code clean-up

1f530aea · Max Adamo · e15e71e4 · 1f530aea · 1f530aea · 1f530aea
Unverified Commit 1f530aea authored 2 years ago by Max Adamo
--- a/manifests/chains.pp
+++ b/manifests/chains.pp
@@ -12,54 +12,67 @@
 # === Examples
 #
 class fw_builder::chains (
-  $ipv4_enable,
-  $ipv6_enable
+  $ipv4_enable = $fw_builder::params::ipv4_enable,
+  $ipv6_enable = $fw_builder::params::ipv6_enable
 ) {

  assert_private()

-  if ($ipv4_enable) {
-    ['udp', 'tcp', 'trust', 'public'].each | $chain | {
-      firewallchain { "INPUT_${chain}:filter:IPv4":
-        ensure  => present;
-      }
+  $fw_builder::ip_proto_array.each | String $provider | {
+    $trusted_net = $provider ? {
+      'iptables' => 'trusted_networks_v4',
+      'ip6tables' => 'trusted_networks_v6',
+    }
+    $icmp_proto = $provider ? {
+      'iptables' => 'icmp',
+      'ip6tables' => 'ipv6-icmp',
+    }
+    firewall { "001 accept all inbound to localhost for ${provider}":
+      chain    => 'INPUT',
+      proto    => all,
+      iniface  => 'lo',
+      action   => accept,
+      provider => $provider;
    }
    firewall {
      default:
        chain    => 'INPUT',
        action   => accept,
        provider => 'iptables';
-      '010 accept all icmp for provider iptables':
-        proto    => 'icmp';
-      '003 accept inbound related established rules for provider iptables':
+      "010 accept all icmp for ${provider}":
+        proto    => $icmp_proto;
+      "003 accept inbound related established rules for ${provider}":
        proto => all,
        state => ['RELATED', 'ESTABLISHED'];
    }
+
    firewall {
      default:
        chain    => 'INPUT',
        jump     => 'INPUT_public',
        state    => ['NEW'],
-        provider => 'ip6tables';
-      '090 IPv4 UDP INPUT_public for all public services':
+        provider => $provider;
+      "090 UDP INPUT_public for all public services for ${provider}":
        proto    => 'udp';
-      '090 IPv4 TCP INPUT_public for all public services':
+      "090 TCP INPUT_public for all public services for ${provider}":
        proto    => 'tcp';
    }
-    firewall { '095 IPv4 INPUT_trust this is for all ip ranges (mostly internal)':
+    firewall { "095 INPUT_trust this is for all ip ranges (mostly internal) for ${provider}":
      chain    => 'INPUT',
      proto    => all,
      state    => ['NEW'],
      jump     => 'INPUT_trust',
-      ipset    => 'trusted_networks_v4 src',
-      provider => 'iptables';
+      ipset    => "${trusted_net} src",
+      provider => $provider;
    }
-    firewall { '001 IPv4 accept all inbound to localhost':
-      chain    => 'INPUT',
-      proto    => all,
-      iniface  => 'lo',
-      action   => accept,
-      provider => 'iptables';
+
+  }
+
+  if ($ipv4_enable) {
+    ['udp', 'tcp', 'trust', 'public'].each | $chain | {
+      firewallchain { "INPUT_${chain}:filter:IPv4":
+        ensure  => present;
+      }
    }
  }

@@ -69,43 +82,6 @@ class fw_builder::chains (
        ensure  => present,
      }
    }
-    firewall {
-      default:
-        chain    => 'INPUT',
-        action   => accept,
-        provider => 'ip6tables';
-      '010 accept all icmp for provider ip6tables':
-        proto    => 'ipv6-icmp';
-      '003 accept inbound related established rules for provider ip6tables':
-        proto => all,
-        state => ['RELATED', 'ESTABLISHED'];
-    }
-    firewall {
-      default:
-        chain    => 'INPUT',
-        jump     => 'INPUT_public',
-        state    => ['NEW'],
-        provider => 'ip6tables';
-      '090 IPv6 UDP INPUT_public for all public services':
-        proto    => 'udp';
-      '090 IPv6 TCP INPUT_public for all public services':
-        proto    => 'tcp';
-    }
-    firewall { '095 IPv6 INPUT_trust this is for all ip ranges (mostly internal)':
-      chain    => 'INPUT',
-      proto    => all,
-      state    => ['NEW'],
-      jump     => 'INPUT_trust',
-      ipset    => 'trusted_networks_v6 src',
-      provider => 'ip6tables';
-    }
-    firewall { '001 IPv6 accept all inbound to localhost6':
-      chain    => 'INPUT',
-      proto    => all,
-      iniface  => 'lo',
-      action   => accept,
-      provider => 'ip6tables';
-    }
  }

