# @summary This class handles the configuration file. Avoid modifying private classes.
#
class ferm::config {
-
# this is a private class
assert_private("You're not supposed to do that!")
# copy static files to ferm
# on a long term point of view, we want to package this
- file{$ferm::configdirectory:
+ file { $ferm::configdirectory:
ensure => 'directory',
}
- -> file{"${ferm::configdirectory}/definitions":
+ -> file { "${ferm::configdirectory}/definitions":
ensure => 'directory',
}
- -> file{"${ferm::configdirectory}/chains":
+ -> file { "${ferm::configdirectory}/chains":
ensure => 'directory',
}
if $ferm::manage_configfile {
- concat{$ferm::configfile:
+ concat { $ferm::configfile:
ensure => 'present',
}
- concat::fragment{'ferm_header.conf':
+ concat::fragment { 'ferm_header.conf':
target => $ferm::configfile,
- content => epp("${module_name}/ferm_header.conf.epp", {'configdirectory' => $ferm::configdirectory}),
+ content => epp("${module_name}/ferm_header.conf.epp", { 'configdirectory' => $ferm::configdirectory }),
order => '01',
}
- concat::fragment{'ferm.conf':
+ concat::fragment { 'ferm.conf':
target => $ferm::configfile,
content => epp(
"${module_name}/ferm.conf.epp", {
'ip' => $_ip,
'configdirectory' => $ferm::configdirectory,
'preserve_chains_in_tables' => $ferm::preserve_chains_in_tables,
- }
+ }
),
order => '50',
}
}
- ferm::chain{'INPUT':
+ ferm::chain { 'INPUT':
policy => $ferm::input_policy,
disable_conntrack => $ferm::input_disable_conntrack,
log_dropped_packets => $ferm::input_log_dropped_packets,
drop_invalid_packets_with_conntrack => $ferm::input_drop_invalid_packets_with_conntrack,
}
- ferm::chain{'FORWARD':
+ ferm::chain { 'FORWARD':
policy => $ferm::forward_policy,
disable_conntrack => $ferm::forward_disable_conntrack,
log_dropped_packets => $ferm::forward_log_dropped_packets,
}
- ferm::chain{'OUTPUT':
+ ferm::chain { 'OUTPUT':
policy => $ferm::output_policy,
disable_conntrack => $ferm::output_disable_conntrack,
log_dropped_packets => $ferm::output_log_dropped_packets,
# initialize default tables and chains
['PREROUTING', 'OUTPUT'].each |$raw_chain| {
- ferm::chain{"raw-${raw_chain}":
+ ferm::chain { "raw-${raw_chain}":
chain => $raw_chain,
policy => 'ACCEPT',
disable_conntrack => true,
$domains = ['ip']
}
}
- ferm::chain{"nat-${nat_chain}":
+ ferm::chain { "nat-${nat_chain}":
chain => $nat_chain,
policy => 'ACCEPT',
disable_conntrack => true,
}
}
['PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING'].each |$mangle_chain| {
- ferm::chain{"mangle-${mangle_chain}":
+ ferm::chain { "mangle-${mangle_chain}":
chain => $mangle_chain,
policy => 'ACCEPT',
disable_conntrack => true,
~> Class['ferm::service']
$chains.each |$chainname, $attributes| {
- ferm::chain{$chainname:
+ ferm::chain { $chainname:
* => $attributes,
}
}
$rules.each |$rulename, $attributes| {
- ferm::rule{$rulename:
+ ferm::rule { $rulename:
* => $attributes,
}
}
# @summary This class handles the configuration file. Avoid modifying private classes.
#
class ferm::install {
-
# this is a private class
assert_private("You're not supposed to do that!")
case $ferm::install_method {
'package': {
- package{'ferm':
+ package { 'ferm':
ensure => 'latest',
}
}
$_source_path = '/opt/ferm'
ensure_packages (['git', 'iptables', 'perl', 'make'], { ensure => present })
- package{'ferm':
+ package { 'ferm':
ensure => absent,
}
-> vcsrepo { $_source_path :
if $ferm::manage_initfile {
if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '6') <= 0 {
- file{'/etc/init.d/ferm':
- ensure => 'present',
+ file { '/etc/init.d/ferm':
+ ensure => 'file',
mode => '0755',
source => "puppet:///modules/${module_name}/ferm",
}
Enum['ip','ip6'] $ip_version = 'ip',
Boolean $prepend_to_chain = true,
) {
-
$suffix = $prepend_to_chain ? {
true => 'aaa',
false => 'ccc',
}
# make sure the generated snippet is actually included
- concat::fragment{"${table}-${chain}-${name}":
+ concat::fragment { "${table}-${chain}-${name}":
target => $ferm::configfile,
content => epp(
"${module_name}/ferm-chain-ipset.epp", {
Optional[String[1]] $interface = undef,
Enum['absent','present'] $ensure = 'present',
Ferm::Tables $table = 'filter',
-){
-
+) {
if $policy and $action {
fail('Cannot specify both policy and action. Do not provide policy when using the new action param.')
