Class: Puppet::Provider::Firewall::Firewall
- Inherits:
-
Object
- Object
- Puppet::Provider::Firewall::Firewall
- Defined in:
- lib/puppet/provider/firewall/firewall.rb
Overview
Implementation for the iptables type using the Resource API.
Class Method Summary collapse
- .create_absent(namevar, title) ⇒ Object private
-
.get_rules(context, basic, protocols = ['IPv4', 'IPv6']) ⇒ Object
private
Retrieve the rules Optional values lets you return a simplified set of data, used for determining order when adding/updating/deleting rules, while also allowing for the protocols used to retrieve the rules to be limited.
-
.hash_to_rule(_context, _name, rule) ⇒ Object
private
Converts a given hash value to a command line argument.
-
.insert_order(context, name, chain, table, protocol) ⇒ Object
private
Find the correct position for our new rule in its chain This has been lifted from the previous provider in order to maintain the logic between them.
-
.process_get(_context, rule_hash, rule, counter) ⇒ Object
private
Certain attributes need custom logic to ensure that they are returning the correct information.
-
.process_input(should) ⇒ Object
private
Certain attributes need processed in ways that can vary between IPv4 and IPv6.
-
.rule_to_hash(_context, rule, table_name, protocol) ⇒ Object
private
Converts a given rule to a hash value.
-
.rule_to_name(_context, rule, table_name, protocol) ⇒ Object
private
Simplified version of ‘self.rules_to_hash’ meant to return name, chain and table only.
-
.validate_get(_context, rules) ⇒ Object
private
Verify that the information being retrieved is correct.
-
.validate_input(_is, should) ⇒ Object
private
Verify that the information being set is correct.
Instance Method Summary collapse
- #create(context, name, should) ⇒ Object
- #delete(context, name, is) ⇒ Object
-
#get(context) ⇒ Object
PUBLIC METHODS ######.
-
#insync?(context, _name, property_name, is_hash, should_hash) ⇒ Boolean
Custom insync method Needed for uid and gid.
- #set(context, changes) ⇒ Object
- #update(context, name, should) ⇒ Object
Class Method Details
.create_absent(namevar, title) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
726 727 728 729 730 731 732 733 734 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 726 def self.create_absent(namevar, title) result = if title.is_a? Hash title.dup else { namevar => title } end result[:ensure] = 'absent' result end |
.get_rules(context, basic, protocols = ['IPv4', 'IPv6']) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Retrieve the rules Optional values lets you return a simplified set of data, used for determining order when adding/updating/deleting rules,
while also allowing for the protocols used to retrieve the rules to be limited.
462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 462 def self.get_rules(context, basic, protocols = ['IPv4', 'IPv6']) # Create empty return array rules = [] counter = 1 # For each protocol protocols.each do |protocol| # Retrieve String containing all information iptables_list = Puppet::Provider.execute($list_command[protocol]) # Scan String to retrieve all Rules iptables_list.scan($table_regex).each do |table| table_name = table[0].scan($table_name_regex)[0][0] table[0].scan($rules_regex).each do |rule| raw_rules = if basic Puppet::Provider::Firewall::Firewall.rule_to_name(context, rule[0], table_name, protocol) else Puppet::Provider::Firewall::Firewall.rule_to_hash(context, rule[0], table_name, protocol) end # Process the returned values so that it is correct for our purposes rules << Puppet::Provider::Firewall::Firewall.process_get(context, raw_rules, rule[0], counter) counter += 1 end end # Return array end rules end |
.hash_to_rule(_context, _name, rule) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Converts a given hash value to a command line argument