 }

--- a/manifests/docker.pp
+++ b/manifests/docker.pp
@@ -11,15 +11,14 @@
 #
 # === Examples
 #
-class fw_builder::docker (
-  $manage_docker,
-  $ipv4_enable,
-  $ipv6_enable
-) {
+# === ToDo
+#
+# ADD SUPPORT FOR IPv6
+#
+class fw_builder::docker {

  assert_private()

-  # IPv6 IS STILL MISSING

  firewallchain { ['INPUT:filter:IPv4', 'OUTPUT:filter:IPv4']:
    purge  => true,

--- a/manifests/init.pp
+++ b/manifests/init.pp
 # == Class: fw_builder
 #
+# == Parameters
+#
+# [*trusted_networks*] Fw_builder::Iplist
+# Array of ipv4 and/or ipv6 CIDR
+#
+# [*purge_rules*] Boolean
+# Purge rules not defined via Puppet
+#
+# [*manage_docker*] Boolean
+# If purge rules is set to true, avoid purging rules set by Docker
+#
+# [*ipv4_enable*] Boolean
+# enable iptables provider
+#
+# [*ipv6_enable*] Boolean
+# enable ip6tables provider
+#
+# [*logging*] Boolean
+# enable logging
+#
+# [*log_rotation_days*] Integer
+# define log retention in days
+#
+# [*ipset_package_ensure*] String
+# ipset version
+#
+# [*limit*] Variant[Undef, String]
+# define limit for RST and Dropped connection on post.pp
+#
 # == Authors:
 #
 #   Pete Pedersen<pete.pedersen@geant.org>
@@ -7,21 +36,19 @@
 #
 class fw_builder (
  Fw_builder::Iplist $trusted_networks,
-  Boolean $manage_docker     = false,
-  Boolean $ipv4_enable       = true,
-  Boolean $ipv6_enable       = true,
-  Boolean $logging           = true,
-  Boolean $purge_rules       = true,
-  Integer $log_rotation_days = '7',
-  $ipset_package_ensure      = 'present',
-  $limit                     = '1000/sec'
+  Boolean $manage_docker     = $fw_builder::params::manage_docker,
+  Boolean $ipv4_enable       = $fw_builder::params::ipv4_enable,
+  Boolean $ipv6_enable       = $fw_builder::params::ipv6_enable,
+  Boolean $logging           = $fw_builder::params::logging,
+  Boolean $purge_rules       = $fw_builder::params::purge_rules,
+  Integer $log_rotation_days = $fw_builder::params::log_rotation_days,
+  Optional[String] $limit    = $fw_builder::params::limit,
+  $ipset_package_ensure      = $fw_builder::params::ipset_package_ensure
 ) {

  if ! ($purge_rules) and ($manage_docker) {
    fail('cannot set purge_rules to false and manage_docker to true')
-  }
-
-  if ! ($ipv4_enable) and ! ($ipv6_enable) {
+  } elsif ! ($ipv4_enable) and ! ($ipv6_enable) {
    fail('you cannot disable ipv4 and ipv6 at the same time')
  }

@@ -33,34 +60,14 @@ class fw_builder (
    $ip_proto_array = ['iptables']
  }

-
  anchor { 'fw_builder::begin': }
-  -> class {
-    'firewall':;
-  }
-  -> class { 'fw_builder::ipset':
-    ipset_package_ensure => $ipset_package_ensure,
-    trusted_networks     => $trusted_networks,
-    ipv4_enable          => $ipv4_enable,
-    ipv6_enable          => $ipv6_enable,
-    require              => Class['firewall'];
-  }
-  -> class { 'fw_builder::chains':
-    ipv4_enable => $ipv4_enable,
-    ipv6_enable => $ipv6_enable,
-    require     => Class['fw_builder::ipset'];
-  }
-  -> class { 'fw_builder::post':
-    ipv4_enable => $ipv4_enable,
-    ipv6_enable => $ipv6_enable,
-    limit       => $limit;
-  }
+  -> class { 'firewall':; }
+  -> class { 'fw_builder::ipset':; }
+  -> class { 'fw_builder::chains':; }
+  -> class { 'fw_builder::post':; }
  -> anchor { 'fw_builder::end': }