} elsif $policy and ! $action {
fail('Exactly one of "action" or the deprecated "policy" param is required.')
}
- if $action_temp in ['RETURN', 'ACCEPT', 'DROP', 'REJECT', 'NOTRACK', 'LOG',
- 'MARK', 'DNAT', 'SNAT', 'MASQUERADE', 'REDIRECT'] {
+ if $action_temp in ['RETURN', 'ACCEPT', 'DROP', 'REJECT', 'NOTRACK', 'LOG', 'MARK', 'DNAT', 'SNAT', 'MASQUERADE', 'REDIRECT'] {
$action_real = $action_temp
} else {
# assume the action contains a target chain, so prefix it with the "jump" statement
String => "proto ${proto}",
}
-
if $dport =~ Array {
$dports = join($dport, ' ')
$dport_real = "mod multiport destination-ports (${dports})"
$upper = Integer($portrange[1])
assert_type(Tuple[Stdlib::Port, Stdlib::Port], [$lower, $upper]) |$expected, $actual| {
fail("The data type should be \'${expected}\', not \'${actual}\'. The data is [${lower}, ${upper}])}.")
- ''
+ ''
}
if $lower > $upper {
fail("Lower port number of the port range is larger than upper. ${lower}:${upper}")
$upper = Integer($portrange[1])
assert_type(Tuple[Stdlib::Port, Stdlib::Port], [$lower, $upper]) |$expected, $actual| {
fail("The data type should be \'${expected}\', not \'${actual}\'. The data is [${lower}, ${upper}])}.")
- ''
+ ''
}
if $lower > $upper {
fail("Lower port number of the port range is larger than upper. ${lower}:${upper}")
fail("invalid source-port: ${sport}")
}
-
if $saddr =~ Array {
assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| {
fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." )
- ''
+ ''
}
}
$saddr_real = $saddr ? {
if $daddr =~ Array {
assert_type(Array[Stdlib::IP::Address], flatten($daddr)) |$expected, $actual| {
fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($daddr)}." )
- ''
+ ''
}
}
$daddr_real = $daddr ? {
default => '',
}
$proto_options_real = $proto_options ? {
- undef => '',
+ undef => '',
default => $proto_options
}
$comment_real = "mod comment comment '${comment}'"
if $ensure == 'present' {
if $interface {
unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) {
- concat::fragment{"${chain}-${interface}-aaa":
+ concat::fragment { "${chain}-${interface}-aaa":
target => $filename,
content => "interface ${interface} {\n",
order => $interface,
}
}
- concat::fragment{"${chain}-${interface}-${name}":
+ concat::fragment { "${chain}-${interface}-${name}":
target => $filename,
content => " ${rule}\n",
order => $interface,
}
unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) {
- concat::fragment{"${chain}-${interface}-zzz":
+ concat::fragment { "${chain}-${interface}-zzz":
target => $filename,
content => "}\n",
order => $interface,
}
}
} else {
- concat::fragment{"${chain}-${name}":
+ concat::fragment { "${chain}-${name}":
target => $filename,
content => "${rule}\n",
}
# @summary This class handles the configuration file. Avoid modifying private classes.
#
class ferm::service {
-
# this is a private class
assert_private("You're not supposed to do that!")
if $ferm::manage_service {
- service{'ferm':
+ service { 'ferm':
ensure => 'running',
enable => true,
}
# on Ubuntu, we can't start the service, unless we set ENABLED=true in /etc/default/ferm...
if ($facts['os']['name'] in ['Ubuntu', 'Debian']) and ($ferm::install_method == 'package') {
- file_line{'enable_ferm':
+ file_line { 'enable_ferm':
path => '/etc/default/ferm',
line => 'ENABLED="yes"',
match => 'ENABLED=',
notify => Service['ferm'],
}
- file_line{'disable_ferm_cache':
+ file_line { 'disable_ferm_cache':
path => '/etc/default/ferm',
line => 'CACHE="no"',
match => 'CACHE=',
projects / puppet-ferm.git / commitdiff