917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 917 def self.hash_to_rule(_context, _name, rule) arguments = '' # We loop through an ordered list of all flags as the order that they are added is important $resource_list.each do |key| next unless rule[key] value = rule[key] # Ensure that the necesary module (`-m`) arguments are added when needed # addrtype and ipset are exceptions as they need to preface each instance @module_to_argument_mapping.each do |modules| # Skip unless the key is part of the module next unless modules[1].include?(key) # Skip if the module flag has already been added next if arguments.match(Regexp.new("-m #{modules[0]}")) # Add the module flag arguments += " -m #{modules[0]}" end # if resource is known_boolean if $known_booleans.include?(key) # If value is true, append command to arguments arguments += " #{$resource_map[key]}" if value next end # check for existence, retrieve string that follows if it is # certain resources may need special rules case key when :name, :string, :string_hex, :bytecode, :u32, :nflog_prefix, :log_prefix arguments += " #{[$resource_map[key], "'#{rule[key]}'"].join(' ')}" if rule[key].match?(%r{^[^!]}) # if standard arguments += " #{['!', $resource_map[key], "'#{rule[key].gsub(%r{^!\s?}, '')}'"].join(' ')}" if rule[key].match?(%r{^!}) # if negated when :sport, :dport if rule[key].is_a?(Array) && rule[key][0].to_s.match(%r{^!}) # Negated Multiport split_comannd = $resource_map[key][0].split(%r{ }) negated_command = [split_comannd[0], split_comannd[1], '!', split_comannd[2]].join(' ') value = rule[key].join(',').gsub(%r{^!\s?}, '') arguments += " #{[negated_command, value].join(' ')}" elsif rule[key].is_a?(Array) # Standard Multiport arguments += " #{[$resource_map[key][0], rule[key].join(',')].join(' ')}" elsif rule[key].to_s.match?(%r{^!}) # Negated Standard arguments += " #{['!', $resource_map[key][1], rule[key].gsub(%r{^!\s?}, '')].join(' ')}" else # Standard arguments += " #{[$resource_map[key][1], rule[key]].join(' ')}" end when :src_type, :dst_type, :ipset, :match_mark, :mss, :connmark # Code for if value requires it's own flag each time it is applied split_command = $resource_map[key].split(%r{ }) negated_command = [split_command[0], split_command[1], '!', split_command[2]].join(' ') # If a string, wrap as an array to simplify the code rule[key] = [rule[key]] if rule[key].is_a?(String) rule[key].each do |ru| arguments += " #{$resource_map[key]} #{ru}" unless ru.match?(%r{^!}) arguments += " #{negated_command} #{ru.gsub(%r{^!\s?}, '')}" if ru.match?(%r{^!}) end when :state, :ctstate, :ctstatus, :month_days, :week_days # Code for if value is an array and all values are joined together and passed as part of a single flag # If not an array, wrap as an array to simplify the code rule[key] = [rule[key]] unless rule[key].is_a?(Array) int_attr = [:month_days] arguments += " #{[$resource_map[key], rule[key].join(',')].join(' ')}" if int_attr.include?(key) || rule[key][0].match(%r{^[^!]}) # if standard arguments += " #{['!', $resource_map[key], rule[key].join(',').gsub(%r{^!\s?}, '')].join(' ')}" if !int_attr.include?(key) && rule[key][0].match(%r{^!}) # if negated when :icmp case rule[:protocol] when 'IPv4', 'iptables' proto = 0 when 'IPv6', 'ip6tables' proto = 1 end # Retrieve the correct command for the protocol # A command is generated to be used for negation split_comannd = $resource_map[key][proto].split(%r{ }) negated_command = [split_comannd[0], split_comannd[1], '!', split_comannd[2]].join(' ') arguments += " #{[$resource_map[key][proto], rule[key]].join(' ')}" if rule[key].match?(%r{^[^!]}) # if standard arguments += " #{[negated_command, rule[key].gsub(%r{^!\s?}, '')].join(' ')}" if rule[key].match?(%r{^!}) # if negated when :recent # Add value after command, if negated add negation before command # Preface the value of recent with `--` arguments += " #{$resource_map[key]} --#{rule[key]}" if rule[key].match?(%r{^[^!]}) # if standard arguments += " #{$resource_map[key]} ! --#{rule[key].gsub(%r{^!\s?}, '')}" if rule[key].match?(%r{^!}) # if negated when :rpfilter # Add value after command # Preface the value of recent with `--` # If a string, wrap as an array to simplify the code rule[key] = [rule[key]] if rule[key].is_a?(String) arguments += " #{$resource_map[key]} --#{rule[key].join(' --')}" when :proto, :source, :destination, :iniface, :outiface, :physdev_in, :physdev_out, :src_range, :dst_range, :tcp_option, :tcp_flags, :uid, :gid, :mac_source, :pkttype, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctexpire, :cgroup, :hop_limit # Add value after command, if negated add negation before command arguments += " #{[$resource_map[key], rule[key]].join(' ')}" if rule[key].is_a?(Integer) || rule[key].match?(%r{^[^!]}) # if standard arguments += " #{['!', $resource_map[key], rule[key].gsub(%r{^!\s?}, '')].join(' ')}" if rule[key].is_a?