-  class { 'fw_builder::logrotate':
-    logging           => $logging,
-    log_rotation_days => $log_rotation_days,
-  }
+  include fw_builder::logrotate

  if ($purge_rules) {
    if ($facts['fw_builder_is_docker']) and ($manage_docker) {
@@ -71,10 +78,8 @@ class fw_builder (
        purge => false;
      }
      class { 'fw_builder::docker':
-        ipv4_enable => $ipv4_enable,
-        ipv6_enable => $ipv6_enable,
-        before      => Class['fw_builder::post'],
-        require     => Class['fw_builder::ipset'];
+        before  => Class['fw_builder::post'],
+        require => Class['fw_builder::ipset'];
      }
    } else {
      if ($ipv4_enable) {

--- a/manifests/ipset.pp
+++ b/manifests/ipset.pp
@@ -2,14 +2,14 @@
 #
 #
 class fw_builder::ipset (
-  $trusted_networks,
-  $ipset_package_ensure,
-  $ipv4_enable,
-  $ipv6_enable
+  $ipv4_enable = $fw_builder::params::ipv4_enable,
+  $ipv6_enable = $fw_builder::params::ipv6_enable
 ) {

  assert_private()

+  $trusted_net = $fw_builder::trusted_networks
+
  $firewall_service = $facts['os']['family'] ? {
    'Debian' => 'netfilter-persistent.service',
    default => undef
@@ -22,12 +22,12 @@ class fw_builder::ipset (

  class { 'ipset':
    packages         => $packages,
-    package_ensure   => $ipset_package_ensure,
+    package_ensure   => $fw_builder::ipset_package_ensure,
    firewall_service => $firewall_service
  }

  if ($ipv4_enable) {
-    $trusted_networks_v4 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 }
+    $trusted_networks_v4 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 }
    ipset::set { 'trusted_networks_v4':
      ensure => 'present',
      type   => 'hash:net',
@@ -36,7 +36,7 @@ class fw_builder::ipset (
  }

  if ($ipv6_enable) {
-    $trusted_networks_v6 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 }
+    $trusted_networks_v6 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 }
    ipset::set { 'trusted_networks_v6':
      ensure  => 'present',
      type    => 'hash:net',

--- a/manifests/logrotate.pp
+++ b/manifests/logrotate.pp
@@ -6,15 +6,15 @@
 #   Massimiliano Adamo<massimiliano.adamo@geant.org>
 #
 class fw_builder::logrotate (
-  $logging,
-  $log_rotation_days,
+  $logging           = $fw_builder::params::logging,
+  $log_rotation_days = $fw_builder::params::log_rotation_days
 ) {

  assert_private()

  file { ['/var/log/iptables.log', '/var/log/ip6tables.log']: ensure => file; }

-  if ($logging) {
+  if ($fw_builder::logging) {
    logrotate::rule { 'iptables':
      rotate       => $log_rotation_days,
      dateext      => true,

--- a/manifests/params.pp
+++ b/manifests/params.pp
+# == Class: fw_builder
+#
+# == Authors:
+#
+#   Pete Pedersen<pete.pedersen@geant.org>
+#   Massimiliano Adamo<massimiliano.adamo@geant.org>
+#
+class fw_builder::params {
+
+  # whether to purge rule not defined in puppet
+  $purge_rules = true
+
+  # avoid that docker rules are being overwritten if purge is set to true
+  $manage_docker = false
+
+  # enable iptables provider
+  $ipv4_enable = true
+
+  # enable ip6tables provider
+  $ipv6_enable = true
+
+  # enable logging
+  $logging = true
+
+  # define log retention daysn
+  $log_rotation_days = 7
+
+  # ipset package version
+  $ipset_package_ensure = 'present'
+
+  # whether to limit RST and dropped connections on post.pp
+  $limit = '1000/sec'
+
+}
--- a/manifests/post.pp
+++ b/manifests/post.pp
 # == Class: fw_builder::post
 #
 class fw_builder::post (
-  $ipv4_enable,
-  $ipv6_enable,
-  $logging,
-  $limit
+  $logging = $fw_builder::params::logging
 ) {

  assert_private()
@@ -16,7 +13,7 @@ class fw_builder::post (
          chain     => 'INPUT',
          provider  => $provider,
          jump      => 'LOG',
-          limit     => $limit,
+          limit     => $fw_builder::limit,
          log_level => '4';
        "889 log RST dropped inbound chain for provider ${provider}":
          log_prefix => "[${provider.upcase()} RST RST] dropped";