}
```
+##### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.
+
+```puppet
+$my_rules = @(EOT)
+chain OPENVPN_FORWORD_RULES {
+ proto udp {
+ interface tun0 {
+ outerface enp4s0 {
+ mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+ }
+ }
+ }
+}
+| EOT
+
+ferm::chain{'OPENVPN_FORWORD_RULES':
+ chain => 'OPENVPN_FORWORD_RULES',
+ content => $my_rules,
+}
+
+ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+ chain => 'FORWARD',
+ action => 'OPENVPN_FORWORD_RULES',
+ saddr => '10.8.0.0/24',
+ proto => 'udp',
+}
+```
+
#### Parameters
The following parameters are available in the `ferm::chain` defined type.
Default value: $ferm::ip_versions
+##### `content`
+
+Data type: `Optional[String]`
+
+Can only be used for custom chains. It allows you to provide your own ferm rules for this chain. Sets the contents of this custom chain to provided value.
+
+Default value: undef
+
### ferm::ipset
a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets.
String[1] $chain = $name,
Optional[Ferm::Policies] $policy = undef,
Ferm::Tables $table = 'filter',
- Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions,
+ Array[Enum['ip', 'ip6']] $ip_versions = $ferm::ip_versions,
+ Optional[String[1]] $content = undef,
) {
# prevent unmanaged files due to new naming schema
# keep the default "filter" chains in the original location
'filter' => ['INPUT', 'FORWARD', 'OUTPUT'],
}
- if $policy and ! ($chain in $builtin_chains[$table]) {
+ if $policy and !($chain in $builtin_chains[$table]) {
fail("Can only set a default policy for builtin chains. '${chain}' is not a builtin chain.")
}
# concat resource for the chain
- concat{$filename:
- ensure => 'present',
+ concat { $filename:
+ ensure => 'present',
}
- concat::fragment{"${table}-${chain}-policy":
- target => $filename,
- content => epp(
- "${module_name}/ferm_chain_header.conf.epp", {
- 'policy' => $policy,
- 'disable_conntrack' => $disable_conntrack,
- 'drop_invalid_packets_with_conntrack' => $drop_invalid_packets_with_conntrack,
- }
- ),
- order => '01',
- }
-
- if $log_dropped_packets {
- concat::fragment{"${table}-${chain}-footer":
+ if $content {
+ concat::fragment { "${table}-${chain}-custom-content":
target => $filename,
- content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
- order => 'zzzzzzzzzzzzzzzzzzzzz',
+ content => epp(
+ "${module_name}/ferm_chain_custom.conf.epp", {
+ 'content' => $content,
+ },
+ ),
+ }
+ } else {
+ concat::fragment { "${table}-${chain}-policy":
+ target => $filename,
+ content => epp(
+ "${module_name}/ferm_chain_header.conf.epp", {
+ 'policy' => $policy,
+ 'disable_conntrack' => $disable_conntrack,
+ 'drop_invalid_packets_with_conntrack' => $drop_invalid_packets_with_conntrack,
+ }
+ ),
+ order => '01',
+ }
+
+ if $log_dropped_packets {
+ concat::fragment { "${table}-${chain}-footer":
+ target => $filename,
+ content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
+ order => 'zzzzzzzzzzzzzzzzzzzzz',
+ }
}
}
# This happens if we add ipset matches. We suffix this ordering with `bbb`. This allows us to
# insert ipset matches before other rules by adding `-aaa` or
# insert them at the end by ordering them with `-ccc`.
- concat::fragment{"${table}-${chain}-config-include":
+ concat::fragment { "${table}-${chain}-config-include":
target => $ferm::configfile,
content => epp(
"${module_name}/ferm-table-chain-config-include.epp", {
'-A HTTP -s 127.0.0.1/32 -p tcp -m comment --comment ["]*allow_http_localhost["]* -m tcp --dport 80 -j ACCEPT'
]
end
+
+iptables_output_custom = ['-A FORWARD -s 10.8.0.0/24 -p udp -m comment --comment "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES" -j OPENVPN_FORWORD_RULES',
+ '-A OPENVPN_FORWORD_RULES -s 10.8.0.0/24 -i tun0 -o enp4s0 -p udp -m conntrack --ctstate NEW -j ACCEPT']
+
basic_manifest = %(
class { 'ferm':
manage_service => true,
end
end
- context 'with dropping INVALID pakets' do
+ context 'with dropping INVALID packets' do
pp2 = %(
class { 'ferm':
manage_service => true,
end
end
end
+
+ context 'with custom chain using ferm DSL as content' do
+ advanced_manifest = %(
+ $my_rules = @(EOT)
+ chain OPENVPN_FORWORD_RULES {
+ proto udp {
+ interface tun0 {
+ outerface enp4s0 {
+ mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
+ }
+ }
+ }
+ }
+ | EOT
+
+ ferm::chain{'OPENVPN_FORWORD_RULES':
+ chain => 'OPENVPN_FORWORD_RULES',
+ content => $my_rules,
+ }
+
+ ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
+ chain => 'FORWARD',
+ action => 'OPENVPN_FORWORD_RULES',
+ saddr => '10.8.0.0/24',
+ proto => 'udp',
+ }
+ )
+ pp = [basic_manifest, advanced_manifest].join("\n")
+
+ it 'works with no error' do
+ apply_manifest(pp, catch_failures: true)
+ end
+ it 'works idempotently' do
+ apply_manifest(pp, catch_changes: true)
+ end
+
+ describe iptables do
+ it do
+ is_expected.to have_rule(iptables_output_custom[0]). \
+ with_table('filter'). \
+ with_chain('FORWARD')
+ end
+ it do
+ is_expected.to have_rule(iptables_output_custom[1]). \
+ with_table('filter'). \
+ with_chain('OPENVPN_FORWORD_RULES')
+ end
+ end
+
+ describe service('ferm') do
+ it { is_expected.to be_running }
+ end
+
+ describe command('iptables-save') do
+ its(:stdout) { is_expected.to match %r{FORWARD.*-j OPENVPN_FORWORD_RULES} }
+ end
+ end
end
it { is_expected.to compile.and_raise_error(%r{Can only set a default policy for builtin chains}) }
end
+
+ context 'with custom chain FERM-DSL using content parameter' do
+ let(:title) { 'FERM-DSL' }
+ let :params do
+ {
+ content: 'mod rpfilter invert DROP;'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('filter-FERM-DSL-config-include') }
+ it do
+ is_expected.to contain_concat__fragment('filter-FERM-DSL-custom-content'). \
+ with_content(%r{mod rpfilter invert DROP;})
+ end
+ it do
+ is_expected.not_to contain_concat__fragment('filter-FERM-DSL-policy')
+ end
+ it do
+ is_expected.not_to contain_concat__fragment('filter-FERM-DSL-footer')
+ end
+ if facts[:os]['name'] == 'Debian'
+ it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/filter-FERM-DSL.conf') }
+ else
+ it { is_expected.to contain_concat('/etc/ferm.d/chains/filter-FERM-DSL.conf') }
+ end
+ it { is_expected.to contain_ferm__chain('FERM-DSL') }
+ end
end
end
end
--- /dev/null
+<%- | String[1] $content,
+| -%>
+# THIS FILE IS MANAGED BY PUPPET
+<%= $content %>
projects / puppet-ferm.git / commitdiff