(String) && rule[key].match?(%r{^!}) # if negated else # :chain, stat_mode, stat_every, stat_packet, stat_probability, socket, ipsec_dir, ipsec_policy, :ctdir, # :limit, :burst, :length, :rseconds, :rhitcount, :rname, :mask, :string_algo, :string_from, :string_to, # :jump, :goto, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, # :clusterip_hash_init, :queue_num, :nflog_group, :nflog_range, :nflog_size, :nflog_threshold, # :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :log_level, # :reject, :set_mark, :connlimit_upto, :connlimit_above, :connlimit_mask, :time_start, :time_stop, :date_start, # :date_stop, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, # :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, # :hashlimit_htable_gcinterval, :zone, :helper, :condition # Add value after command arguments += " #{[$resource_map[key], rule[key]].join(' ')}" end end arguments end |
.insert_order(context, name, chain, table, protocol) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Find the correct position for our new rule in its chain This has been lifted from the previous provider in order to maintain the logic between them
1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 1036 def self.insert_order(context, name, chain, table, protocol) rules = [] # Find any rules that match the given chain and table pairing Puppet::Provider::Firewall::Firewall.get_rules(context, true, [protocol]).each do |rule| rules << rule[:name] if rule[:chain] == chain && rule[:table] == table end # If no rules found, return 1 return 1 if rules.empty? # Find if this is a new or eisting rule if rules.include? name # If the rule already exists, use it as the offset offset_rule = name else # If it doesn't add it to the list and find it's ordered location rules << name new_rule_location = rules.sort.uniq.index(name) offset_rule = if new_rule_location.zero? # First and only rule rules[0] else # This rule will come after other managed rules, so find the rule # immediately preceeding it. rules.sort.uniq[new_rule_location - 1] end end # Count how many unmanaged rules are ahead of the target rule so we know # how much to add to the insert order unnamed_offset = rules[0..rules.index(offset_rule)].reduce(0) do |sum, rule| # This regex matches the names given to unmanaged rules (a number # 9000-9999 followed by an MD5 hash). sum + (rule.match($unmanaged_rule_regex) ? 1 : 0) end # We want our rule to come before unmanaged rules if it's not a 9-rule unnamed_offset -= 1 if offset_rule.match($unmanaged_rule_regex) && !name.match(%r{^9}) # Insert our new or updated rule in the correct order of named rules, but # offset for unnamed rules. sorted_rules = rules.reject { |r| r.match($unmanaged_rule_regex) }.sort sorted_rules.index(name) + 1 + unnamed_offset end |
.process_get(_context, rule_hash, rule, counter) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Certain attributes need custom logic to ensure that they are returning the correct information
703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 703 def self.process_get(_context, rule_hash, rule, counter) # Puppet-firewall requires that all rules have structured comments (resource names) and will fail if a # rule in iptables does not have a matching comment. if !rule_hash.key?(:name) num = 9000 + counter rule_hash[:name] = "#{num} #{Digest::SHA256.hexdigest(rule)}" elsif !rule_hash[:name].match(%r{(^\d+(?:[ \t-]\S+)+$)}) num = 9000 + counter rule_hash[:name] = "#{num} #{rule_hash[:name]}" end # If no specific proto has been set we treat it as having `all` set rule_hash[:proto] = 'all' unless rule_hash[:proto] # Certain OS can return the proto as it;s equivalent number and we make sure to convert it in that case rule_hash[:proto] = PuppetX::Firewall::Utility.proto_number_to_name(rule_hash[:proto]) # If a dscp numer is found, also return it as it's valid class name rule_hash[:set_dscp_class] = PuppetX::Firewall::Utility.dscp_number_to_class(rule_hash[:set_dscp]) if rule_hash[:set_dscp] rule_hash end |
.process_input(should) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Certain attributes need processed in ways that can vary between IPv4 and IPv6
