + +property :sensitive, [true, false], + default: true, + description: 'Mark the resource as senstive' + +property :ip_version, [Symbol, String], + coerce: proc { |p| p.to_sym }, + equal_to: %i(ipv4 ipv6), + default: :ipv4, + description: 'The IP version, 4 or 6' + +property :service_name, String, + default: lazy { default_service_name(ip_version) }, + description: 'Name of the iptables services' + property :sysconfig_file, String, - default: lazy { get_sysconfig_path(ip_version) }, + default: lazy { default_sysconfig_path(ip_version) }, description: 'The full path to 
find the sysconfig file on disk' -property :config_file, String, - default: lazy { default_iptables_rules_file(ip_version) }, - description: 'The full path to find the rules on disk' +property :sysconfig_template, String, + default: 'iptables-config.erb', + description: 'Source template to use to create the rule file' -action :enable do - case node['platform_family'] - when 'debian' - with_run_context :root do - edit_resource(:service, 'netfilter-persistent') do |new_resource| - subscribes :restart, "template[#{new_resource.config_file}]", :delayed - action :enable - end - end - when 'rhel', 'fedora', 'amazon' - file new_resource.config_file do - content '# Chef managed placeholder to allow iptables service to start' - action :create_if_missing - end +property :sysconfig, Hash, + default: lazy { default_sysconfig(ip_version) }, + description: 'The sysconfig settings' - template new_resource.sysconfig_file do - source new_resource.source_template - cookbook new_resource.cookbook - mode new_resource.sysconfig_file_mode - variables( - config: new_resource.sysconfig - ) - end - with_run_context :root do - edit_resource(:service, new_resource.service_name) do |new_resource| - subscribes :restart, "template[#{new_resource.config_file}]", :delayed - action [:enable, :start] - end - end +action_class do + include Iptables::Cookbook::ResourceHelpers + + SERVICE_PRE_ACTIONS_REQUIRED ||= %i(start restart reload).freeze + + def do_service_action(resource_action) + edit_resource(:service, new_resource.service_name).action(resource_action) end -end -action :disable do - case node['platform_family'] - when 'debian' - service 'netfilter-persistent' do - action [:disable, :stop] - end - when 'rhel', 'fedora', 'amazon' - file new_resource.config_file do - content '# iptables rules files cleared by chef via iptables::disabled' - action :create - end + def do_redhat_pre_actions + edit_resource(:template, new_resource.sysconfig_file) do + owner new_resource.owner + group 
new_resource.group + mode new_resource.mode + + source new_resource.sysconfig_template + cookbook new_resource.cookbook + sensitive new_resource.sensitive + + variables['config'] = new_resource.sysconfig + + helpers(Iptables::Cookbook::TemplateHelpers) - file "#{new_resource.config_file}.fallback" do - content '# iptables rules files cleared by chef via iptables::disabled' action :create end + end +end - service new_resource.service_name do - action [:disable, :stop] - end +%i(start stop restart reload enable disable).each do |service_action| + action service_action do + rulefile_resource_init + do_redhat_pre_actions if platform_family?('rhel', 'fedora', 'amazon') && SERVICE_PRE_ACTIONS_REQUIRED.include?(action) + do_service_action(action) end end diff --git a/templates/default/iptables-config.erb b/templates/default/iptables-config.erb index d81f84f..8e0e35c 100644 --- a/templates/default/iptables-config.erb +++ b/templates/default/iptables-config.erb @@ -1,4 +1,9 @@ -# This file managed by Chef. Do not hand edit +# Generated by Chef +# Do NOT modify this file by hand. +# + +<% unless nil_or_empty?(@config) -%> <% @config.each do |k,v| -%> <%= k %>="<%= v %>" <% end -%> +<% end -%> From 7b83fe0556ef80b92609a485f7965b96a0254c49 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 18:00:26 +0000 Subject: [PATCH 05/21] Update chefspec to match refactoring Signed-off-by: Ben Hughes --- spec/libraries/helpers_spec.rb | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/spec/libraries/helpers_spec.rb b/spec/libraries/helpers_spec.rb index 77354e4..0344769 100644 --- a/spec/libraries/helpers_spec.rb +++ b/spec/libraries/helpers_spec.rb @@ -7,7 +7,7 @@ class DummyClass < Chef::Node subject { DummyClass.new } - describe '#get_sysconfig_path' do + describe '#default_sysconfig_path' do before do allow(subject).to receive(:[]).with('ip_version').and_return(ip_version) end 
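Review bot: In the generated actions at the end of the hunk, `SERVICE_PRE_ACTIONS_REQUIRED.include?(action)` reads the provider's current action although the loop variable is already in scope; `do_redhat_pre_actions if platform_family?('rhel', 'fedora', 'amazon') && SERVICE_PRE_ACTIONS_REQUIRED.include?(service_action)` states the intent directly and does not depend on provider state. The `||=` on that constant inside `action_class` suggests it is being defined on the file's outer scope rather than on the provider class; a private method returning the frozen array avoids the shared constant and the need for `||=`. The new defaults `mode '0600'` and `sensitive true` disagree with documentation/iptables_service.md as rewritten later in this series, which lists `0644` and `false`; the table should follow the code. The `:disable` action also no longer replaces the rules file with the cleared placeholder the removed code wrote, so rules persist on disk after disabling — if intended, that deserves a line in the CHANGELOG hunk.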
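Review bot: `<%= k %>="<%= v %>"` still writes the `sysconfig` Hash unescaped into a file that, as far as I know, the RHEL-family iptables init script sources as shell, so a value containing a double quote or `$` would change how that file is parsed. Since `sysconfig` is a free-form Hash property, validating keys against `/\A[A-Z0-9_]+\z/` and rejecting `"` in values at the resource, or escaping `v` in the template, closes that gap. The added `nil_or_empty?` guard is fine; a template comment stating the key/value constraint would make the contract visible.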
@@ -15,7 +15,7 @@ class DummyClass < Chef::Node let(:ip_version) { :ipv4 } it 'returns the correct path' do - expect(subject.get_sysconfig_path(ip_version)).to match('/etc/sysconfig/iptables-config') + expect(subject.default_sysconfig_path(ip_version)).to match('/etc/sysconfig/iptables-config') end end @@ -23,12 +23,12 @@ class DummyClass < Chef::Node let(:ip_version) { :ipv6 } it 'returns the correct path' do - expect(subject.get_sysconfig_path(ip_version)).to match('/etc/sysconfig/ip6tables-config') + expect(subject.default_sysconfig_path(ip_version)).to match('/etc/sysconfig/ip6tables-config') end end end - describe '#get_sysconfig' do + describe '#default_sysconfig' do before do allow(subject).to receive(:[]).with('ip_version').and_return(ip_version) end @@ -36,7 +36,7 @@ class DummyClass < Chef::Node let(:ip_version) { :ipv4 } it 'returns the correct path' do - expect(subject.get_sysconfig(ip_version)).to match( + expect(subject.default_sysconfig(ip_version)).to match( 'IPTABLES_MODULES' => '', 'IPTABLES_MODULES_UNLOAD' => 'no', 'IPTABLES_SAVE_ON_STOP' => 'no', @@ -53,7 +53,7 @@ class DummyClass < Chef::Node let(:ip_version) { :ipv6 } it 'returns the correct path' do - expect(subject.get_sysconfig(ip_version)).to match( + expect(subject.default_sysconfig(ip_version)).to match( 'IP6TABLES_MODULES' => '', 'IP6TABLES_MODULES_UNLOAD' => 'no', 'IP6TABLES_SAVE_ON_STOP' => 'no', @@ -178,7 +178,7 @@ class DummyClass < Chef::Node end end - describe '#get_default_chains_for_table' do + describe '#default_chains_for_table' do before do allow(subject).to receive(:[]).with('table_name').and_return(table_name) end 
@@ -186,14 +186,14 @@ class DummyClass < Chef::Node let(:table_name) { :does_not_exist } it 'returns an empty Hash' do - expect(subject.get_default_chains_for_table(table_name)).to eq({}) + expect(subject.default_chains_for_table(table_name)).to eq({}) end end context 'When given the table filter' do let(:table_name) { :filter } it 'returns the correct default chains' do - expect(subject.get_default_chains_for_table(table_name)).to include( + expect(subject.default_chains_for_table(table_name)).to include( INPUT: 'ACCEPT [0:0]', FORWARD: 'ACCEPT [0:0]', OUTPUT: 'ACCEPT [0:0]' @@ -204,7 +204,7 @@ class DummyClass < Chef::Node let(:table_name) { :mangle } it 'returns the correct default chains' do - expect(subject.get_default_chains_for_table(table_name)).to include( + expect(subject.default_chains_for_table(table_name)).to include( PREROUTING: 'ACCEPT [0:0]', INPUT: 'ACCEPT [0:0]', FORWARD: 'ACCEPT [0:0]', @@ -217,7 +217,7 @@ class DummyClass < Chef::Node let(:table_name) { :nat } it 'returns the correct default chains' do - expect(subject.get_default_chains_for_table(table_name)).to include( + expect(subject.default_chains_for_table(table_name)).to include( PREROUTING: 'ACCEPT [0:0]', OUTPUT: 'ACCEPT [0:0]', POSTROUTING: 'ACCEPT [0:0]' @@ -229,7 +229,7 @@ class DummyClass < Chef::Node let(:table_name) { :raw } it 'returns the correct default chains' do - expect(subject.get_default_chains_for_table(table_name)).to include( + expect(subject.default_chains_for_table(table_name)).to include( PREROUTING: 'ACCEPT [0:0]', OUTPUT: 'ACCEPT [0:0]' ) @@ -240,7 +240,7 @@ class DummyClass < Chef::Node let(:table_name) { :security } it 'returns the correct default chains' do - expect(subject.get_default_chains_for_table(table_name)).to include( + expect(subject.default_chains_for_table(table_name)).to include( INPUT: 'ACCEPT [0:0]', FORWARD: 'ACCEPT [0:0]', OUTPUT: 'ACCEPT [0:0]' From f0051a8e8c02a541c72b6dc51247be781352714b Mon Sep 17 00:00:00 2001 
From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 18:00:39 +0000 Subject: [PATCH 06/21] Update kitchen tests to match refactoring Signed-off-by: Ben Hughes --- test/cookbooks/test/recipes/all-tables.rb | 7 ++++++- test/cookbooks/test/recipes/install-and-remove.rb | 2 +- test/cookbooks/test/recipes/rule-line-number.rb | 7 ++++++- test/cookbooks/test/recipes/rule-line.rb | 7 ++++++- test/cookbooks/test/recipes/rules.rb | 8 +++++++- 5 files changed, 26 insertions(+), 5 deletions(-) diff --git a/test/cookbooks/test/recipes/all-tables.rb b/test/cookbooks/test/recipes/all-tables.rb index c8316fc..7aa3071 100644 --- a/test/cookbooks/test/recipes/all-tables.rb +++ b/test/cookbooks/test/recipes/all-tables.rb @@ -4,7 +4,12 @@ include_recipe '::centos-6-helper' if platform?('centos') && node['platform_version'].to_i == 6 iptables_packages 'install iptables' -iptables_service 'configure iptables services' +iptables_service 'configure iptables services' do + action %i(enable start) + + subscribes :restart, 'template[/etc/sysconfig/iptables]', :delayed + subscribes :restart, 'template[/etc/iptables/rules.v4]', :delayed +end iptables_chain 'filter' do table :filter diff --git a/test/cookbooks/test/recipes/install-and-remove.rb b/test/cookbooks/test/recipes/install-and-remove.rb index 6290dad..54b5920 100644 --- a/test/cookbooks/test/recipes/install-and-remove.rb +++ b/test/cookbooks/test/recipes/install-and-remove.rb @@ -4,7 +4,7 @@ iptables_service 'configure iptables services' iptables_service 'remove-services' do - action :disable + action %i(stop disable) end iptables_packages 'remove-packages' do diff --git a/test/cookbooks/test/recipes/rule-line-number.rb b/test/cookbooks/test/recipes/rule-line-number.rb index cd83f82..b2ea8a0 100644 --- a/test/cookbooks/test/recipes/rule-line-number.rb +++ b/test/cookbooks/test/recipes/rule-line-number.rb 
@@ -4,7 +4,12 @@ include_recipe '::centos-6-helper' if platform?('centos') && node['platform_version'].to_i == 6 iptables_packages 'install iptables' -iptables_service 'configure iptables services' +iptables_service 'configure iptables services' do + action %i(enable start) + + subscribes :restart, 'template[/etc/sysconfig/iptables]', :delayed + subscribes :restart, 'template[/etc/iptables/rules.v4]', :delayed +end iptables_chain 'filter' do table :filter diff --git a/test/cookbooks/test/recipes/rule-line.rb b/test/cookbooks/test/recipes/rule-line.rb index 5a6c383..1e5dd23 100644 --- a/test/cookbooks/test/recipes/rule-line.rb +++ b/test/cookbooks/test/recipes/rule-line.rb @@ -3,7 +3,12 @@ include_recipe '::centos-6-helper' if platform?('centos') && node['platform_version'].to_i == 6 iptables_packages 'install iptables' -iptables_service 'configure iptables services' +iptables_service 'configure iptables services' do + action %i(enable start) + + subscribes :restart, 'template[/etc/sysconfig/iptables]', :delayed + subscribes :restart, 'template[/etc/iptables/rules.v4]', :delayed +end iptables_chain 'filter' do table :filter diff --git a/test/cookbooks/test/recipes/rules.rb b/test/cookbooks/test/recipes/rules.rb index c6633f9..490b541 100644 --- a/test/cookbooks/test/recipes/rules.rb +++ b/test/cookbooks/test/recipes/rules.rb @@ -4,7 +4,13 @@ include_recipe '::centos-6-helper' if platform?('centos') && node['platform_version'].to_i == 6 iptables_packages 'install iptables' -iptables_service 'configure iptables services' +iptables_service 'configure iptables services' do + action :enable + delayed_action :start + + subscribes :restart, 'template[/etc/sysconfig/iptables]', :delayed + subscribes :restart, 'template[/etc/iptables/rules.v4]', :delayed +end iptables_chain 'mangle' do table :mangle From 208a80d13124d140cf3f73fc5557f5005c149ae9 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 18:03:37 +0000 Subject: [PATCH 07/21] Update CHANGELOG 
Signed-off-by: Ben Hughes --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 84ae5e8..0c636f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,18 @@ This file is used to list changes made in each version of the iptables cookbook. +## Unreleased + +- Refactor cookbook [@bmhughes](https://github.com/bmhughes) + - Remove legacy code + - Refactor chain and rule resources + - Complex logic moved to helper libraries + - Refactor service resource + - Add the full set of service actions + - Create a default configuration to ensure starting on Redhat platform families + - Refactor package resource + - Add the full set of package actions + ## 8.0.0 (2021-05-26) - Cookstyle Bot Auto Corrections with Cookstyle 6.17.6 - [@cookstyle](https://github.com/cookstyle) From ee81606218676c6fe32e1eec87597d64da9c3741 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Sun, 7 Mar 2021 20:43:00 +0000 Subject: [PATCH 08/21] Documentation update Signed-off-by: Ben Hughes --- documentation/iptables_chain.md | 21 +++++++++++--------- documentation/iptables_packages.md | 11 +++++++---- documentation/iptables_rule.md | 19 ++++++++++-------- documentation/iptables_service.md | 31 ++++++++++++++++++++---------- 4 files changed, 51 insertions(+), 31 deletions(-) diff --git a/documentation/iptables_chain.md b/documentation/iptables_chain.md index df6af6d..817e43c 100644 --- a/documentation/iptables_chain.md +++ b/documentation/iptables_chain.md @@ -1,4 +1,4 @@ -[back to resource list](https://github.com/chef-cookbooks/iptables#resources) +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) --- 
@@ -12,21 +12,24 @@ As this is an accumalator pattern resource not declaring a chain will have it re ## Actions -`:create` +- `:create` +- `:delete` ## Properties | Name | Type | Default | Description | Allowed Values | --------------------------------- | ----------- | -------- | ----------- | -------------- | +| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved output file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | +| `sensitive` | `true, false` | `false` | mark the resource as senstive | | +| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | | `table` | `Symbol` | `:filter` | The table the chain should exist on | `:filter`, `:mangle`, `:nat`, `:raw`, `:security` | | `chain` | `Symbol` | `nil` | The name of the Chain | | | `value` | `String` | `ACCEPT [0:0]` | The default action and the Packets : Bytes count | | -| `ip_version` | `Symbol` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | -| `file_mode` | `String` | `0644` | Permissions on the saved output file | | -| `source_template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | -| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | -| `sensitive` | `true, false` | `false` | mark the resource as senstive | | -| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | ## Examples 
@@ -43,7 +46,7 @@ Create a custom chain ```ruby iptables_chain 'filter' do table :filter - chain :LOGGIMG + chain :LOGGING value '- [0:0]' end ``` diff --git a/documentation/iptables_packages.md b/documentation/iptables_packages.md index f2bc6c4..eb1a89f 100644 --- a/documentation/iptables_packages.md +++ b/documentation/iptables_packages.md @@ -1,4 +1,4 @@ -[back to resource list](https://github.com/chef-cookbooks/iptables#resources) +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) --- @@ -8,14 +8,17 @@ The `iptables_packages` resource can be used to install the required packages fo ## Actions -`:install` -`:remove` +- `:install` +- `:purge` +- `:reconfig` +- `:remove` +- `:upgrade` ## Properties | Name | Type | Default | Description | Allowed Values | --------------------------------- | ----------- | -------- | ----------- | -------------- | -| `package_names` | `Array` | Correct packages for platfrom | List of packages required for this cookbook to work | | +| `package_names` | `Array` | Correct packages for platfrom | List of packages required for this cookbook to work | | ## Examples diff --git a/documentation/iptables_rule.md b/documentation/iptables_rule.md index 966077f..4f62d19 100644 --- a/documentation/iptables_rule.md +++ b/documentation/iptables_rule.md @@ -1,4 +1,4 @@ -[back to resource list](https://github.com/chef-cookbooks/iptables#resources) +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) --- 
@@ -14,15 +14,23 @@ If the property `line` is used all other properties around configuring the iptab ## Actions -`:create` +- `:create` +- `:delete` ## Properties | Name | Type | Default | Description | Allowed Values | --------------------------------- | ----------- | -------- | ----------- | -------------- | +| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved output file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | +| `sensitive` | `true, false` | `false` | mark the resource as senstive | | | `table` | `Symbol` | `:filter` | The table the chain exists on for the rule | `:filter`, `:mangle`, `:nat`, `:raw`, `:security` | | `chain` | `Symbol` | `nil` | The name of the Chain to put this rule on | | -| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6`, `ipv4`, `ipv6` | +| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6`, `ipv4`, `ipv6` | | `protocol` | `Symbol`, `String`, `Integer` | | The protocol to look for | | | `match` | `String` | | extended packet matching module to use | | | `source` | `String` | | Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" 
argument before the address specification inverts the sense of the address. | | @@ -36,11 +44,6 @@ If the property `line` is used all other properties around configuring the iptab | `line` | `String` | | Specify the entire line yourself, overrides all other options | | | `extra_options` | `String` | | Pass in extra arguments which are not available directly, useful with modules | | | `comment` | `String` | | A comment to put on the rule | | -| `file_mode` | `String` | `0644` | Permissions on the saved output file | | -| `source_template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | -| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | -| `sensitive` | `true, false` | `false` | mark the resource as senstive | | -| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | ## Examples diff --git a/documentation/iptables_service.md b/documentation/iptables_service.md index d80f1cd..9c3d2ba 100644 --- a/documentation/iptables_service.md +++ b/documentation/iptables_service.md @@ -1,4 +1,4 @@ -[back to resource list](https://github.com/chef-cookbooks/iptables#resources) +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) --- 
@@ -8,23 +8,34 @@ The `iptables_service` resource can be used to configure the required service fo ## Actions -`:enable` -`:disable` +- `:start` +- `:stop` +- `:restart` +- `:reload` +- `:enable` +- `:disable` ## Properties | Name | Type | Default | Description | Allowed Values | --------------------------------- | ----------- | -------- | ----------- | -------------- | -| `ip_version` | `Symbol` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | -| `sysconfig` | `Hash` | Correct default settings | A hash of the config settings for sysconfig, see library for more details | | +| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved output file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | +| `sensitive` | `true, false` | `false` | mark the resource as senstive | | +| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | | `service_name` | `String` | Correct service name | Name of the iptables services | | -| `sysconfig_file_mode` | `String` | `0600` | Permissions on the saved sysconfig file | | - -| `file_mode` | `String` | `0644` | Permissions on the saved rules file | | -| `source_template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved rules file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | | `cookbook` | `cookbook` | `iptables` | 
Source cookbook to find the template in | | | `sysconfig_file` | `String` | The default location on disk of the sysconfig file, see resource for details | The full path to find the sysconfig file on disk | | -| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | +| `sysconfig_template` | `source_template` | `iptables-config.erb` | Source template to use to create the rules | | +| `sysconfig` | `Hash` | Correct default settings | A hash of the config settings for sysconfig, see library for more details | | ## Examples From 3aecee4b32de5233b92b4a70e3c869790bbd0b82 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Mon, 8 Mar 2021 18:32:13 +0000 Subject: [PATCH 09/21] Add CentOS 8 stream as a kitchen/CI platform Signed-off-by: Ben Hughes --- .github/workflows/ci.yml | 1 + kitchen.dokken.yml | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e889c85..65dbe22 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,6 +30,7 @@ jobs: - 'centos-6' - 'centos-7' - 'centos-8' + - 'centos-stream-8' - 'fedora-latest' - 'ubuntu-1604' - 'ubuntu-1804' diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index a2e1c59..9b229e7 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -44,6 +44,11 @@ platforms: pid_one_command: /usr/lib/systemd/systemd - name: centos-8 + driver: + image: dokken/centos-8 + pid_one_command: /usr/lib/systemd/systemd + + - name: centos-stream-8 driver: image: dokken/centos-stream-8 pid_one_command: /usr/lib/systemd/systemd From 9f01444682a137efaeca40fce7b6e0317394e377 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Mon, 8 Mar 2021 18:32:53 +0000 Subject: [PATCH 10/21] Use Chef Infra Client name in template headers 
Signed-off-by: Ben Hughes --- templates/default/iptables-config.erb | 2 +- templates/default/iptables.erb | 2 +- templates/default/iptables_load.erb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/default/iptables-config.erb b/templates/default/iptables-config.erb index 8e0e35c..439e4c0 100644 --- a/templates/default/iptables-config.erb +++ b/templates/default/iptables-config.erb @@ -1,4 +1,4 @@ -# Generated by Chef +# Generated by Chef Infra Client # Do NOT modify this file by hand. # diff --git a/templates/default/iptables.erb b/templates/default/iptables.erb index c2dd974..3e9a1a5 100644 --- a/templates/default/iptables.erb +++ b/templates/default/iptables.erb @@ -1,4 +1,4 @@ -# Generated by Chef +# Generated by Chef Infra Client # Do NOT modify this file by hand. # diff --git a/templates/default/iptables_load.erb b/templates/default/iptables_load.erb index 37d21aa..a8dbee6 100755 --- a/templates/default/iptables_load.erb +++ b/templates/default/iptables_load.erb @@ -1,6 +1,6 @@ #!/bin/sh -# Generated by Chef +# Generated by Chef Infra Client # Do NOT modify this file by hand. # From c7389a262d7056152c4ac981a536f9a649fab10a Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Tue, 9 Mar 2021 12:35:13 +0000 Subject: [PATCH 11/21] Add seperate cookbook source for sysconfig file template Signed-off-by: Ben Hughes --- resources/service.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/resources/service.rb b/resources/service.rb index f0ac6a7..6c65aa7 100644 --- a/resources/service.rb +++ b/resources/service.rb 
@@ -44,9 +44,13 @@ default: lazy { default_sysconfig_path(ip_version) }, description: 'The full path to find the sysconfig file on disk' +property :sysconfig_cookbook, String, + default: 'iptables', + description: 'Source cookbook to find the sysconfig template in' + property :sysconfig_template, String, default: 'iptables-config.erb', - description: 'Source template to use to create the rule file' + description: 'Source template to use to create the sysconfig file' property :sysconfig, Hash, default: lazy { default_sysconfig(ip_version) }, @@ -68,7 +72,7 @@ def do_redhat_pre_actions mode new_resource.mode source new_resource.sysconfig_template - cookbook new_resource.cookbook + cookbook new_resource.sysconfig_cookbook sensitive new_resource.sensitive variables['config'] = new_resource.sysconfig From 63822449da609ab3039c7fec4af3cc3cab526b92 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Tue, 9 Mar 2021 12:43:25 +0000 Subject: [PATCH 12/21] Documentation formatting fixes Signed-off-by: Ben Hughes --- documentation/iptables_chain.md | 32 ++++++++--------- documentation/iptables_packages.md | 12 +++---- documentation/iptables_rule.md | 56 ++++++++++++++---------------- documentation/iptables_service.md | 44 +++++++++++------------ 4 files changed, 68 insertions(+), 76 deletions(-) diff --git a/documentation/iptables_chain.md b/documentation/iptables_chain.md index 817e43c..fc004f0 100644 --- a/documentation/iptables_chain.md +++ b/documentation/iptables_chain.md @@ -1,9 +1,7 @@ -[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) - ---- - # iptables_chain +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) + The `iptables_chain` resource can be used to manage configuration of chains for iptables. More information available at 
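Review bot: The new `sysconfig_cookbook` property has no row in documentation/iptables_service.md, which patches 08 and 12 in this series rewrite without it; add a row `| sysconfig_cookbook | String | iptables | Source cookbook to find the sysconfig template in | |`. The corrected description "Source template to use to create the sysconfig file" should also replace "Source template to use to create the rules" in that table's `sysconfig_template` row.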
@@ -17,19 +15,19 @@ As this is an accumalator pattern resource not declaring a chain will have it re ## Properties -| Name | Type | Default | Description | Allowed Values | ---------------------------------- | ----------- | -------- | ----------- | -------------- | -| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | -| `owner` | `String` | `root` | Owner of the saved output file | | -| `group` | `String` | `root` | Group of the saved output file | | -| `mode` | `String` | `0644` | Permissions on the saved output file | | -| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | -| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | -| `sensitive` | `true, false` | `false` | mark the resource as senstive | | -| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | -| `table` | `Symbol` | `:filter` | The table the chain should exist on | `:filter`, `:mangle`, `:nat`, `:raw`, `:security` | -| `chain` | `Symbol` | `nil` | The name of the Chain | | -| `value` | `String` | `ACCEPT [0:0]` | The default action and the Packets : Bytes count | | +| Name | Type | Default | Description | Allowed Values | +| ------------- | ------------------ | -------------- | ------------------------------------------------ | ------------------------------------------------- | +| `config_file` | `String` | | Platform dependant | The full path to find the rules on disk | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved output file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | +| `sensitive` | `true, false` | `false` | 
mark the resource as senstive | | +| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | +| `table` | `Symbol` | `:filter` | The table the chain should exist on | `:filter`, `:mangle`, `:nat`, `:raw`, `:security` | +| `chain` | `Symbol` | `nil` | The name of the Chain | | +| `value` | `String` | `ACCEPT [0:0]` | The default action and the Packets : Bytes count | | ## Examples diff --git a/documentation/iptables_packages.md b/documentation/iptables_packages.md index eb1a89f..0c0761c 100644 --- a/documentation/iptables_packages.md +++ b/documentation/iptables_packages.md @@ -1,9 +1,7 @@ -[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) - ---- - # iptables_packages +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) + The `iptables_packages` resource can be used to install the required packages for iptables. ## Actions @@ -16,9 +14,9 @@ The `iptables_packages` resource can be used to install the required packages fo ## Properties -| Name | Type | Default | Description | Allowed Values | ---------------------------------- | ----------- | -------- | ----------- | -------------- | -| `package_names` | `Array` | Correct packages for platfrom | List of packages required for this cookbook to work | | +| Name | Type | Default | Description | Allowed Values | +| --------------- | ------- | ------------------ | --------------------------------------------------- | -------------- | +| `package_names` | `Array` | Platform dependant | List of packages required for this cookbook to work | | ## Examples diff --git a/documentation/iptables_rule.md b/documentation/iptables_rule.md index 4f62d19..deac737 100644 --- a/documentation/iptables_rule.md +++ b/documentation/iptables_rule.md 
@@ -1,9 +1,7 @@ -[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) - ---- - # iptables_rule +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) + The `iptables_rule` resource can be used to manage configuration of rules for chains using iptables. More information available at 
@@ -19,31 +17,31 @@ If the property `line` is used all other properties around configuring the iptab ## Properties -| Name | Type | Default | Description | Allowed Values | ---------------------------------- | ----------- | -------- | ----------- | -------------- | -| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | -| `owner` | `String` | `root` | Owner of the saved output file | | -| `group` | `String` | `root` | Group of the saved output file | | -| `mode` | `String` | `0644` | Permissions on the saved output file | | -| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | -| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | -| `sensitive` | `true, false` | `false` | mark the resource as senstive | | -| `table` | `Symbol` | `:filter` | The table the chain exists on for the rule | `:filter`, `:mangle`, `:nat`, `:raw`, `:security` | -| `chain` | `Symbol` | `nil` | The name of the Chain to put this rule on | | -| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6`, `ipv4`, `ipv6` | -| `protocol` | `Symbol`, `String`, `Integer` | | The protocol to look for | | -| `match` | `String` | | extended packet matching module to use | | -| `source` | `String` | | Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. 
| | -| `destination` | `String` | | Destination specification, Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. | | -| `jump` | `String` | | This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule (and goto is not used), then matching the rule will have no effect on the packet\'s fate, but the counters on the rule will be incremented. | | -| `go_to` | `String` | | This specifies that the processing should continue in a user specified chain. Unlike the --jump option return will not continue processing in this chain but instead in the chain that called us via jump. | | -| `in_interface` | `String` | | Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. | | -| `out_interface` | `String` | | Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. 
If this option is omitted, any interface name will match. | | -| `fragment` | `String` | | Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. | | -| `line_number` | `Integer` | | The location to insert the rule into for the chain | greater than 0 | -| `line` | `String` | | Specify the entire line yourself, overrides all other options | | -| `extra_options` | `String` | | Pass in extra arguments which are not available directly, useful with modules | | -| `comment` | `String` | | A comment to put on the rule | | +| Name | Type | Default | Description | Allowed Values | +| --------------- | ----------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- | +| `config_file` | `String` | Platform dependant | The full path to find the rules on disk | | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved output file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | 
| +| `sensitive` | `true, false` | `false` | mark the resource as senstive | | +| `table` | `Symbol` | `:filter` | The table the chain exists on for the rule | `:filter`, `:mangle`, `:nat`, `:raw`, `:security` | +| `chain` | `Symbol` | `nil` | The name of the Chain to put this rule on | | +| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6`, `ipv4`, `ipv6` | +| `protocol` | `Symbol`, `String`, `Integer` | | The protocol to look for | | +| `match` | `String` | | extended packet matching module to use | | +| `source` | `String` | | Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. | | +| `destination` | `String` | | Destination specification, Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. | | +| `jump` | `String` | | This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). 
If this option is omitted in a rule (and goto is not used), then matching the rule will have no effect on the packet\'s fate, but the counters on the rule will be incremented. | | +| `go_to` | `String` | | This specifies that the processing should continue in a user specified chain. Unlike the --jump option return will not continue processing in this chain but instead in the chain that called us via jump. | | +| `in_interface` | `String` | | Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. | | +| `out_interface` | `String` | | Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. | | +| `fragment` | `String` | | Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match. | | +| `line_number` | `Integer` | | The location to insert the rule into for the chain | greater than 0 | +| `line` | `String` | | Specify the entire line yourself, overrides all other options | | +| `extra_options` | `String` | | Pass in extra arguments which are not available directly, useful with modules | | +| `comment` | `String` | | A comment to put on the rule | | ## Examples 
diff --git a/documentation/iptables_service.md b/documentation/iptables_service.md index 9c3d2ba..f85df34 100644 --- a/documentation/iptables_service.md +++ b/documentation/iptables_service.md @@ -1,9 +1,7 @@ -[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) - ---- - # iptables_service +[Back to resource list](https://github.com/chef-cookbooks/iptables/tree/master/README.md#resources) + The `iptables_service` resource can be used to configure the required service for iptables for autoreloading. ## Actions 
@@ -17,25 +15,25 @@ The `iptables_service` resource can be used to configure the required service fo ## Properties -| Name | Type | Default | Description | Allowed Values | ---------------------------------- | ----------- | -------- | ----------- | -------------- | -| `config_file` | `String` | The default location on disk of the config file, see resource for details | The full path to find the rules on disk | | -| `owner` | `String` | `root` | Owner of the saved output file | | -| `group` | `String` | `root` | Group of the saved output file | | -| `mode` | `String` | `0644` | Permissions on the saved output file | | -| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | -| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | -| `sensitive` | `true, false` | `false` | mark the resource as senstive | | -| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | -| `service_name` | `String` | Correct service name | Name of the iptables services | | -| `owner` | `String` | `root` | Owner of the saved output file | | -| `group` | `String` | `root` | Group of the saved output file | | -| `mode` | `String` | `0644` | Permissions on the saved rules file | | -| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | -| `cookbook` | `cookbook` | `iptables` | Source cookbook to find the template in | | -| `sysconfig_file` | `String` | The default location on disk of the sysconfig file, see resource for details | The full path to find the sysconfig file on disk | | -| `sysconfig_template` | `source_template` | `iptables-config.erb` | Source template to use to create the rules | | -| `sysconfig` | `Hash` | Correct default settings | A hash of the config settings for sysconfig, see library for more details | | +| Name | Type | Default | Description | Allowed Values | +| -------------------- | ------------------ | ------------------------ | 
------------------------------------------------------------------------- | ---------------- | +| `config_file` | `String` | Platform dependant | The full path to find the rules on disk | | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved output file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `cookbook` | `String` | `iptables` | Source cookbook to find the template in | | +| `sensitive` | `true, false` | `false` | mark the resource as senstive | | +| `ip_version` | `Symbol`, `String` | `:ipv4` | The IP version | `:ipv4`, `:ipv6` | +| `service_name` | `String` | Correct service name | Name of the iptables services | | +| `owner` | `String` | `root` | Owner of the saved output file | | +| `group` | `String` | `root` | Group of the saved output file | | +| `mode` | `String` | `0644` | Permissions on the saved rules file | | +| `template` | `source_template` | `iptables.erb` | Source template to use to create the rules | | +| `cookbook` | `cookbook` | `iptables` | Source cookbook to find the template in | | +| `sysconfig_file` | `String` | Platform dependant | The full path to find the sysconfig file on disk | | +| `sysconfig_template` | `source_template` | `iptables-config.erb` | Source template to use to create the rules | | +| `sysconfig` | `Hash` | Correct default settings | A hash of the config settings for sysconfig, see library for more details | | ## Examples From 651db211c6d1408fbec25f737a7140efbfdf30b5 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Tue, 9 Mar 2021 12:46:52 +0000 Subject: [PATCH 13/21] Kitchen test fixup 
Signed-off-by: Ben Hughes --- .../test/recipes/rule-line-number.rb | 2 +- test/cookbooks/test/recipes/rules.rb | 3 +++ .../test/templates/default/iptables.erb | 24 +++++++++++++++++++ test/integration/rules/rules.rb | 4 ++++ 4 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 test/cookbooks/test/templates/default/iptables.erb diff --git a/test/cookbooks/test/recipes/rule-line-number.rb b/test/cookbooks/test/recipes/rule-line-number.rb index b2ea8a0..3d77702 100644 --- a/test/cookbooks/test/recipes/rule-line-number.rb +++ b/test/cookbooks/test/recipes/rule-line-number.rb @@ -24,7 +24,7 @@ end # This should be the first rule now -iptables_rule 'Allow from loopback interface' do +iptables_rule 'Allow from ethernet interface' do table :filter chain :INPUT ip_version 'ipv4' diff --git a/test/cookbooks/test/recipes/rules.rb b/test/cookbooks/test/recipes/rules.rb index 490b541..a011b39 100644 --- a/test/cookbooks/test/recipes/rules.rb +++ b/test/cookbooks/test/recipes/rules.rb @@ -8,6 +8,9 @@ action :enable delayed_action :start + cookbook 'test' + sensitive false + subscribes :restart, 'template[/etc/sysconfig/iptables]', :delayed subscribes :restart, 'template[/etc/iptables/rules.v4]', :delayed end diff --git a/test/cookbooks/test/templates/default/iptables.erb b/test/cookbooks/test/templates/default/iptables.erb new file mode 100644 index 0000000..770f2b3 --- /dev/null +++ b/test/cookbooks/test/templates/default/iptables.erb 
@@ -0,0 +1,24 @@ +# Generated by Chef Infra Client +# Do NOT modify this file by hand. +# +# I'm from the test cookbook +# + +<% unless nil_or_empty?(@iptables) -%> +<% @iptables.each do |table, data| -%> +<% next if nil_or_empty?(data) -%> +*<%= table %> +<% unless nil_or_empty?(data[:chains]) -%> +<% data[:chains].each do |chain, value| -%> +:<%= chain %> <%= value %> +<% end -%> +<% end -%> +<% unless nil_or_empty?(data[:rules]) -%> +<% data[:rules].each do |rule| -%> +<%= rule %> +<% end -%> +<% end -%> +COMMIT + +<% end -%> +<% end -%> diff --git a/test/integration/rules/rules.rb b/test/integration/rules/rules.rb index 8fdc76a..25e82de 100644 --- a/test/integration/rules/rules.rb +++ b/test/integration/rules/rules.rb @@ -2,6 +2,7 @@ when 'debian', 'ubuntu' describe file('/etc/iptables/rules.v4') do it { should exist } + its(:content) { should match /# I'm from the test cookbook/ } end describe service('netfilter-persistent') do it { should be_installed } @@ -9,6 +10,9 @@ it { should be_enabled } end when 'redhat', 'fedora' + describe file('/etc/sysconfig/iptables') do + its(:content) { should match /# I'm from the test cookbook/ } + end describe file('/etc/sysconfig/iptables-config') do its(:content) { should match /IPTABLES_STATUS_VERBOSE="no"/ } end From ed53e4a74966d075b459f87823e79ad3701efb5b Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Wed, 5 May 2021 18:57:05 +0100 Subject: [PATCH 14/21] Remove recipes Signed-off-by: Ben Hughes --- recipes/_package.rb | 31 --------------------- recipes/default.rb | 68 --------------------------------------------- recipes/disabled.rb | 45 ------------------------------ 3 files changed, 144 deletions(-) delete mode 100644 recipes/_package.rb delete mode 100644 recipes/default.rb delete mode 100644 recipes/disabled.rb diff --git a/recipes/_package.rb b/recipes/_package.rb deleted file mode 100644 index 2c79651..0000000 --- a/recipes/_package.rb +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# Cookbook:: iptables -# Recipe:: _package -# -# Copyright:: 2008-2019, Chef Software, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# amazon linux, any fedora, and amazon linux 2 -if (platform_family?('rhel') && node['platform_version'].to_i >= 7) || - (platform_family?('amazon') && node['platform_version'].to_i < 2013) || - platform_family?('fedora') - package 'iptables-services' -else - package 'iptables' - if platform_family?('debian') - # Since Ubuntu 10.04LTS and Debian6, this package takes over the automatic loading of the saved iptables rules - package 'iptables-persistent' - end -end diff --git a/recipes/default.rb b/recipes/default.rb deleted file mode 100644 index ce9e8c3..0000000 --- a/recipes/default.rb +++ /dev/null 
@@ -1,68 +0,0 @@ -# -# Cookbook:: iptables -# Recipe:: default -# -# Copyright:: 2008-2019, Chef Software, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -Chef::DSL::Recipe.include Iptables::Cookbook::Helpers -include_recipe 'iptables::_package' - -Chef::Log.warn('The recipes inside iptables will be removed in the next major itteration (8.0.0), please change to resources provided by the iptables cookbook') - -%w(iptables ip6tables).each do |ipt| - file = if ipt == 'iptables' - default_iptables_rules_file(:ipv4) - else - default_iptables_rules_file(:ipv6) - end - case node['platform_family'] - when 'debian' - # debian based systems load iptables during the interface activation - template "/etc/network/if-pre-up.d/#{ipt}_load" do - source 'iptables_load.erb' - mode '0755' - variables( - iptables_save_file: file, - iptables_restore_binary: "/sbin/#{ipt}-restore" - ) - end - - execute "reload #{ipt}" do - command "/etc/network/if-pre-up.d/#{ipt}_load" - subscribes :run, "template[#{file}]", :delayed - action :nothing - end - when 'rhel', 'fedora', 'amazon' - # iptables service exists only on RHEL based systems - file "/etc/sysconfig/#{ipt}" do - content '# Chef managed placeholder to allow iptables service to start' - action :create_if_missing - end - - template "/etc/sysconfig/#{ipt}-config" do - source 'iptables-config.erb' - mode '600' - variables( - config: node['iptables']["#{ipt}_sysconfig"] - ) - end - - service ipt do - supports status: true, start: true, 
stop: true, restart: true, reload: true - subscribes :restart, "template[#{file}]", :delayed - action [:enable, :start] - end - end -end diff --git a/recipes/disabled.rb b/recipes/disabled.rb deleted file mode 100644 index 0e61b93..0000000 --- a/recipes/disabled.rb +++ /dev/null @@ -1,45 +0,0 @@ -# -# Cookbook:: iptables -# Recipe:: default -# -# Copyright:: 2008-2019, Chef Software, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -include_recipe 'iptables::_package' - -Chef::Log.warn('The recipes inside iptables will be removed in the next major itteration (8.0.0), please change to resources provided by the iptables cookbook') - -%w(iptables ip6tables).each do |ipt| - service ipt do - action [:disable, :stop] - delayed_action :stop - supports status: true, start: true, stop: true, restart: true - only_if { platform_family?('rhel', 'fedora', 'amazon') } - end - - ["/etc/sysconfig/#{ipt}", "/etc/sysconfig/#{ipt}.fallback"].each do |f| - file f do - content '# iptables rules files cleared by chef via iptables::disabled' - only_if { platform_family?('rhel', 'fedora', 'amazon') } - notifies :run, "execute[flush #{ipt}]", :immediately - end - end - - # Flush and delete iptables rules - execute "flush #{ipt}" do - command "#{ipt} -F" - action :nothing - end -end From 1232f8fad0c715dc0b7c3364b0424ff7f126bb08 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Wed, 5 May 2021 18:57:23 +0100 Subject: [PATCH 15/21] Unified mode for Chef 17 
Signed-off-by: Ben Hughes
---
 UPGRADING.md | 1 +
 resources/{packages.rb => package.rb} | 3 +++
 resources/service.rb | 4 ++--
 3 files changed, 6 insertions(+), 2 deletions(-)
 rename resources/{packages.rb => package.rb} (87%)

diff --git a/UPGRADING.md b/UPGRADING.md
index 668ea19..ac06fac 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -46,3 +46,4 @@ This document will give you help on upgrading major versions of iptables
 - Property `match` now prefixes the `String` passed in with `-m` so you only need to pass in the match provider name, e.g: `tcp`
 - Property `target` has been deprecated please use property `jump`
 - Recipe `iptables::default` now gets it's iptables config file path from a helper library
+- Resource `iptables_packages` renamed to `iptables_package`
diff --git a/resources/packages.rb b/resources/package.rb
similarity index 87%
rename from resources/packages.rb
rename to resources/package.rb
index cd4390e..7663b92 100644
--- a/resources/packages.rb
+++ b/resources/package.rb
@@ -1,5 +1,8 @@
 unified_mode true
+provides :iptables_package
+provides :iptables_packages
+
 include Iptables::Cookbook::Helpers
 property :packages, Array,
diff --git a/resources/service.rb b/resources/service.rb
index 6c65aa7..af9dab5 100644
--- a/resources/service.rb
+++ b/resources/service.rb
@@ -62,11 +62,11 @@
 SERVICE_PRE_ACTIONS_REQUIRED ||= %i(start restart reload).freeze
 def do_service_action(resource_action)
- edit_resource(:service, new_resource.service_name).action(resource_action)
+ declare_resource(:service, new_resource.service_name) { action(resource_action) }
 end
 def do_redhat_pre_actions
- edit_resource(:template, new_resource.sysconfig_file) do
+ declare_resource(:template, new_resource.sysconfig_file) do
 owner new_resource.owner
 group new_resource.group
 mode new_resource.mode
From 76a45290ced070f180134532e1941d0f1d1aaac2 Mon Sep 17 00:00:00 2001
From: "Benjamin M. Hughes"
Date: Thu, 6 May 2021 11:11:25 +0100
Subject: [PATCH 16/21] Correct find_resource calls
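Review bot: `provides :iptables_packages` keeps the pre-rename resource name resolvable, but nothing in the hunk records that it is a compatibility alias, and the UPGRADING entry in the same commit only says the resource was renamed. A one-line comment above it, `# Legacy name; kept so existing wrapper cookbooks keep converging, drop in the next major release`, would stop a later cleanup from removing the alias (or the new name) by mistake and tells users which name to migrate to. It would also be worth adding to the UPGRADING line that the old name still works for now.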
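Review bot: Replacing `edit_resource` with `declare_resource` in `do_service_action` turns find-or-update into always-create, so if any action path invokes `do_service_action` more than once for the same `service_name` within one action (not visible in this hunk), Chef now declares two `service[...]` resources with that name where it previously merged them into one. The legacy `default` recipe deleted earlier in this series also passed `supports status: true, start: true, stop: true, restart: true, reload: true` to the service; the new block passes only the action, so `:reload` on non-systemd service providers is worth re-testing. A short comment explaining why `declare_resource` is needed under `unified_mode true` would help the next reader. `do_redhat_pre_actions` continues outside this hunk.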
Signed-off-by: Ben Hughes
---
 libraries/resource.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libraries/resource.rb b/libraries/resource.rb
index 6e7f437..3abd1a8 100644
--- a/libraries/resource.rb
+++ b/libraries/resource.rb
@@ -44,9 +44,9 @@ def rulefile_resource_init
 end
 def rulefile_resource
- return false unless rulefile_resource_exist?
+ return unless rulefile_resource_exist?
- find_resource(:template, new_resource.config_file)
+ find_resource!(:template, new_resource.config_file)
 end
 def rule_builder
@@ -62,7 +62,7 @@ def rule_builder
 private
 def rulefile_resource_exist?
- !find_resource(:template, new_resource.config_file).nil?
+ !find_resource!(:template, new_resource.config_file).nil?
 rescue Chef::Exceptions::ResourceNotFound
 false
 end
From 79c8700842b01d97317a31cc320d145e29cffe00 Mon Sep 17 00:00:00 2001
From: "Benjamin M. Hughes"
Date: Thu, 6 May 2021 11:26:02 +0100
Subject: [PATCH 17/21] Correct default packages for Fedora >= 34

Signed-off-by: Ben Hughes
---
 libraries/helpers.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libraries/helpers.rb b/libraries/helpers.rb
index c4d4260..a077426 100644
--- a/libraries/helpers.rb
+++ b/libraries/helpers.rb
@@ -83,7 +83,13 @@ def package_names
 else
 %w(iptables iptables-services iptables-utils)
 end
- when 'fedora', 'amazon'
+ when 'fedora'
+ if node['platform_version'].to_i >= 34
+ %w(iptables-compat iptables-nft iptables-services iptables-utils)
+ else
+ %w(iptables iptables-services iptables-utils)
+ end
+ when 'amazon'
 %w(iptables iptables-services iptables-utils)
 when 'debian'
 %w(iptables iptables-persistent)
From 7996c141795c64a6176c33f61c09996f3e9a7565 Mon Sep 17 00:00:00 2001
From: "Benjamin M. Hughes"
Date: Fri, 28 May 2021 13:19:08 +0100
Subject: [PATCH 18/21] Update CI platforms

---
 .github/workflows/ci.yml | 1 +
 kitchen.dokken.yml | 10 +++++++---
 kitchen.yml | 9 +++++++--
 3 files changed, 15 insertions(+), 5 deletions(-)
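Review bot: `rulefile_resource` now performs the same lookup twice: `rulefile_resource_exist?` calls `find_resource!` and rescues `ResourceNotFound`, and then the method calls `find_resource!` again for the same template. A single guarded lookup, `find_resource!(:template, new_resource.config_file)` with `rescue Chef::Exceptions::ResourceNotFound` returning `nil`, is simpler and keeps the two helpers from drifting apart. The early return also changed from `false` to `nil`; any caller comparing against `false` (none visible here) would silently stop matching, so a comment or changelog line should record the new return contract. `rulefile_resource_init`, named in the hunk header, is outside this view.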
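Review bot: In `rulefile_resource_exist?` the `.nil?` test on `find_resource!(...)` is now dead: the bang variant raises `Chef::Exceptions::ResourceNotFound` instead of returning `nil`, which is exactly what the existing `rescue` handles. The method reads more honestly as `find_resource!(:template, new_resource.config_file)` followed by `true` on its own line, with the `rescue ... false` unchanged. A one-line comment, `# find_resource! raises rather than returning nil when the template has not been declared yet`, would make clear that the rescue is the real check.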
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65dbe22..2cb33ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,6 +34,7 @@ jobs: - 'fedora-latest' - 'ubuntu-1604' - 'ubuntu-1804' + - 'ubuntu-2004' suite: - 'all-tables' diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index 9b229e7..4fbe23f 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -3,15 +3,12 @@ driver: name: dokken privileged: true chef_version: <%= ENV['CHEF_VERSION'] || 'current' %> - chef_license: accept-no-persist transport: name: dokken provisioner: name: dokken - # We have our own deprecation errors ... - deprecations_as_errors: false platforms: - name: amazonlinux-2 @@ -71,3 +68,10 @@ platforms: pid_one_command: /bin/systemd intermediate_instructions: - RUN /usr/bin/apt-get update + + - name: ubuntu-20.04 + driver: + image: dokken/ubuntu-20.04 + pid_one_command: /bin/systemd + intermediate_instructions: + - RUN /usr/bin/apt-get update diff --git a/kitchen.yml b/kitchen.yml index 45134eb..957ffbc 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -4,8 +4,12 @@ driver: provisioner: name: chef_zero - deprecations_as_errors: false - chef_license: accept-no-persist + deprecations_as_errors: true + chef_license: accept + product_name: chef + product_version: <%= ENV['CHEF_VERSION'] || 'latest' %> + install_strategy: always + log_level: <%= ENV['CHEF_LOG_LEVEL'] || 'auto' %> verifier: name: inspec @@ -23,6 +27,7 @@ platforms: - name: fedora-latest - name: ubuntu-16.04 - name: ubuntu-18.04 + - name: ubuntu-20.04 suites: - name: all-tables From 9ec9eeb19fa56230950048ce9345dec4a5507d4d Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Wed, 16 Jun 2021 09:26:56 +0100 Subject: [PATCH 19/21] Add debug step to action --- .github/workflows/ci.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2cb33ee..45e116e 100644 --- a/.github/workflows/ci.yml 
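Review bot: In the kitchen.yml provisioner hunk, the ERB default of `'latest'` for `product_version` combined with `install_strategy: always` means every run without `CHEF_VERSION` set downloads whatever Chef Infra Client is newest at that moment, so a failure can come from a new client release rather than from this cookbook and two runs of the same commit are not reproducible. Consider defaulting to the lowest version the cookbook targets (the `Unified mode for Chef 17` commit suggests `'17'`) and letting the CI matrix override it. A short comment that `chef_license: accept` (replacing `accept-no-persist`) persists the acceptance file inside the throwaway test instance, while the workflow still passes `CHEF_LICENSE: accept-no-persist`, would explain why the two differ.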
+++ b/.github/workflows/ci.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@master + uses: actions/checkout@main - name: Run Chef Delivery uses: actionshub/chef-delivery@main env: @@ -46,14 +46,22 @@ jobs: steps: - name: Check out code - uses: actions/checkout@master + uses: actions/checkout@main - name: Install Chef - uses: actionshub/chef-install@master + uses: actionshub/chef-install@main - name: Dokken - uses: actionshub/kitchen-dokken@master + uses: actionshub/kitchen-dokken@main env: CHEF_LICENSE: accept-no-persist KITCHEN_LOCAL_YAML: kitchen.dokken.yml with: suite: ${{ matrix.suite }} os: ${{ matrix.os }} + - name: Print debug output on failure + if: failure() + run: | + set -x + sudo journalctl -l --since today + sudo docker version + sudo docker info + KITCHEN_LOCAL_YAML=kitchen.dokken.yml /usr/bin/kitchen exec ${{ matrix.suite }}-${{ matrix.os }} -c "journalctl -l" From 7b64755fb6546b31ca62e98a9620b9243fc8bc1d Mon Sep 17 00:00:00 2001 From: "Benjamin M. Hughes" Date: Mon, 16 Aug 2021 13:51:25 +0100 Subject: [PATCH 20/21] Allow multiple matches to specified per rule --- CHANGELOG.md | 1 + resources/rule.rb | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c636f9..1d40dfe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ This file is used to list changes made in each version of the iptables cookbook. - Remove legacy code - Refactor chain and rule resources - Complex logic moved to helper libraries + - Allow multiple matches per rule - Refactor service resource - Add the full set of service actions - Create a default configuration to ensure starting on Redhat platform families diff --git a/resources/rule.rb b/resources/rule.rb index 7cd6ce2..c2a0de0 100644 --- a/resources/rule.rb +++ b/resources/rule.rb 
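Review bot: Moving `actions/checkout`, `actionshub/chef-install` and `actionshub/kitchen-dokken` from `@master` to `@main` still pins them to a mutable branch, so any push to those repositories changes the code that runs in this workflow with access to the checkout and `GITHUB_TOKEN`. Pin each third-party action to a release tag or, preferably, a full commit SHA with a trailing version comment, e.g. `uses: actions/checkout@FULL_SHA # v2.3.4`, and let Dependabot move the pins. The new debug step also dumps the runner's entire `journalctl --since today` into the job log on failure; that is usually harmless on ephemeral hosted runners, but a comment noting the assumption would stop it being reused unchanged on a self-hosted runner.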
@@ -47,10 +47,11 @@ description: 'The name of the Chain to put this rule on'
property :protocol, [Symbol, String, Integer],
- description: 'The protocol of the rule or of the packet to check. The specified protocol can be one of :tcp, :udp, :icmp, or :all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. '
+ description: 'The protocol of the rule or of the packet to check. The specified protocol can be one of :tcp, :udp, :icmp, or :all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.'
-property :match, String,
- description: 'Extended packet matching module to use'
+property :match, [String, Array],
+ description: 'Extended packet matching module to use',
+ coerce: proc { |p| p.is_a?(Array) ? p.join(' -m ') : p }
property :source, String,
description: "Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A \"!\" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. "
From cc494b3b031c68a8fa6f491c0bc10b1d7f5d623d Mon Sep 17 00:00:00 2001
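Review bot: The new `coerce` on `match` folds an Array into a single String with `' -m '` embedded, so the stored value is a fragment of iptables command line rather than a list of module names, and no element is checked: `[]` becomes `''`, `['state', '']` becomes `'state -m '`, and an element containing whitespace or a leading `-` is spliced into the rendered rule as extra options. Because Chef applies `coerce` before a property's validators, a `callbacks:` check added here would only ever see the joined string; the cleaner shape is to keep the Array on the property and do the joining in the helper that renders the rule (outside this hunk), where each element can be validated as a bare module name. If the String form has to stay, validate inside the coerce, e.g. `coerce: proc { |p| Array(p).map(&:to_s).each { |m| raise ArgumentError, "invalid match module: #{m.inspect}" unless m.match?(/\A[\w-]+\z/) }.join(' -m ') }`, relaxing the pattern only if callers are known to pass module options through this property. The description should also say that an Array of module names is accepted and how it is joined, since the `[String, Array]` type alone does not convey that.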
From: "Benjamin M. Hughes"
Date: Mon, 16 Aug 2021 13:58:42 +0100
Subject: [PATCH 21/21] Migrate to sous CI config
---
.github/workflows/ci.yml | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 45e116e..c1a30ac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,11 +1,11 @@
---
name: ci
-on:
+"on":
pull_request:
push:
branches:
- - master
+ - main
jobs:
delivery:
@@ -18,9 +18,25 @@ jobs:
env:
CHEF_LICENSE: accept-no-persist
- dokken:
- needs: [delivery]
+ yamllint:
runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@main
+ - name: Run yaml Lint
+ uses: actionshub/yamllint@main
+
+ mdl:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@main
+ - name: Run Markdown Lint
+ uses: actionshub/markdownlint@main
+
+ integration:
+ needs: [mdl, yamllint, delivery]
+ runs-on: macos-latest
strategy:
matrix:
os:
@@ -35,7 +51,6 @@ jobs:
- 'ubuntu-1604'
- 'ubuntu-1804'
- 'ubuntu-2004'
- suite:
- 'all-tables'
- 'install-and-remove'
@@ -46,19 +61,18 @@ jobs:
steps:
- name: Check out code
- uses: actions/checkout@main
+ uses: actions/checkout@v2
- name: Install Chef
uses: actionshub/chef-install@main
- - name: Dokken
- uses: actionshub/kitchen-dokken@main
+ - name: test-kitchen
+ uses: actionshub/test-kitchen@main
env:
CHEF_LICENSE: accept-no-persist
- KITCHEN_LOCAL_YAML: kitchen.dokken.yml
with:
suite: ${{ matrix.suite }}
os: ${{ matrix.os }}
- name: Print debug output on failure
- if: failure()
+ if: ${{ failure() }}
run: |
set -x
sudo journalctl -l --since today
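Review bot: The `@@ -18,9 +18,25 @@` hunk moves `integration` to `runs-on: macos-latest`, but the failure-time debug step in the last hunk of this file (which runs past the end of this excerpt) still begins with `sudo journalctl -l --since today` and, as far as the visible lines show, keeps the `docker version` / `docker info` calls added in PATCH 19; `journalctl` is a systemd tool and Docker is not part of the GitHub-hosted macOS image as far as I know, so on failure the diagnostics step will itself fail and print nothing useful. Either replace those commands with ones that exist on the macOS runner, or gate the step, e.g. `if: ${{ failure() && runner.os == 'Linux' }}`, so it only runs where it can work. It would also help to add a comment on `integration` explaining why the job moved off Linux, since the `kitchen.dokken.yml` override is dropped in the same commit and the reason is not recoverable from the diff.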
