DEVOPS-203 move fw_builder code onto this module

dfcd6366 · Massimiliano Adamo · 4a1fc452 · dfcd6366 · dfcd6366 · dfcd6366
Commit dfcd6366 authored 2 years ago by Massimiliano Adamo
--- a/lib/facter/fw_builder_is_docker.rb
+++ b/lib/facter/fw_builder_is_docker.rb
+Facter.add(:fw_builder_is_docker) do
+  setcode do
+    if Facter::Util::Resolution.which('docker')
+      true
+    else
+      false
+    end
+  end
+end
--- a/manifests/chains.pp
+++ b/manifests/chains.pp
+# == Class: fw_builder::chains
+#
+# Pre IPtables allows several icmp type, loopback connection
+# either on IPv6 and IPv4
+#
+# This class opens the firewall to Geant specific servers
+#
+# === Parameters
+#
+# === Requires
+#
+# === Examples
+#
+class fw_builder::chains (
+  $ipv4_enable = $fw_builder::params::ipv4_enable,
+  $ipv6_enable = $fw_builder::params::ipv6_enable
+) {
+
+  assert_private()
+
+  $fw_builder::ip_proto_array.each | String $provider | {
+    $trusted_net = $provider ? {
+      'iptables' => 'trusted_networks_v4',
+      'ip6tables' => 'trusted_networks_v6',
+    }
+    $icmp_proto = $provider ? {
+      'iptables' => 'icmp',
+      'ip6tables' => 'ipv6-icmp',
+    }
+    firewall { "001 accept all inbound to localhost for ${provider}":
+      chain    => 'INPUT',
+      proto    => all,
+      iniface  => 'lo',
+      action   => accept,
+      provider => $provider;
+    }
+    firewall {
+      default:
+        chain    => 'INPUT',
+        action   => accept,
+        provider => 'iptables';
+      "010 accept all icmp for ${provider}":
+        proto    => $icmp_proto;
+      "003 accept inbound related established rules for ${provider}":
+        proto => all,
+        state => ['RELATED', 'ESTABLISHED'];
+    }
+
+    firewall {
+      default:
+        chain    => 'INPUT',
+        jump     => 'INPUT_public',
+        state    => ['NEW'],
+        provider => $provider;
+      "090 UDP INPUT_public for all public services for ${provider}":
+        proto    => 'udp';
+      "090 TCP INPUT_public for all public services for ${provider}":
+        proto    => 'tcp';
+    }
+    firewall { "095 INPUT_trust this is for all ip ranges (mostly internal) for ${provider}":
+      chain    => 'INPUT',
+      proto    => all,
+      state    => ['NEW'],
+      jump     => 'INPUT_trust',
+      ipset    => "${trusted_net} src",
+      provider => $provider;
+    }
+
+  }
+
+  if ($ipv4_enable) {
+    ['udp', 'tcp', 'trust', 'public'].each | $chain | {
+      firewallchain { "INPUT_${chain}:filter:IPv4":
+        ensure  => present;
+      }
+    }
+  }
+
+  if ($ipv6_enable) {
+    ['udp', 'tcp', 'trust', 'public'].each | $chain | {
+      firewallchain { "INPUT_${chain}:filter:IPv6":
+        ensure  => present,
+      }
+    }
+  }
+
+}
+# vim:ts=2:sw=2
--- a/manifests/docker.pp
+++ b/manifests/docker.pp
+# == Class: fw_builder::docker
+#
+# Pre IPtables allows several icmp type, loopback connection
+# either on IPv6 and IPv4
+#
+# This class opens the firewall to Geant specific servers
+#
+# === Parameters
+#
+# === Requires
+#
+# === Examples
+#
+# === ToDo
+#
+# ADD SUPPORT FOR IPv6
+#
+class fw_builder::docker {
+
+  assert_private()
+
+
+  firewallchain { ['INPUT:filter:IPv4', 'OUTPUT:filter:IPv4']:
+    purge  => true,
+    ignore => ['docker', 'br-', 'cali-', 'KUBE'],
+  }
+
+  firewallchain { 'FORWARD:filter:IPv4':
+    purge  => true,
+    ignore => ['docker', 'br-', 'cali-', 'KUBE'],
+  }
+
+  firewallchain { ['DOCKER:nat:IPv4', 'DOCKER:filter:IPv4']:
+    purge  => false,
+  }
+
+  firewallchain { 'POSTROUTING:nat:IPv4':
+    purge  => false,
+  }
+
+  firewallchain { [
+    'INPUT:nat:IPv4', 'PREROUTING:nat:IPv4',
+    'OUTPUT:nat:IPv4', 'PREROUTING:mangle:IPv4',
+    'POSTROUTING:mangle:IPv4', 'INPUT:mangle:IPv4',
+    'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4',
