Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix276 #289

Open
wants to merge 25 commits into
base: master
Choose a base branch
from
Open

Fix276 #289

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
5e5743d
FIX #276 for firewalld_service
isqo Mar 30, 2020
45c82b1
FIX #276 for firewalld_direct_rule
isqo Apr 1, 2020
fb15e44
fix offenses
isqo Apr 1, 2020
653fe34
FIX #276 for firewalld_direct_chain
isqo Apr 1, 2020
03a83b5
FIX #276 for firewalld_direct_passthrough
isqo Apr 1, 2020
07c2c4d
FIX #276 fix all offences
isqo Apr 1, 2020
ae4561a
FIX 276 for firewalld_rich_rule
isqo Apr 3, 2020
0288630
FIX #276 for firewalld_rich_rule
isqo Apr 3, 2020
6e471be
FIX #276 for firewalld_port
isqo Apr 3, 2020
3d84bfe
fix offences
isqo Apr 3, 2020
e1c8ddc
ipsets should be considered present only if they are in runtime stage
Apr 23, 2020
176d188
fix offenses
Apr 23, 2020
ff6cf8a
fix tests
Apr 23, 2020
af9a840
fix tests
Apr 24, 2020
28e3228
fix tests
Apr 24, 2020
27d3d02
fix tests
Apr 24, 2020
3e97483
fix offenses
Apr 24, 2020
ce81bd7
revert service resource because it uses the transient reload
Apr 24, 2020
558d8ee
Fix getting ipsets from firewalld's runtime
Apr 24, 2020
2e364dd
Revert travis.yml to its master's content
Apr 27, 2020
37359fd
Revert travis.yml to its master's content
Apr 27, 2020
3973cb7
Merge branch 'master' of https://github.com/voxpupuli/puppet-firewall…
isqo Jul 8, 2020
883703d
build all refs
isqo Jul 8, 2020
36a0fb4
fix failing tests
isqo Jul 8, 2020
4fa4690
build only master and tags
isqo Jul 8, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 15 additions & 4 deletions lib/puppet/provider/firewalld_direct_chain/firewall_cmd.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,20 +4,31 @@
Puppet::Type.type(:firewalld_direct_chain).provide(:firewall_cmd, parent: Puppet::Provider::Firewalld) do
desc 'Provider for managing firewalld direct chains using firewall-cmd'

def initialize(value = {})
super(value)
@in_perm = false
@in_run = false
end

def exists?
@chain_args ||= generate_raw
output = execute_firewall_cmd(['--direct', '--query-chain', @chain_args], nil, true, false)
output.include?('yes')
@in_perm = execute_firewall_cmd(['--direct', '--query-chain', @chain_args], nil, true, false).include?('yes')
@in_run = execute_firewall_cmd(['--direct', '--query-chain', @chain_args], nil, false, false).include?('yes')
if @resource[:ensure] == :present
@in_perm && @in_run
else
@in_perm || @in_run
end
end

def create
@chain_args ||= generate_raw
execute_firewall_cmd(['--direct', '--add-chain', @chain_args], nil)
execute_firewall_cmd(['--direct', '--add-chain', @chain_args], nil) unless @in_perm
end

def destroy
@chain_args ||= generate_raw
execute_firewall_cmd(['--direct', '--remove-chain', @chain_args], nil)
execute_firewall_cmd(['--direct', '--remove-chain', @chain_args], nil) if @in_perm
end

def generate_raw
Expand Down
19 changes: 15 additions & 4 deletions lib/puppet/provider/firewalld_direct_passthrough/firewall_cmd.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,20 +7,31 @@
) do
desc 'Interact with firewall-cmd'

def initialize(value = {})
super(value)
@in_perm = false
@in_run = false
end

def exists?
@passt_args ||= generate_raw
output = execute_firewall_cmd(['--direct', '--query-passthrough', @passt_args], nil, true, false)
output.include?('yes')
@in_perm = execute_firewall_cmd(['--direct', '--query-passthrough', @passt_args], nil, true, false).include?('yes')
@in_run = execute_firewall_cmd(['--direct', '--query-passthrough', @passt_args], nil, false, false).include?('yes')
if @resource[:ensure] == :present
@in_perm && @in_run
else
@in_perm || @in_run
end
end

def create
@passt_args ||= generate_raw
execute_firewall_cmd(['--direct', '--add-passthrough', @passt_args], nil)
execute_firewall_cmd(['--direct', '--add-passthrough', @passt_args], nil) unless @in_perm
end

def destroy
@passt_args ||= generate_raw
execute_firewall_cmd(['--direct', '--remove-passthrough', @passt_args], nil)
execute_firewall_cmd(['--direct', '--remove-passthrough', @passt_args], nil) if @in_perm
end

def generate_raw
Expand Down
19 changes: 15 additions & 4 deletions lib/puppet/provider/firewalld_direct_rule/firewall_cmd.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,20 +7,31 @@
) do
desc 'Interact with firewall-cmd'

