or write any rules. Be careful here: The default Debian package enabled
autostart for the service and only allows incoming SSH/IPSec connections.
+It is also possible to install ferm from sources:
+```puppet
+class {'ferm':
+ install_method = 'vcsrepo',
+}
+```
+
+When `install_method` is `vcsrepo`, the `git` binary is required, this module should handle Git installation.
+
+When `install_method` is `vcsrepo` with `vcstag` >= `v2.5` ferm call "legacy" xtables tools because nft based tools are incompatible.
+
You can easily define rules in Puppet (they don't need to be exported resources):
```puppet
Data type: `Hash[String[1],Array[String[1]]]`
-Hash with table:chains[] to use ferm @preserve for
+Hash with table:chains[] to use ferm @preserve for (since ferm v2.4)
Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
Default value: {}
+##### `install_method`
+
+Data type: `Enum['package','vcsrepo']`
+
+method used to install ferm
+
+Default value: 'package'
+
+##### `vcsrepo`
+
+Data type: `Stdlib::HTTPSUrl`
+
+git repository where ferm sources are hosted
+
+Default value: 'https://github.com/MaxKellermann/ferm.git'
+
+##### `vcstag`
+
+Data type: `String[1]`
+
+git tag used when install_method is vcsrepo
+
+Default value: 'v2.5.1'
+
## Defined types
### ferm::chain
$_ip = join($ferm::ip_versions, ' ')
+ if $facts['systemd'] { #fact provided by systemd module
+ if $ferm::install_method == 'vcsrepo' and $ferm::manage_service {
+ systemd::dropin_file { 'ferm.conf':
+ unit => 'ferm.service',
+ content => epp("${module_name}/dropin_ferm.conf.epp"),
+ before => Service['ferm'],
+ }
+ }
+ }
+
# copy static files to ferm
# on a long term point of view, we want to package this
file{$ferm::configdirectory:
# @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
# @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
# @param ip_versions Set list of versions of ip we want ot use.
-# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for
+# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for (since ferm v2.4)
# Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
+# @param install_method method used to install ferm
+# @param vcsrepo git repository where ferm sources are hosted
+# @param vcstag git tag used when install_method is vcsrepo
class ferm (
Stdlib::Absolutepath $configfile,
Stdlib::Absolutepath $configdirectory,
Hash $chains = {},
Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'],
Hash[String[1],Array[String[1]]] $preserve_chains_in_tables = {},
+ Enum['package','vcsrepo'] $install_method = 'package',
+ Stdlib::HTTPSUrl $vcsrepo = 'https://github.com/MaxKellermann/ferm.git',
+ String[1] $vcstag = 'v2.5.1',
) {
contain ferm::install
contain ferm::config
# this is a private class
assert_private("You're not supposed to do that!")
- package{'ferm':
- ensure => 'latest',
+ case $ferm::install_method {
+ 'package': {
+ package{'ferm':
+ ensure => 'latest',
+ }
+ }
+ 'vcsrepo': {
+ $_source_path = '/opt/ferm'
+ ensure_packages (['git', 'iptables', 'perl', 'make'], { ensure => present })
+
+ package{'ferm':
+ ensure => absent,
+ }
+ -> vcsrepo { $_source_path :
+ ensure => present,
+ provider => git,
+ source => $ferm::vcsrepo,
+ revision => $ferm::vcstag,
+ }
+ -> exec { 'make install':
+ cwd => $_source_path,
+ path => '/usr/sbin:/usr/bin:/sbin:/bin',
+ creates => '/usr/sbin/ferm',
+ }
+ -> file { '/etc/ferm':
+ ensure => directory,
+ owner => 0,
+ group => 0,
+ mode => '0700',
+ }
+ }
+ default: {
+ fail("unexpected install_method ${ferm::install_method}")
+ }
}
if $ferm::manage_initfile {
}
# on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
- if ($facts['os']['name'] in ['Ubuntu', 'Debian']) {
+ if ($facts['os']['name'] in ['Ubuntu', 'Debian']) and ($ferm::install_method == 'package') {
file_line{'enable_ferm':
path => '/etc/default/ferm',
line => 'ENABLED="yes"',
{
"name": "puppetlabs/stdlib",
"version_requirement": ">= 4.25.0 < 7.0.0"
+ },
+ {
+ "name": "puppetlabs/vcsrepo",
+ "version_requirement": ">= 3.0.0 < 4.0.0"
+ },
+ {
+ "name": "camptocamp-systemd",
+ "version_requirement": ">= 2.9.0 < 3.0.0"
}
],
"operatingsystem_support": [
iptables_output_custom = ['-A FORWARD -s 10.8.0.0/24 -p udp -m comment --comment "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES" -j OPENVPN_FORWORD_RULES',
'-A OPENVPN_FORWORD_RULES -s 10.8.0.0/24 -i tun0 -o enp4s0 -p udp -m conntrack --ctstate NEW -j ACCEPT']
+# When `install_method` is `vcsrepo` with `vcstag` >= `v2.5` ferm call "legacy"
+# xtables tools because nft based tools are incompatible.
+iptables_save_cmd = case sut_os
+ when 'Debian-10'
+ 'iptables-legacy-save'
+ else
+ 'iptables-save'
+ end
+
basic_manifest = %(
class { 'ferm':
manage_service => true,
},
},
ip_versions => ['ip'], #only ipv4 available with CI
- }
)
describe 'ferm' do
- context 'with basics settings' do
- pp = basic_manifest
+ context 'with basics settings and vcsrepo install_method' do
+ pp = [basic_manifest, "install_method => 'vcsrepo',}"].join("\n")
+
+ it 'works with no error' do
+ apply_manifest(pp, catch_failures: true)
+ end
+ it 'works idempotently' do
+ apply_manifest(pp, catch_changes: true)
+ end
+
+ describe package('ferm') do
+ it { is_expected.not_to be_installed }
+ end
+
+ describe service('ferm') do
+ it { is_expected.to be_running }
+ end
+
+ describe command("#{iptables_save_cmd} -t filter") do
+ its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m }
+ its(:stdout) { is_expected.not_to match %r{state INVALID -j DROP} }
+ its(:stdout) { is_expected.to match %r{allow_acceptance_tests.*-j ACCEPT}m }
+ end
+ end
+
+ context 'with basics settings and default install_method' do
+ pp = [basic_manifest, '}'].join("\n")
it 'works with no error' do
apply_manifest(pp, catch_failures: true)
require => Ferm::Chain['check-http'],
}
)
- pp = [basic_manifest, advanced_manifest].join("\n")
+ pp = [basic_manifest, '}', advanced_manifest].join("\n")
it 'works with no error' do
apply_manifest(pp, catch_failures: true)
proto => 'udp',
}
)
- pp = [basic_manifest, advanced_manifest].join("\n")
+
+ pp = [basic_manifest, '}', advanced_manifest].join("\n")
it 'works with no error' do
apply_manifest(pp, catch_failures: true)
--- /dev/null
+# THIS SNIPPET IS MANAGED BY PUPPET
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/ferm <%= $ferm::configfile %>
+ExecStop=
+ExecStop=/usr/sbin/ferm -F <%= $ferm::configfile %>
projects / puppet-ferm.git / commitdiff