allow preserving of chains in tables

diff --git a/REFERENCE.md b/REFERENCE.md
index 44d7034c8645ea8542bc41d8b395db400ba1627b..39ba310c68e80acb6fb47d62901258adf4dfafaf 100644 (file)
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -7,7 +7,7 @@
 
 _Public Classes_
 
-* [`ferm`](#ferm): Class: ferm  This class manages ferm installation and rule generation on modern linux systems  class{'ferm':   manage_service => true,   ip_v
+* [`ferm`](#ferm): This class manages ferm installation and rule generation on modern linux systems
 
 _Private Classes_
 
@@ -31,19 +31,38 @@ _Private Classes_
 
 Class: ferm
 
-This class manages ferm installation and rule generation on modern linux systems
+#### Examples
 
-class{'ferm':
-  manage_service => true,
-  ip_versions    =>  ['ip6'],
-}
+##### deploy ferm without any configured rules, but also don't start the service or modify existing config files
 
-#### Examples
+```puppet
+include ferm
+```
 
-##### deploy ferm and start it, on node with only ipv6 enabled
+##### deploy ferm and start it, on nodes with only ipv6 enabled
 
 ```puppet
+class{'ferm':
+  manage_service  => true,
+  ip_versions     => ['ip6'],
+}
+```
 
+##### deploy ferm and don't touch chains from other software, like fail2ban and docker
+
+```puppet
+class{'ferm':
+  manage_service            => true,
+  preserve_chains_in_tables => {
+    'filter' => [
+      'f2b-sshd',
+      'DOCKER',
+      'DOCKER-ISOLATION-STAGE-1',
+      'DOCKER-ISOLATION-STAGE-2',
+      'DOCKER-USER',
+    ]
+  }
+}
 ```
 
 #### Parameters
@@ -161,6 +180,15 @@ Data type: `Array[Enum['ip','ip6']]`
 Set list of versions of ip we want ot use.
 Default value: ['ip', 'ip6']
 
+##### `preserve_chains_in_tables`
+
+Data type: `Hash[String[1],Array[String[1]]]`
+
+Hash with table:chains[] to use ferm @preserve for
+Default value: Empty Hash
+Allowed values: Hash with a list of tables and chains in it to preserve
+Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
+
 ## Defined types
 
 ### ferm::chain

diff --git a/data/common.yaml b/data/common.yaml
index e68d41a4b3668ec43972044d33fc1f3685d4e536..d40c155dc4929c2a5a0f4aadab7b1a3930944ca7 100644 (file)
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -8,6 +8,7 @@ ferm::configdirectory: /etc/ferm.d
 ferm::input_policy: DROP
 ferm::forward_policy: DROP
 ferm::output_policy: ACCEPT
+ferm::preserve_chains_in_tables: {}
 ferm::rules: {}
 ferm::input_log_dropped_packets: false
 ferm::forward_log_dropped_packets: false

diff --git a/manifests/config.pp b/manifests/config.pp
index 88fff15bc54b5b64c9a942c3de9c3fc3ef3c5c60..25607ad9ff6bc74e01f530e751795418b8d76ee7 100644 (file)
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -33,8 +33,9 @@ class ferm::config {
       target  => $ferm::configfile,
       content => epp(
         "${module_name}/ferm.conf.epp", {
-          'ip'              => $_ip,
-          'configdirectory' => $ferm::configdirectory,
+          'ip'                        => $_ip,
+          'configdirectory'           => $ferm::configdirectory,
+          'preserve_chains_in_tables' => $ferm::preserve_chains_in_tables,
           }
       ),
       order   => '50',