def initialize(value = {})
super(value)
@in_perm = false
@in_run = false
end

def exists?
@rule_args ||= generate_raw
output = execute_firewall_cmd(['--direct', '--query-rule', @rule_args], nil, true, false)
output.include?('yes')
@in_perm = execute_firewall_cmd(['--direct', '--query-rule', @rule_args], nil, true, false).include?('yes')
@in_run = execute_firewall_cmd(['--direct', '--query-rule', @rule_args], nil, false, false).include?('yes')
if @resource[:ensure] == :present
@in_perm && @in_run
else
@in_perm || @in_run
end
end

def create
@rule_args ||= generate_raw
execute_firewall_cmd(['--direct', '--add-rule', @rule_args], nil)
execute_firewall_cmd(['--direct', '--add-rule', @rule_args], nil) unless @in_perm
end

def destroy
@rule_args ||= generate_raw
execute_firewall_cmd(['--direct', '--remove-rule', @rule_args], nil)
execute_firewall_cmd(['--direct', '--remove-rule', @rule_args], nil) if @in_perm
end

def generate_raw
Expand Down
38 changes: 21 additions & 17 deletions lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@
mk_resource_methods

def self.instances
ipset_ids = execute_firewall_cmd(['--get-ipsets'], nil).split(' ')
ipset_ids = execute_firewall_cmd(['--get-ipsets'], nil, false).split(' ')
ipset_ids.map do |ipset_id|
ipset_raw = execute_firewall_cmd(["--info-ipset=#{ipset_id}"], nil)
ipset_raw = execute_firewall_cmd(["--info-ipset=#{ipset_id}"], nil, false)
raw_options = ipset_raw.match(%r{options: (.*)})
options = {}
if raw_options
Expand Down Expand Up @@ -44,20 +44,23 @@ def exists?
end

def create
args = []
args << ["--new-ipset=#{@resource[:name]}"]
args << ["--type=#{@resource[:type]}"]
options = {
family: @resource[:family],
hashsize: @resource[:hashsize],
maxelem: @resource[:maxelem],
timeout: @resource[:timeout]
}
options = options.merge(@resource[:options]) if @resource[:options]
options.each do |option_name, value|
args << ["--option=#{option_name}=#{value}"] if value
ipsets_in_perm = execute_firewall_cmd(['--get-ipsets'], nil).split(' ')
unless ipsets_in_perm.include?(@resource[:name])
args = []
args << ["--new-ipset=#{@resource[:name]}"]
args << ["--type=#{@resource[:type]}"]
options = {
family: @resource[:family],
hashsize: @resource[:hashsize],
maxelem: @resource[:maxelem],
timeout: @resource[:timeout]
}
options = options.merge(@resource[:options]) if @resource[:options]
options.each do |option_name, value|
args << ["--option=#{option_name}=#{value}"] if value
end
execute_firewall_cmd(args.flatten, nil)
end
execute_firewall_cmd(args.flatten, nil)
@resource[:entries].each { |e| add_entry(e) } if @resource[:manage_entries]
end

Expand All @@ -72,7 +75,7 @@ def create

def entries
if @resource[:manage_entries]
execute_firewall_cmd(["--ipset=#{@resource[:name]}", '--get-entries'], nil).split("\n").sort
execute_firewall_cmd(["--ipset=#{@resource[:name]}", '--get-entries'], nil, false).split("\n").sort
else
@resource[:entries]
end
Expand All @@ -99,6 +102,7 @@ def entries=(should_entries)
end

def destroy
execute_firewall_cmd(["--delete-ipset=#{@resource[:name]}"], nil)
ipsets_in_perm = execute_firewall_cmd(['--get-ipsets'], nil).split(' ')
execute_firewall_cmd(["--delete-ipset=#{@resource[:name]}"], nil) if ipsets_in_perm.include?(@resource[:name])
end
end
21 changes: 17 additions & 4 deletions lib/puppet/provider/firewalld_port/firewall_cmd.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,25 @@
) do
desc 'Interact with firewall-cmd'

attr_accessor :in_perm, :in_run

mk_resource_methods

def initialize(value = {})
super(value)
@in_perm = false
@in_run = false
end

def exists?
@rule_args ||= build_port_rule
output = execute_firewall_cmd(['--query-port', @rule_args], @resource[:zone], true, false)
output.exitstatus.zero?
@in_perm = execute_firewall_cmd(['--query-port', @rule_args], @resource[:zone], true, false).exitstatus.zero?
@in_run = execute_firewall_cmd(['--query-port', @rule_args], @resource[:zone], false, false).exitstatus.zero?
if @resource[:ensure] == :present
@in_perm && @in_run
else
@in_perm || @in_run
end
end

def quote_keyval(key, val)
Expand All @@ -32,10 +45,10 @@ def build_port_rule
end