+    'OUTPUT:raw:IPv4', 'PREROUTING:raw:IPv4'
+    ]:
+    purge  => true,
+    ignore => ['DOCKER', 'cali-', 'KUBE'],
+  }
+
+  # this is is for kube / cali
+  firewallchain { [
+    'cali-PREROUTING:mangle:IPv4', 'cali-failsafe-in:mangle:IPv4',
+    'cali-from-host-endpoint:mangle:IPv4', 'cali-failsafe-in:raw:IPv4',
+    'cali-failsafe-out:raw:IPv4', 'cali-from-host-endpoint:raw:IPv4',
+    'cali-to-host-endpoint:raw:IPv4', 'KUBE-SERVICES:filter:IPv4'
+    ]:
+    purge  => false,
+  }
+
+}
+# vim:ts=2:sw=2
--- a/manifests/init.pp
+++ b/manifests/init.pp
 # == Class: fw_builder
 #
+# == Parameters
+#
+# [*trusted_networks*] Fw_builder::Iplist
+# Array of ipv4/ipv6 CIDR/Address
+#
+# [*purge_rules*] Boolean
+# Purge rules not defined via Puppet
+#
+# [*manage_docker*] Boolean
+# If purge rules is set to true, avoid purging rules set by Docker
+#
+# [*ipv4_enable*] Boolean
+# enable iptables provider
+#
+# [*ipv6_enable*] Boolean
+# enable ip6tables provider
+#
+# [*logging*] Boolean
+# enable logging
+#
+# [*log_rotation_days*] Integer
+# define log retention in days
+#
+# [*ipset_package_ensure*] String
+# ipset version
+#
+# [*limit*] Variant[Undef, String]
+# define limit for RST and Dropped connection on post.pp
+#
 # == Authors:
 #
 #   Pete Pedersen<pete.pedersen@geant.org>
 #   Massimiliano Adamo<massimiliano.adamo@geant.org>
 #
-class fw_builder {
-  # resources
+class fw_builder (
+  Fw_builder::Iplist $trusted_networks,
+  Boolean $manage_docker     = $fw_builder::params::manage_docker,
+  Boolean $ipv4_enable       = $fw_builder::params::ipv4_enable,
+  Boolean $ipv6_enable       = $fw_builder::params::ipv6_enable,
+  Boolean $logging           = $fw_builder::params::logging,
+  Boolean $purge_rules       = $fw_builder::params::purge_rules,
+  Integer $log_rotation_days = $fw_builder::params::log_rotation_days,
+  Optional[String] $limit    = $fw_builder::params::limit,
+  $ipset_package_ensure      = $fw_builder::params::ipset_package_ensure
+) {
+
+  if ! ($purge_rules) and ($manage_docker) {
+    fail('cannot set purge_rules to false and manage_docker to true')
+  } elsif ! ($ipv4_enable) and ! ($ipv6_enable) {
+    fail('you cannot disable ipv4 and ipv6 at the same time')
+  }
+
+  if ($ipv4_enable) and ($ipv6_enable) {
+    $ip_proto_array = ['ip6tables', 'iptables']
+  } elsif ($ipv4_enable) and ! ($ipv6_enable) {
+    $ip_proto_array = ['iptables']
+  } elsif ! ($ipv4_enable) and ($ipv6_enable) {
+    $ip_proto_array = ['iptables']
+  }
+
+  anchor { 'fw_builder::begin': }
+  -> class { 'firewall':; }
+  -> class { 'fw_builder::ipset':; }
+  -> class { 'fw_builder::chains':; }
+  -> class { 'fw_builder::post':; }
+  -> anchor { 'fw_builder::end': }
+
+  include fw_builder::logrotate
+
+  if ($purge_rules) {
+    if ($facts['fw_builder_is_docker']) and ($manage_docker) {
+      echo { 'Docker detected':
+        message => 'not purging iptables rules set by docker';
+      }
+      resources { 'firewallchain':
+        purge => false;
+      }
+      class { 'fw_builder::docker':
+        before  => Class['fw_builder::post'],
+        require => Class['fw_builder::ipset'];
+      }
+    } else {
+      if ($ipv4_enable) {
+        firewallchain { 'FORWARD:filter:IPv4':
+          ensure => present,
+          policy => drop,
+          purge  => true;
+        }
+      }
+      if ($ipv6_enable) {
+        firewallchain { 'FORWARD:filter:IPv6':
+          ensure => present,
+          policy => drop,
+          purge  => true;
+        }
+      }
+      resources { 'firewall':
+        purge => true;
+      }
+    }
+  }
+
 }
--- a/manifests/ipset.pp
+++ b/manifests/ipset.pp
+# Class: fw_builder::ipset
+#
+#
+class fw_builder::ipset (
+  $ipv4_enable = $fw_builder::params::ipv4_enable,
+  $ipv6_enable = $fw_builder::params::ipv6_enable
+) {
+
+  assert_private()
+
