From 1f530aea9093e717d5208d75751d8a9446a12435 Mon Sep 17 00:00:00 2001 From: Massimiliano Adamo <maxadamo@gmail.com> Date: Thu, 19 Jan 2023 14:50:05 +0100 Subject: [PATCH] code clean-up --- manifests/chains.pp | 94 ++++++++++++++++-------------------------- manifests/docker.pp | 11 +++-- manifests/init.pp | 85 ++++++++++++++++++++------------------ manifests/ipset.pp | 14 +++---- manifests/logrotate.pp | 6 +-- manifests/params.pp | 34 +++++++++++++++ manifests/post.pp | 7 +--- 7 files changed, 131 insertions(+), 120 deletions(-) create mode 100644 manifests/params.pp diff --git a/manifests/chains.pp b/manifests/chains.pp index 4b21c21..ff81dcd 100644 --- a/manifests/chains.pp +++ b/manifests/chains.pp 
@@ -12,54 +12,67 @@ # === Examples # class fw_builder::chains ( - $ipv4_enable, - $ipv6_enable + $ipv4_enable = $fw_builder::params::ipv4_enable, + $ipv6_enable = $fw_builder::params::ipv6_enable ) { assert_private() - if ($ipv4_enable) { - ['udp', 'tcp', 'trust', 'public'].each | $chain | { - firewallchain { "INPUT_${chain}:filter:IPv4": - ensure => present; - } + $fw_builder::ip_proto_array.each | String $provider | { + $trusted_net = $provider ? { + 'iptables' => 'trusted_networks_v4', + 'ip6tables' => 'trusted_networks_v6', + } + $icmp_proto = $provider ? { + 'iptables' => 'icmp', + 'ip6tables' => 'ipv6-icmp', + } + firewall { "001 accept all inbound to localhost for ${provider}": + chain => 'INPUT', + proto => all, + iniface => 'lo', + action => accept, + provider => $provider; } firewall { default: chain => 'INPUT', action => accept, provider => 'iptables'; - '010 accept all icmp for provider iptables': - proto => 'icmp'; - '003 accept inbound related established rules for provider iptables': + "010 accept all icmp for ${provider}": + proto => $icmp_proto; + "003 accept inbound related established rules for ${provider}": proto => all, state => ['RELATED', 'ESTABLISHED']; } + firewall { default: chain => 'INPUT', jump => 'INPUT_public', state => ['NEW'], - provider => 'ip6tables'; - '090 IPv4 UDP INPUT_public for all public services': + provider => $provider; + "090 UDP INPUT_public for all public services for ${provider}": proto => 'udp'; - '090 IPv4 TCP INPUT_public for all public services': + "090 TCP INPUT_public for all public services for ${provider}": proto => 'tcp'; } - firewall { '095 IPv4 INPUT_trust this is for all ip ranges (mostly internal)': + firewall { "095 INPUT_trust this is for all ip ranges (mostly internal) for ${provider}": chain => 'INPUT', proto => all, state => ['NEW'], jump => 'INPUT_trust', - ipset => 'trusted_networks_v4 src', - provider => 'iptables'; + ipset => "${trusted_net} src", + provider => $provider; } - firewall { '001 
IPv4 accept all inbound to localhost': - chain => 'INPUT', - proto => all, - iniface => 'lo', - action => accept, - provider => 'iptables'; + + } + + if ($ipv4_enable) { + ['udp', 'tcp', 'trust', 'public'].each | $chain | { + firewallchain { "INPUT_${chain}:filter:IPv4": + ensure => present; + } } } @@ -69,43 +82,6 @@ class fw_builder::chains ( ensure => present, } } - firewall { - default: - chain => 'INPUT', - action => accept, - provider => 'ip6tables'; - '010 accept all icmp for provider ip6tables': - proto => 'ipv6-icmp'; - '003 accept inbound related established rules for provider ip6tables': - proto => all, - state => ['RELATED', 'ESTABLISHED']; - } - firewall { - default: - chain => 'INPUT', - jump => 'INPUT_public', - state => ['NEW'], - provider => 'ip6tables'; - '090 IPv6 UDP INPUT_public for all public services': - proto => 'udp'; - '090 IPv6 TCP INPUT_public for all public services': - proto => 'tcp'; - } - firewall { '095 IPv6 INPUT_trust this is for all ip ranges (mostly internal)': - chain => 'INPUT', - proto => all, - state => ['NEW'], - jump => 'INPUT_trust', - ipset => 'trusted_networks_v6 src', - provider => 'ip6tables'; - } - firewall { '001 IPv6 accept all inbound to localhost6': - chain => 'INPUT', - proto => all, - iniface => 'lo', - action => accept, - provider => 'ip6tables'; - } } } diff --git a/manifests/docker.pp b/manifests/docker.pp index 0ba5dc2..2a13aca 100644 --- a/manifests/docker.pp +++ b/manifests/docker.pp @@ -11,15 +11,14 @@ # # === Examples # -class fw_builder::docker ( - $manage_docker, - $ipv4_enable, - $ipv6_enable -) { +# === ToDo +# +# ADD SUPPORT FOR IPv6 +# +class fw_builder::docker { assert_private() - # IPv6 IS STILL MISSING firewallchain { ['INPUT:filter:IPv4', 'OUTPUT:filter:IPv4']: purge => true, diff --git a/manifests/init.pp b/manifests/init.pp index e5d75ea..53b7f93 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
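Review bot: In the first `firewall { default: … }` block inside the new `$fw_builder::ip_proto_array.each` loop, `provider => 'iptables';` is still hard-coded although the titles and `proto => $icmp_proto` now vary per iteration, so on the `ip6tables` pass the "010 accept all icmp" and "003 … RELATED/ESTABLISHED" rules are declared against the iptables provider (with `proto => 'ipv6-icmp'`, which iptables will presumably reject at apply time) and the ip6tables INPUT chain gets neither rule, leaving IPv6 without its ICMPv6 and established-connection accepts. The second default block in the same hunk was already changed to `provider => $provider;`, and this one should match: `provider => $provider;`. The class body continues into the second chains.pp hunk.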
@@ -1,5 +1,34 @@
 # == Class: fw_builder
 #
+# == Parameters
+#
+# [*trusted_networks*] Fw_builder::Iplist
+# Array of ipv4 and/or ipv6 CIDR
+#
+# [*purge_rules*] Boolean
+# Purge rules not defined via Puppet
+#
+# [*manage_docker*] Boolean
+# If purge rules is set to true, avoid purging rules set by Docker
+#
+# [*ipv4_enable*] Boolean
+# enable iptables provider
+#
+# [*ipv6_enable*] Boolean
+# enable ip6tables provider
+#
+# [*logging*] Boolean
+# enable logging
+#
+# [*log_rotation_days*] Integer
+# define log retention in days
+#
+# [*ipset_package_ensure*] String
+# ipset version
+#
+# [*limit*] Variant[Undef, String]
+# define limit for RST and Dropped connection on post.pp
+#
 # == Authors:
 #
 # Pete Pedersen<pete.pedersen@geant.org>
@@ -7,21 +36,19 @@
 #
 class fw_builder (
 Fw_builder::Iplist $trusted_networks,
- Boolean $manage_docker = false,
- Boolean $ipv4_enable = true,
- Boolean $ipv6_enable = true,
- Boolean $logging = true,
- Boolean $purge_rules = true,
- Integer $log_rotation_days = '7',
- $ipset_package_ensure = 'present',
- $limit = '1000/sec'
+ Boolean $manage_docker = $fw_builder::params::manage_docker,
+ Boolean $ipv4_enable = $fw_builder::params::ipv4_enable,
+ Boolean $ipv6_enable = $fw_builder::params::ipv6_enable,
+ Boolean $logging = $fw_builder::params::logging,
+ Boolean $purge_rules = $fw_builder::params::purge_rules,
+ Integer $log_rotation_days = $fw_builder::params::log_rotation_days,
+ Optional[String] $limit = $fw_builder::params::limit,
+ $ipset_package_ensure = $fw_builder::params::ipset_package_ensure
 ) {
 
 if ! ($purge_rules) and ($manage_docker) {
 fail('cannot set purge_rules to false and manage_docker to true')
- }
-
- if ! ($ipv4_enable) and ! ($ipv6_enable) {
+ } elsif ! ($ipv4_enable) and ! ($ipv6_enable) {
 fail('you cannot disable ipv4 and ipv6 at the same time')
 }
 
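Review bot: The new defaults such as `Boolean $manage_docker = $fw_builder::params::manage_docker` read from `fw_builder::params`, but the class header still ends with `) {` with no `inherits fw_builder::params`, and nothing else in the patch declares that class before `fw_builder` is evaluated. Unless it is evaluated elsewhere, those lookups yield undef (or fail outright under strict_variables), and the `Boolean`/`Integer` typed parameters then reject the undef default on a plain `include fw_builder`. The conventional form is `class fw_builder ( … ) inherits fw_builder::params {`. The private classes in this patch (chains.pp, ipset.pp, logrotate.pp, post.pp) reference `$fw_builder::params::*` the same way and would be better served by reading the already-evaluated `$fw_builder::<param>` values instead.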
@@ -33,34 +60,14 @@ class fw_builder ( $ip_proto_array = ['iptables'] } - anchor { 'fw_builder::begin': } - -> class { - 'firewall':; - } - -> class { 'fw_builder::ipset': - ipset_package_ensure => $ipset_package_ensure, - trusted_networks => $trusted_networks, - ipv4_enable => $ipv4_enable, - ipv6_enable => $ipv6_enable, - require => Class['firewall']; - } - -> class { 'fw_builder::chains': - ipv4_enable => $ipv4_enable, - ipv6_enable => $ipv6_enable, - require => Class['fw_builder::ipset']; - } - -> class { 'fw_builder::post': - ipv4_enable => $ipv4_enable, - ipv6_enable => $ipv6_enable, - limit => $limit; - } + -> class { 'firewall':; } + -> class { 'fw_builder::ipset':; } + -> class { 'fw_builder::chains':; } + -> class { 'fw_builder::post':; } -> anchor { 'fw_builder::end': } - class { 'fw_builder::logrotate': - logging => $logging, - log_rotation_days => $log_rotation_days, - } + include fw_builder::logrotate if ($purge_rules) { if ($facts['fw_builder_is_docker']) and ($manage_docker) { @@ -71,10 +78,8 @@ class fw_builder ( purge => false; } class { 'fw_builder::docker': - ipv4_enable => $ipv4_enable, - ipv6_enable => $ipv6_enable, - before => Class['fw_builder::post'], - require => Class['fw_builder::ipset']; + before => Class['fw_builder::post'], + require => Class['fw_builder::ipset']; } } else { if ($ipv4_enable) { diff --git a/manifests/ipset.pp b/manifests/ipset.pp index 23f4459..491313e 100644 --- a/manifests/ipset.pp +++ b/manifests/ipset.pp @@ -2,14 +2,14 @@ # # class fw_builder::ipset ( - $trusted_networks, - $ipset_package_ensure, - $ipv4_enable, - $ipv6_enable + $ipv4_enable = $fw_builder::params::ipv4_enable, + $ipv6_enable = $fw_builder::params::ipv6_enable ) { assert_private() + $trusted_net = $fw_builder::trusted_networks + $firewall_service = $facts['os']['family'] ? { 'Debian' => 'netfilter-persistent.service', default => undef 
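Review bot: `anchor { 'fw_builder::begin': }` is removed while the added `-> class { 'firewall':; }` still begins with the relationship arrow, so the chain has no resource on its left-hand side. Puppet has no statement terminator, so the arrow presumably binds to the preceding expression — from the context lines, the `if`/`else` that assigns `$ip_proto_array` — which is at best a relationship on an array of strings and at worst a parse error; either way the ordering the begin anchor provided is gone. Keep the anchor, `anchor { 'fw_builder::begin': }` immediately before the first `->`, or drop the leading arrow on `class { 'firewall':; }` and chain from it. The class body continues outside the hunk in both directions.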
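Review bot: `$ipv4_enable = $fw_builder::params::ipv4_enable` and `$ipv6_enable = $fw_builder::params::ipv6_enable` take the module defaults rather than what the user passed to `fw_builder`, and init.pp now declares this class as `class { 'fw_builder::ipset':; }` without forwarding them, so `class { 'fw_builder': ipv6_enable => false }` still builds the `trusted_networks_v6` set further down. The hunk already reads `$fw_builder::trusted_networks` from the main class; the flags should follow the same pattern, `$ipv4_enable = $fw_builder::ipv4_enable,` and `$ipv6_enable = $fw_builder::ipv6_enable`, which also removes the dependency on `fw_builder::params` having been evaluated. chains.pp (the `if ($ipv4_enable)`/`if ($ipv6_enable)` firewallchain blocks), logrotate.pp (`rotate => $log_rotation_days` next to `if ($fw_builder::logging)`) and post.pp (`$logging`) have the same regression. The class body continues past the hunk.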
@@ -22,12 +22,12 @@ class fw_builder::ipset ( class { 'ipset': packages => $packages, - package_ensure => $ipset_package_ensure, + package_ensure => $fw_builder::ipset_package_ensure, firewall_service => $firewall_service } if ($ipv4_enable) { - $trusted_networks_v4 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 } + $trusted_networks_v4 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 } ipset::set { 'trusted_networks_v4': ensure => 'present', type => 'hash:net', @@ -36,7 +36,7 @@ class fw_builder::ipset ( } if ($ipv6_enable) { - $trusted_networks_v6 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 } + $trusted_networks_v6 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 } ipset::set { 'trusted_networks_v6': ensure => 'present', type => 'hash:net', diff --git a/manifests/logrotate.pp b/manifests/logrotate.pp index 1689163..db29cdd 100644 --- a/manifests/logrotate.pp +++ b/manifests/logrotate.pp @@ -6,15 +6,15 @@ # Massimiliano Adamo<massimiliano.adamo@geant.org> # class fw_builder::logrotate ( - $logging, - $log_rotation_days, + $logging = $fw_builder::params::logging, + $log_rotation_days = $fw_builder::params::log_rotation_days ) { assert_private() file { ['/var/log/iptables.log', '/var/log/ip6tables.log']: ensure => file; } - if ($logging) { + if ($fw_builder::logging) { logrotate::rule { 'iptables': rotate => $log_rotation_days, dateext => true, diff --git a/manifests/params.pp b/manifests/params.pp new file mode 100644 index 0000000..623a667 --- /dev/null +++ b/manifests/params.pp 
@@ -0,0 +1,34 @@
+# == Class: fw_builder
+#
+# == Authors:
+#
+# Pete Pedersen<pete.pedersen@geant.org>
+# Massimiliano Adamo<massimiliano.adamo@geant.org>
+#
+class fw_builder::params {
+
+ # whether to purge rule not defined in puppet
+ $purge_rules = true
+
+ # avoid that docker rules are being overwritten if purge is set to true
+ $manage_docker = false
+
+ # enable iptables provider
+ $ipv4_enable = true
+
+ # enable ip6tables provider
+ $ipv6_enable = true
+
+ # enable logging
+ $logging = true
+
+ # define log retention daysn
+ $log_rotation_days = 7
+
+ # ipset package version
+ $ipset_package_ensure = 'present'
+
+ # whether to limit RST and dropped connections on post.pp
+ $limit = '1000/sec'
+
+}
diff --git a/manifests/post.pp b/manifests/post.pp
index 08b5d43..529af4b 100644
--- a/manifests/post.pp
+++ b/manifests/post.pp
@@ -1,10 +1,7 @@
 # == Class: fw_builder::post
 #
 class fw_builder::post (
- $ipv4_enable,
- $ipv6_enable,
- $logging,
- $limit
+ $logging = $fw_builder::params::logging
 ) {
 
 assert_private()
@@ -16,7 +13,7 @@ class fw_builder::post (
 chain => 'INPUT',
 provider => $provider,
 jump => 'LOG',
- limit => $limit,
+ limit => $fw_builder::limit,
 log_level => '4';
 "889 log RST dropped inbound chain for provider ${provider}":
 log_prefix => "[${provider.upcase()} RST RST] dropped";
-- GitLab
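Review bot: The header on the new file reads `# == Class: fw_builder` but the class declared is `fw_builder::params`; it should be `# == Class: fw_builder::params`. Two comments in the same hunk mislead: `# define log retention daysn` has a typo (`days`), and `# whether to limit RST and dropped connections on post.pp` describes a boolean while `$limit = '1000/sec'` is a rate string handed to the firewall `limit` attribute, so `# rate limit (firewall 'limit' syntax) for the RST/drop LOG rules in post.pp` would describe the value. Since the other classes in the patch now default to these values, the comment on `$manage_docker` could also state that it is only honoured when `$purge_rules` is true, as the fail() check in init.pp enforces.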