Add Debian 10 support & make configdirectory configureable
authorTim Meusel <tim@bastelfreak.de>
Sat, 31 Aug 2019 18:28:27 +0000 (20:28 +0200)
committerTim Meusel <tim@bastelfreak.de>
Sun, 1 Sep 2019 10:08:54 +0000 (12:08 +0200)
14 files changed:
REFERENCE.md
data/Debian-10.yaml [new file with mode: 0644]
data/common.yaml
manifests/chain.pp
manifests/config.pp
manifests/init.pp
manifests/rule.pp
metadata.json
spec/classes/ferm_spec.rb
spec/defines/chain_spec.rb
spec/defines/rule_spec.rb
templates/ferm.conf.epp
templates/ferm_header.conf.epp
types/chains.pp [deleted file]

index daf137dd2f6f6d4a5298c59294a76b8dbffc0d31..44d7034c8645ea8542bc41d8b395db400ba1627b 100644 (file)
@@ -22,7 +22,6 @@ _Private Classes_
 
 **Data types**
 
-* [`Ferm::Chains`](#fermchains): a type that allows the default iptables chains
 * [`Ferm::Policies`](#fermpolicies): a list of allowed default policies for a chain
 * [`Ferm::Protocols`](#fermprotocols): a list of allowed protocolls to match
 
@@ -83,6 +82,14 @@ Path to the config file
 Default value: /etc/ferm.conf
 Allowed values: Stdlib::Absolutepath
 
+##### `configdirectory`
+
+Data type: `Stdlib::Absolutepath`
+
+Path to the directory where the module stores ferm configuration files
+Default value: /etc/ferm.d or /etc/ferm/ferm.d
+Allowed values: Stdlib::Absolutepath
+
 ##### `disable_conntrack`
 
 Data type: `Boolean`
@@ -178,7 +185,7 @@ Disable/Enable usage of conntrack
 
 ##### `chain`
 
-Data type: `Ferm::Chains`
+Data type: `String[1]`
 
 Name of the chain that should be managed
 
@@ -200,7 +207,7 @@ The following parameters are available in the `ferm::rule` defined type.
 
 ##### `chain`
 
-Data type: `Ferm::Chains`
+Data type: `String[1]`
 
 Configure the chain where we want to add the rule
 
@@ -282,12 +289,6 @@ Default value: 'present'
 
 ## Data types
 
-### Ferm::Chains
-
-a type that allows the default iptables chains
-
-Alias of `Enum['INPUT', 'FORWARD', 'OUTPUT']`
-
 ### Ferm::Policies
 
 a list of allowed default policies for a chain
diff --git a/data/Debian-10.yaml b/data/Debian-10.yaml
new file mode 100644 (file)
index 0000000..1bc29fc
--- /dev/null
@@ -0,0 +1,3 @@
+---
+ferm::configfile: /etc/ferm/ferm.conf
+ferm::configdirectory: /etc/ferm/ferm.d
index 5ab917150ae7d293c1ee512e89fde0c1ee415b68..e68d41a4b3668ec43972044d33fc1f3685d4e536 100644 (file)
@@ -4,6 +4,7 @@ ferm::manage_configfile: false
 ferm::manage_initfile: false
 ferm::disable_conntrack: false
 ferm::configfile: /etc/ferm.conf
+ferm::configdirectory: /etc/ferm.d
 ferm::input_policy: DROP
 ferm::forward_policy: DROP
 ferm::output_policy: ACCEPT
index 0a0071a5f60f25a2f9f802b14317c147ac0dd043..1198f62d1f06e96e66aa1b42f6cb80702f95b217 100644 (file)
@@ -7,17 +7,17 @@ define ferm::chain (
   Ferm::Policies $policy,
   Boolean $disable_conntrack,
   Boolean $log_dropped_packets,
-  Ferm::Chains $chain = $name,
+  String[1] $chain = $name,
 ) {
 
   # concat resource for the chain
   $filename = downcase($chain)
-  concat{"/etc/ferm.d/chains/${chain}.conf":
+  concat{"${ferm::configdirectory}/chains/${chain}.conf":
     ensure  => 'present',
   }
 
   concat::fragment{"${chain}-policy":
-    target  => "/etc/ferm.d/chains/${chain}.conf",
+    target  => "${ferm::configdirectory}/chains/${chain}.conf",
     content => epp(
       "${module_name}/ferm_chain_header.conf.epp", {
         'policy'            => $policy,
@@ -29,7 +29,7 @@ define ferm::chain (
 
   if $log_dropped_packets {
     concat::fragment{"${chain}-footer":
-      target  => "/etc/ferm.d/chains/${chain}.conf",
+      target  => "${ferm::configdirectory}/chains/${chain}.conf",
       content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
       order   => 'zzzzzzzzzzzzzzzzzzzzz',
     }
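Review bot: Relaxing `$chain` from `Ferm::Chains` to `String[1]` (L101) while still interpolating it into `"${ferm::configdirectory}/chains/${chain}.conf"` (L107, L113, L122) lets a title containing `/` or `..` place the concat resource outside the chains directory, something the enum previously ruled out; the `chain` parameter of `ferm::rule` in manifests/rule.pp has the same shape. A pattern type keeps the new freedom to name custom chains without admitting path separators, e.g. `Pattern[/\A[A-Za-z0-9_-]+\z/] $chain = $name,`. The define now also reads `$ferm::configdirectory`, which only resolves once class `ferm` has been evaluated; the specs add `include ferm` as a pre_condition, but nothing in the define itself declares that dependency, so an `include ferm` at the top of the body (or a sentence in the `@param` docs) would make it explicit. Dropping the `Ferm::Chains` alias is additionally a breaking change for any manifest that references the type directly. The body of `ferm::chain` continues outside the hunk.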
index 23ed3905cd9eced967efb219892b627e12330dba..88fff15bc54b5b64c9a942c3de9c3fc3ef3c5c60 100644 (file)
@@ -9,13 +9,13 @@ class ferm::config {
 
   # copy static files to ferm
   # on a long term point of view, we want to package this
-  file{'/etc/ferm.d':
+  file{$ferm::configdirectory:
     ensure => 'directory',
   }
-  -> file{'/etc/ferm.d/definitions':
+  -> file{"${ferm::configdirectory}/definitions":
     ensure => 'directory',
   }
-  -> file{'/etc/ferm.d/chains':
+  -> file{"${ferm::configdirectory}/chains":
     ensure => 'directory',
   }
 
@@ -25,7 +25,7 @@ class ferm::config {
     }
     concat::fragment{'ferm_header.conf':
       target  => $ferm::configfile,
-      content => epp("${module_name}/ferm_header.conf.epp"),
+      content => epp("${module_name}/ferm_header.conf.epp", {'configdirectory' => $ferm::configdirectory}),
       order   => '01',
     }
 
@@ -33,7 +33,8 @@ class ferm::config {
       target  => $ferm::configfile,
       content => epp(
         "${module_name}/ferm.conf.epp", {
-          'ip' => $_ip,
+          'ip'              => $_ip,
+          'configdirectory' => $ferm::configdirectory,
           }
       ),
       order   => '50',
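Review bot: The hash passed to `epp()` at L149 is written inline while the one at L157-L159 is multi-line with aligned arrows; the two calls sit in the same class, so `content => epp("${module_name}/ferm_header.conf.epp", { 'configdirectory' => $ferm::configdirectory })` spaced like the second call, or both in the multi-line form, would keep them consistent. The Debian 10 default `/etc/ferm/ferm.d` (from data/Debian-10.yaml) now lives under `/etc/ferm`, which `file{$ferm::configdirectory:}` at L132 does not create; presumably the ferm package provides it, and a comment such as `# parent of $ferm::configdirectory is expected to exist (shipped by the package)` would record that assumption. Class `ferm::config` continues outside the hunks.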
index b70d56d643764e75d9ddc7c74b56fbd434b802ef..f1f9aa9c09bf83dbca2a3425083f06f07a571770 100644 (file)
@@ -20,6 +20,9 @@
 # @param configfile Path to the config file
 #   Default value: /etc/ferm.conf
 #   Allowed values: Stdlib::Absolutepath
+# @param configdirectory Path to the directory where the module stores ferm configuration files
+#   Default value: /etc/ferm.d or /etc/ferm/ferm.d
+#   Allowed values: Stdlib::Absolutepath
 # @param disable_conntrack Disable/Enable the generation of conntrack rules
 #   Default value: false
 #   Allowed values: (true|false)
@@ -51,6 +54,7 @@ class ferm (
   Boolean $manage_configfile,
   Boolean $manage_initfile,
   Stdlib::Absolutepath $configfile,
+  Stdlib::Absolutepath $configdirectory,
   Boolean $disable_conntrack,
   Ferm::Policies $forward_policy,
   Ferm::Policies $output_policy,
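Review bot: The `@param configdirectory` doc (L168-L170) lists two defaults without saying which applies where; the value comes from the module's hiera data (data/common.yaml gives `/etc/ferm.d`, data/Debian-10.yaml gives `/etc/ferm/ferm.d`), so the comment should say so, e.g. `#   Default value: /etc/ferm.d (Debian 10: /etc/ferm/ferm.d, set in data/)`. It would also help a reader to state that `ferm::chain` and `ferm::rule` build their concat targets beneath this directory, since that is what makes the parameter module-wide rather than a detail of `ferm::config`. The parameter list of class `ferm` continues outside the hunk.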
index bd172455523f730db7f5dc5092b88c431291e008..68e88a2025014a173a0567d42aa692627dcfc98f 100644 (file)
@@ -11,7 +11,7 @@
 # @param interface an Optional interface where this rule should be applied
 # @param ensure Set the rule to present or absent
 define ferm::rule (
-  Ferm::Chains $chain,
+  String[1] $chain,
   Ferm::Policies $policy,
   Ferm::Protocols $proto,
   String $comment = $name,
@@ -68,28 +68,28 @@ define ferm::rule (
     if $interface {
       unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) {
         concat::fragment{"${chain}-${interface}-aaa":
-          target  => "/etc/ferm.d/chains/${chain}.conf",
+          target  => "${ferm::configdirectory}/chains/${chain}.conf",
           content => "interface ${interface} {\n",
           order   => $interface,
         }
       }
 
       concat::fragment{"${chain}-${interface}-${name}":
-        target  => "/etc/ferm.d/chains/${chain}.conf",
+        target  => "${ferm::configdirectory}/chains/${chain}.conf",
         content => "  ${rule}\n",
         order   => $interface,
       }
 
       unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) {
         concat::fragment{"${chain}-${interface}-zzz":
-          target  => "/etc/ferm.d/chains/${chain}.conf",
+          target  => "${ferm::configdirectory}/chains/${chain}.conf",
           content => "}\n",
           order   => $interface,
         }
       }
     } else {
       concat::fragment{"${chain}-${name}":
-        target  => "/etc/ferm.d/chains/${chain}.conf",
+        target  => "${ferm::configdirectory}/chains/${chain}.conf",
         content => "${rule}\n",
       }
     }
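Review bot: With `$chain` now `String[1]` (L188), a rule can name a chain for which no `ferm::chain` resource exists, yet every fragment in the second hunk targets `"${ferm::configdirectory}/chains/${chain}.conf"`, a concat resource that only `ferm::chain` declares; such a catalog presumably fails inside concat rather than with a message that points at the rule. A `defined(Ferm::Chain[$chain])` guard would be parse-order dependent, so the safer improvement is the documentation: the `@param chain` line above the hunk should read `# @param chain the chain to add the rule to; must be managed by a ferm::chain resource with the same title`. The body of `ferm::rule` starts before the second hunk and continues after it.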
index 44f90c47194f34876c9f19ee4d8aa8c53a2a9249..ec6d3cf5a73c64ef6d9887b75e4e419d05fdbb65 100644 (file)
@@ -36,7 +36,8 @@
       "operatingsystem": "Debian",
       "operatingsystemrelease": [
         "8",
-        "9"
+        "9",
+        "10"
       ]
     },
     {
index aebcaae0d2c9ee3f57375f9a9cd076cbb66e4910..55e67399f163eb72aa70db520330298f80fc95c3 100644 (file)
@@ -17,9 +17,16 @@ describe 'ferm' do
         it { is_expected.to contain_class('ferm::service') }
         it { is_expected.to contain_class('ferm::install') }
         it { is_expected.to contain_package('ferm') }
-        it { is_expected.to contain_file('/etc/ferm.d') }
-        it { is_expected.to contain_file('/etc/ferm.d/definitions') }
-        it { is_expected.to contain_file('/etc/ferm.d/chains') }
+        if facts[:os]['release']['major'].to_i == 10
+          it { is_expected.to contain_file('/etc/ferm/ferm.d') }
+          it { is_expected.to contain_file('/etc/ferm/ferm.d/definitions') }
+          it { is_expected.to contain_file('/etc/ferm/ferm.d/chains') }
+        else
+          it { is_expected.to contain_file('/etc/ferm.d') }
+          it { is_expected.to contain_file('/etc/ferm.d/definitions') }
+          it { is_expected.to contain_file('/etc/ferm.d/chains') }
+        end
+
         it { is_expected.not_to contain_service('ferm') }
         it { is_expected.not_to contain_file('/etc/ferm.conf') }
         if facts[:os]['family'] == 'RedHat' && facts[:os]['release']['major'].to_i <= 6
@@ -44,7 +51,7 @@ describe 'ferm' do
           { manage_configfile: true }
         end
 
-        if facts[:os]['name'] == 'Ubuntu'
+        if facts[:os]['name'] == 'Ubuntu' || facts[:os]['release']['major'].to_i == 10
           it { is_expected.to contain_concat('/etc/ferm/ferm.conf') }
         else
           it { is_expected.to contain_concat('/etc/ferm.conf') }
@@ -68,9 +75,15 @@ describe 'ferm' do
         it { is_expected.to contain_concat__fragment('FORWARD-policy') }
         it { is_expected.to contain_concat__fragment('INPUT-policy') }
         it { is_expected.to contain_concat__fragment('OUTPUT-policy') }
-        it { is_expected.to contain_concat('/etc/ferm.d/chains/FORWARD.conf') }
-        it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
-        it { is_expected.to contain_concat('/etc/ferm.d/chains/OUTPUT.conf') }
+        if facts[:os]['release']['major'].to_i == 10
+          it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/FORWARD.conf') }
+          it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/INPUT.conf') }
+          it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/OUTPUT.conf') }
+        else
+          it { is_expected.to contain_concat('/etc/ferm.d/chains/FORWARD.conf') }
+          it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
+          it { is_expected.to contain_concat('/etc/ferm.d/chains/OUTPUT.conf') }
+        end
         it { is_expected.to contain_ferm__chain('FORWARD') }
         it { is_expected.to contain_ferm__chain('OUTPUT') }
         it { is_expected.to contain_ferm__chain('INPUT') }
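Review bot: The new branches key on `facts[:os]['release']['major'].to_i == 10` alone (L244, L262, L273), so any supported OS whose major release happens to be 10 is asserted against the Debian 10 paths, although only data/Debian-10.yaml sets them in this commit; the same bare check appears in spec/defines/chain_spec.rb at L316. Qualifying it with the OS name and computing the path once removes both the risk and the three duplicated `if/else` blocks: `configdirectory = facts[:os]['name'] == 'Debian' && facts[:os]['release']['major'].to_i == 10 ? '/etc/ferm/ferm.d' : '/etc/ferm.d'`, after which each example becomes e.g. `it { is_expected.to contain_file("#{configdirectory}/chains") }`. The L262 condition mixes the config-file default into the same version test and would benefit from the same treatment. The enclosing `describe` continues outside the hunks.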
index d3ab857ecab8f16b5d19dc5d2b8c1940d00ab441..94258215d0bde8c299e6f2a9c299df6faad314bb 100644 (file)
@@ -6,9 +6,13 @@ describe 'ferm::chain', type: :define do
       let :facts do
         facts
       end
-      let(:title) { 'INPUT' }
+      let(:title) { 'INPUT2' }
 
-      context 'default params creates INPUT chain' do
+      let :pre_condition do
+        'include ferm'
+      end
+
+      context 'default params creates INPUT2 chain' do
         let :params do
           {
             policy: 'DROP',
@@ -19,15 +23,19 @@ describe 'ferm::chain', type: :define do
 
         it { is_expected.to compile.with_all_deps }
         it do
-          is_expected.to contain_concat__fragment('INPUT-policy'). \
+          is_expected.to contain_concat__fragment('INPUT2-policy'). \
             with_content(%r{ESTABLISHED RELATED})
         end
         it do
-          is_expected.to contain_concat__fragment('INPUT-footer'). \
-            with_content(%r{LOG log-prefix 'INPUT: ';})
+          is_expected.to contain_concat__fragment('INPUT2-footer'). \
+            with_content(%r{LOG log-prefix 'INPUT2: ';})
+        end
+        if facts[:os]['release']['major'].to_i == 10
+          it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/INPUT2.conf') }
+        else
+          it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT2.conf') }
         end
-        it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
-        it { is_expected.to contain_ferm__chain('INPUT') }
+        it { is_expected.to contain_ferm__chain('INPUT2') }
       end
 
       context 'without conntrack' do
@@ -41,13 +49,13 @@ describe 'ferm::chain', type: :define do
 
         it { is_expected.to compile.with_all_deps }
         it do
-          is_expected.to contain_concat__fragment('INPUT-policy')
-          is_expected.not_to contain_concat__fragment('INPUT-policy'). \
+          is_expected.to contain_concat__fragment('INPUT2-policy')
+          is_expected.not_to contain_concat__fragment('INPUT2-policy'). \
             with_content(%r{ESTABLISHED RELATED})
         end
         it do
-          is_expected.not_to contain_concat__fragment('INPUT-footer'). \
-            with_content(%r{LOG log-prefix 'INPUT: ';})
+          is_expected.not_to contain_concat__fragment('INPUT2-footer'). \
+            with_content(%r{LOG log-prefix 'INPUT2: ';})
         end
       end
     end
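Review bot: The title change from `INPUT` to `INPUT2` (L291, L298, and the renamed fragments below) carries no explanation in the file; since the new `pre_condition` includes class `ferm`, which presumably already declares the default chains, a comment next to `let(:title)` such as `# 'include ferm' already declares INPUT, so use a chain name that does not collide` would keep the next reader from reverting it. The `describe` block continues outside the hunks.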
index 3ee55763f69aa7a0b2f560aec797aab72c578224..1bec758ec77d9131c802dfdcdaee330c1122fd0a 100644 (file)
@@ -7,6 +7,10 @@ describe 'ferm::rule', type: :define do
         facts
       end
 
+      let :pre_condition do
+        'include ferm'
+      end
+
       context 'without a specific interface' do
         let(:title) { 'filter-ssh' }
         let :params do
index 37afca09fe5f79f20c4b15536d46b9d59fd4581e..b3aa0ce66c8661e291a17032142388b4adfe4648 100644 (file)
@@ -1,17 +1,19 @@
-<%- | String[1] $ip | -%>
+<%- | String[1] $ip,
+Stdlib::Absolutepath $configdirectory,
+| -%>
 # End custom section
 
 domain (<%= $ip %>) table filter {
   chain INPUT {
     interface lo ACCEPT;
-    @include '/etc/ferm.d/chains/INPUT.conf';
+    @include '<%= $configdirectory %>/chains/INPUT.conf';
   }
 
   chain OUTPUT {
-    @include '/etc/ferm.d/chains/OUTPUT.conf';
+    @include '<%= $configdirectory %>/chains/OUTPUT.conf';
   }
 
   chain FORWARD {
-    @include '/etc/ferm.d/chains/FORWARD.conf';
+    @include '<%= $configdirectory %>/chains/FORWARD.conf';
   }
 }
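Review bot: The parameter list continuation (L361-L362) is written at column 0 with the closing `| -%>` on its own line, which reads as if the header ended at L360; a single line, `<%- | String[1] $ip, Stdlib::Absolutepath $configdirectory | -%>`, keeps the epp header recognisable at a glance. The `@include` lines quote the path with single quotes, and `Stdlib::Absolutepath` does not exclude a `'` in the path, so a value containing one would yield an unparseable ferm config; that is acceptable for an operator-supplied path but worth a sentence in the `@param configdirectory` doc.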
index 66922d73d6413c3811f89428993bea55ca092047..e1a1f1a1c580e7bf311122146eca32cd056c8e57 100644 (file)
@@ -1,8 +1,9 @@
+<%- | Stdlib::Absolutepath $configdirectory | -%>
 # Currently managed by Puppet
 # Author: Tim Meusel <tim@bastelfreak.de>
 #
 
 # get all ip definitions
-@include '/etc/ferm.d/definitions/';
+@include '<%= $configdirectory %>/definitions/';
 
 # Begin custom section
diff --git a/types/chains.pp b/types/chains.pp
deleted file mode 100644 (file)
index e916359..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-# @summary a type that allows the default iptables chains
-type Ferm::Chains = Enum['INPUT', 'FORWARD', 'OUTPUT']