+  $trusted_net = $fw_builder::trusted_networks
+
+  $firewall_service = $facts['os']['family'] ? {
+    'Debian' => 'netfilter-persistent.service',
+    default => undef
+  }
+
+  $packages = "${facts['os']['family']}_${facts['os']['release']['major']}" ? {
+    'RedHat_6' => ['ipset'],
+    default => undef
+  }
+
+  class { 'ipset':
+    packages         => $packages,
+    package_ensure   => $fw_builder::ipset_package_ensure,
+    firewall_service => $firewall_service
+  }
+
+  if ($ipv4_enable) {
+    $trusted_networks_v4 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 }
+    ipset::set { 'trusted_networks_v4':
+      ensure => 'present',
+      type   => 'hash:net',
+      set    => $trusted_networks_v4;
+    }
+  }
+
+  if ($ipv6_enable) {
+    $trusted_networks_v6 = $trusted_net.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 }
+    ipset::set { 'trusted_networks_v6':
+      ensure  => 'present',
+      type    => 'hash:net',
+      set     => $trusted_networks_v6,
+      options => {'family' => 'inet6'}
+    }
+  }
+
+}
+# vim:ts=2:sw=2
--- a/manifests/logrotate.pp
+++ b/manifests/logrotate.pp
+# == Class: fw_builder
+#
+# == Authors:
+#
+#   Pete Pedersen<pete.pedersen@geant.org>
+#   Massimiliano Adamo<massimiliano.adamo@geant.org>
+#
+class fw_builder::logrotate (
+  $logging           = $fw_builder::params::logging,
+  $log_rotation_days = $fw_builder::params::log_rotation_days
+) {
+
+  assert_private()
+
+  file { ['/var/log/iptables.log', '/var/log/ip6tables.log']: ensure => file; }
+
+  if ($fw_builder::logging) {
+    logrotate::rule { 'iptables':
+      rotate       => $log_rotation_days,
+      dateext      => true,
+      copytruncate => true,
+      missingok    => true,
+      compress     => true,
+      ifempty      => false,
+      path         => '/var/log/ip*tables.log';
+    }
+  }
+
+}
--- a/manifests/params.pp
+++ b/manifests/params.pp
+# == Class: fw_builder
+#
+# == Authors:
+#
+#   Pete Pedersen<pete.pedersen@geant.org>
+#   Massimiliano Adamo<massimiliano.adamo@geant.org>
+#
+class fw_builder::params {
+
+  # whether to purge rule not defined in puppet
+  $purge_rules = true
+
+  # avoid that docker rules are being overwritten if purge is set to true
+  $manage_docker = false
+
+  # enable iptables provider
+  $ipv4_enable = true
+
+  # enable ip6tables provider
+  $ipv6_enable = true
+
+  # enable logging
+  $logging = true
+
+  # define log retention daysn
+  $log_rotation_days = 7
+
+  # ipset package version
+  $ipset_package_ensure = 'present'
+
+  # whether to limit RST and dropped connections on post.pp
+  $limit = '1000/sec'
+
+}
--- a/manifests/post.pp
+++ b/manifests/post.pp
+# == Class: fw_builder::post
+#
+class fw_builder::post (
+  $logging = $fw_builder::params::logging
+) {
+
+  assert_private()
+
+  if ($logging) {
+    $fw_builder::ip_proto_array.each | String $provider | {
+      firewall {
+        default:
+          chain     => 'INPUT',
+          provider  => $provider,
+          jump      => 'LOG',
+          limit     => $fw_builder::limit,
+          log_level => '4';
+        "889 log RST dropped inbound chain for provider ${provider}":
+          log_prefix => "[${provider.upcase()} RST RST] dropped";
+        "900 log dropped inbound chain for provider ${provider}":
+          proto      => all,
+          log_prefix => "[${provider.upcase()} INPUT] dropped ",
+      }
+    }
+  }
+
+  $fw_builder::ip_proto_array.each | String $provider | {
+    firewall {
+      default:
+        chain    => 'INPUT',
+        provider => $provider;
+      "910 deny all other inbound requests for provider ${provider}":
+        before => undef,
+        proto  => all,
+        action => 'drop';
+      "890 drop RST RST connections for provider ${provider}":
+        tcp_flags => 'RST RST',
+        action    => 'drop';
+    }
+  }
+
+}
+# vim:ts=2:sw=2