diff --git a/manifests/init.pp b/manifests/init.pp
index f1f9aa9c09bf83dbca2a3425083f06f07a571770..221e1487a0463e909b9524a5a81e9b53e0e2bd87 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,12 +1,29 @@
 # Class: ferm
 #
-# This class manages ferm installation and rule generation on modern linux systems
+# @summary This class manages ferm installation and rule generation on modern linux systems
 #
-# @example deploy ferm and start it, on node with only ipv6 enabled
-# class{'ferm':
-#   manage_service => true,
-#   ip_versions    =>  ['ip6'],
-# }
+# @example deploy ferm without any configured rules, but also don't start the service or modify existing config files
+#   include ferm
+#
+# @example deploy ferm and start it, on nodes with only ipv6 enabled
+#   class{'ferm':
+#     manage_service  => true,
+#     ip_versions     => ['ip6'],
+#   }
+#
+# @example deploy ferm and don't touch chains from other software, like fail2ban and docker
+#   class{'ferm':
+#     manage_service            => true,
+#     preserve_chains_in_tables => {
+#       'filter' => [
+#         'f2b-sshd',
+#         'DOCKER',
+#         'DOCKER-ISOLATION-STAGE-1',
+#         'DOCKER-ISOLATION-STAGE-2',
+#         'DOCKER-USER',
+#       ]
+#     }
+#   }
 #
 # @param manage_service Disable/Enable the management of the ferm daemon
 #   Default value: false
@@ -49,6 +66,10 @@
 #   Allowed values: (true|false)
 # @param ip_versions Set list of versions of ip we want ot use.
 #   Default value: ['ip', 'ip6']
+# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for
+#   Default value: Empty Hash
+#   Allowed values: Hash with a list of tables and chains in it to preserve
+#   Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
 class ferm (
   Boolean $manage_service,
   Boolean $manage_configfile,
@@ -64,6 +85,7 @@ class ferm (
   Boolean $input_log_dropped_packets,
   Hash $rules,
   Array[Enum['ip','ip6']] $ip_versions,
+  Hash[String[1],Array[String[1]]] $preserve_chains_in_tables,
 ) {
   contain ferm::install
   contain ferm::config

diff --git a/spec/classes/ferm_spec.rb b/spec/classes/ferm_spec.rb
index 55e67399f163eb72aa70db520330298f80fc95c3..e5669b8b860efee0f7755d1d0ed6ccfce3839415 100644 (file)
--- a/spec/classes/ferm_spec.rb
+++ b/spec/classes/ferm_spec.rb
@@ -59,6 +59,11 @@ describe 'ferm' do
         it { is_expected.to compile.with_all_deps }
         it { is_expected.to contain_concat__fragment('ferm_header.conf') }
         it { is_expected.to contain_concat__fragment('ferm.conf') }
+        # the following string exists only if we preserve chains
+        it do
+          is_expected.to contain_concat__fragment('ferm.conf'). \
+            without_content(%r{@preserve;})
+        end
       end
       context 'with managed initfile' do
         let :params do
@@ -88,6 +93,29 @@ describe 'ferm' do
         it { is_expected.to contain_ferm__chain('OUTPUT') }
         it { is_expected.to contain_ferm__chain('INPUT') }
       end
+
+      context 'it preserves chains' do
+        let :params do
+          {
+            manage_configfile: true,
+            preserve_chains_in_tables: { 'nat' => %w[PREROUTING POSTROUTING] }
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it do
+          is_expected.to contain_concat__fragment('ferm.conf'). \
+            with_content(%r{domain \(ip ip6\) table nat \{})
+        end
+        it do
+          is_expected.to contain_concat__fragment('ferm.conf'). \
+            with_content(%r{chain PREROUTING @preserve;})
+        end
+        it do
+          is_expected.to contain_concat__fragment('ferm.conf'). \
+            with_content(%r{chain POSTROUTING @preserve;})
+        end
+      end
     end
   end
 end

diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp
index b3aa0ce66c8661e291a17032142388b4adfe4648..0245a7066cebbe1f143f16bef7f43f9aa5aca160 100644 (file)
--- a/templates/ferm.conf.epp
+++ b/templates/ferm.conf.epp
@@ -1,8 +1,17 @@
 <%- | String[1] $ip,
 Stdlib::Absolutepath $configdirectory,
+Hash[String[1], Array[String[1]]] $preserve_chains_in_tables,
 | -%>
 # End custom section
 
+<%- $preserve_chains_in_tables.each |$table, $chains| { -%>
+domain (<%= $ip %>) table <%= $table %> {
+  <%- $chains.each |$chain| { -%>
+  chain <%= $chain %> @preserve;
+  <%- } -%>
+}
+<%- } -%>
+
 domain (<%= $ip %>) table filter {
   chain INPUT {
     interface lo ACCEPT;