def create
execute_firewall_cmd(['--add-port', build_port_rule])
execute_firewall_cmd(['--add-port', build_port_rule]) unless @in_perm
end

def destroy
execute_firewall_cmd(['--remove-port', build_port_rule])
execute_firewall_cmd(['--remove-port', build_port_rule]) if @in_perm
end
end
21 changes: 17 additions & 4 deletions lib/puppet/provider/firewalld_rich_rule/firewall_cmd.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,12 +7,25 @@
) do
desc 'Interact with firewall-cmd'

attr_accessor :in_perm, :in_run

mk_resource_methods

def initialize(value = {})
super(value)
@in_perm = false
@in_run = false
end

def exists?
@rule_args ||= build_rich_rule
output = execute_firewall_cmd(['--query-rich-rule', @rule_args], @resource[:zone], true, false)
output.exitstatus.zero?
@in_perm = execute_firewall_cmd(['--query-rich-rule', @rule_args], @resource[:zone], true, false).exitstatus.zero?
@in_run = execute_firewall_cmd(['--query-rich-rule', @rule_args], @resource[:zone], false, false).exitstatus.zero?
if @resource[:ensure] == :present
@in_perm && @in_run
else
@in_perm || @in_run
end
end

def quote_keyval(key, val)
Expand Down Expand Up @@ -124,10 +137,10 @@ def build_rich_rule
end

def create
execute_firewall_cmd(['--add-rich-rule', build_rich_rule])
execute_firewall_cmd(['--add-rich-rule', build_rich_rule]) unless @in_perm
end

def destroy
execute_firewall_cmd(['--remove-rich-rule', build_rich_rule])
execute_firewall_cmd(['--remove-rich-rule', build_rich_rule]) if @in_perm
end
end
1 change: 0 additions & 1 deletion manifests/init.pp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,7 +248,6 @@
Firewalld_ipset <||> ~> Class['firewalld::reload']
Firewalld_port <||> ~> Class['firewalld::reload']
Firewalld_rich_rule <||> ~> Class['firewalld::reload']
Firewalld_service <||> ~> Class['firewalld::reload']

if $purge_unknown_ipsets {
Firewalld_ipset <||>
Expand Down
1 change: 0 additions & 1 deletion spec/classes/init_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,6 @@
is_expected.to contain_firewalld_service('mysql').
with_ensure('present').
with_zone('public').
that_notifies('Class[firewalld::reload]').
that_requires('Service[firewalld]')
end
end
Expand Down
76 changes: 76 additions & 0 deletions spec/unit/puppet/provider/firewalld_direct_chain_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
require 'spec_helper'

provider_class = Puppet::Type.type(:firewalld_direct_chain).provider(:firewall_cmd)

describe provider_class do
let(:resource) do
@resource = Puppet::Type.type(:firewalld_direct_chain).new(
ensure: :present,
name: 'LOG_DROPS',
inet_protocol: 'ipv4',
table: 'filter'
)
end
let(:provider) { resource.provider }
let(:chain_args) { [%w[ipv4 filter LOG_DROPS]] }

describe 'when creating' do
it 'direct rule should not be created if rule exists in permanent' do
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, true, false).returns('yes')
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, false, false).returns('no')
provider.expects(:execute_firewall_cmd).with(['--direct', '--add-chain', chain_args]).never
provider.exists?
provider.create
end

it 'creates' do
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, true, false).returns('no')
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, false, false).returns('no')
provider.expects(:execute_firewall_cmd).with(['--direct', '--add-chain', chain_args], nil)
provider.exists?
provider.create
end
end

describe 'when destroying' do
it 'destroys' do
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, true, false).returns('yes')
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, false, false).returns('yes')
provider.expects(:execute_firewall_cmd).with(['--direct', '--remove-chain', chain_args], nil)
provider.exists?
provider.destroy
end

it 'direct rule should not be destroyed if it doesnt exist in permanent' do
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, true, false).returns('no')
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, false, false).returns('yes')
provider.expects(:execute_firewall_cmd).with(['--direct', '--remove-chain', chain_args]).never
provider.exists?
provider.destroy
end
end

describe 'exists?' do
let(:resource_absent) do
@resource_absent = Puppet::Type.type(:firewalld_direct_chain).new(
ensure: :absent,
name: 'LOG_DROPS',
inet_protocol: 'ipv4',
table: 'filter'
)
end
let(:provider_absent) { resource_absent.provider }

it 'direct rule creation should be triggered if rule exists in runtime but not in permanent' do
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, true, false).returns('no')
provider.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, false, false).returns('yes')
expect(provider.exists?).to eq(false)
end

it 'direct rule deletion should be triggered if rule exists in runtime but not in permanent' do
provider_absent.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, true, false).returns('no')
provider_absent.expects(:execute_firewall_cmd).with(['--direct', '--query-chain', chain_args], nil, false, false).returns('yes')
expect(provider_absent.exists?).to eq(true)
end
end
end
Loading