854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 854 def self.process_input(should) # `dport`, `sport` `state` `ctstate` and `ctstatus` arrays should only have the first value negated. [:dport, :sport, :state, :ctstate, :ctstatus].each do |key| next unless should[key].is_a?(Array) negated = true if %r{^!\s}.match?(should[key][0].to_s) should[key].each_with_index do |_value, _index| should[key] = should[key].map { |value| value.to_s.tr('! ', '') } end should[key][0] = ['!', should[key][0]].join(' ') if negated end # `jump` common values should always be uppercase jump_common_values = ['accept', 'reject', 'drop', 'queue', 'return', 'dnat', 'snat', 'log', 'nflog', 'netmp', 'masquerade', 'redirect', 'mark', 'ct'] should[:jump] = should[:jump].upcase if should[:jump] && jump_common_values.include?(should[:jump].downcase) # `source` and `destination` must be put through host_to_mask should[:source] = PuppetX::Firewall::Utility.host_to_mask(should[:source], should[:protocol]) if should[:source] should[:destination] = PuppetX::Firewall::Utility.host_to_mask(should[:destination], should[:protocol]) if should[:destination] # ct attributes must be put through host_to_mask with certain masks then being removed ct = [:ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst] ct.each do |c| break unless should[c] value = PuppetX::Firewall::Utility.host_to_mask(should[c], should[:protocol]) should[c] = if should[:protocol] == 'IPv4' value.chomp('/32') else value.chomp('/128') end end # `icmp` needs to be converted to a number if passed as a string should[:icmp] = PuppetX::Firewall::Utility.icmp_name_to_number(should[:icmp], should[:protocol]) if should[:icmp] # `log_level` needs to be converted to a number if passed as a string should[:log_level] = PuppetX::Firewall::Utility.log_level_name_to_number(should[:log_level]) if should[:log_level] # `set_mark`, `match_mark` and `connmark` must be applied in hexidecimal format should[:set_mark] = PuppetX::Firewall::Utility.mark_mask_to_hex(should[:set_mark]) if should[:set_mark] should[:match_mark] = PuppetX::Firewall::Utility.mark_to_hex(should[:match_mark]) if should[:match_mark] should[:connmark] = PuppetX::Firewall::Utility.mark_to_hex(should[:connmark]) if should[:connmark] # `time_start` and `time_stop` must be applied in full HH:MM:SS format time = [:time_start, :time_stop] time.each do |t| should[t] = "0#{should[t]}" if %r{^([0-9]):}.match?(should[t]) should[t] = "#{should[t]}:00" if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(should[t]) end # If `sport/dport` range has been passed with `-`, replace with `:` should[:sport] = should[:sport].to_s.tr('-', ':') if should[:sport].is_a?(String) should[:dport] = should[:dport].to_s.tr('-', ':') if should[:dport].is_a?(String) should[:sport] = should[:sport].map { |port| port.to_s.tr('-', ':') } if should[:sport].is_a?(Array) should[:dport] = should[:dport].map { |port| port.to_s.tr('-', ':') } if should[:dport].is_a?(Array) should end |
.rule_to_hash(_context, rule, table_name, protocol) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Converts a given rule to a hash value
510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 510 def self.rule_to_hash(_context, rule, table_name, protocol) # loop through resource map rule_hash = {} rule_hash[:ensure] = 'present' rule_hash[:table] = table_name rule_hash[:protocol] = protocol rule_hash[:line] = rule # Add the ensure parameter first $resource_map.each do |key, value| if $known_booleans.include?(key) # check for flag with regex, add a space/line end to ensure accuracy with the more simplistic flags; i.e. `-f`, `--random` rule_hash[key] = if rule.match(Regexp.new("#{value}(\\s|$)")) true else false end next end case key when :name, :string, :string_hex, :bytecode, :u32, :nflog_prefix, :log_prefix # When :name/:string/:string_hex/:bytecode, return everything inside the double quote pair following the key value # When only a single word comment is returned no quotes are given, so we must check for this as well # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. `-i` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!\\s))?#{value}\\s(?:\"([^\"]*)|([^\"\\s]*))") key_value = rule.scan(value_regex)[0] # Combine the returned values and remove and trailing or leading whitespace key_value[1] = [key_value[0], key_value[1], key_value[2]].join rule_hash[key] = key_value[1] if key_value[1] end when :sport, :dport split_value_regex = value[0].split(%r{ }) negated_multi_regex = [split_value_regex[0], split_value_regex[1], '!', split_value_regex[2]].join(' ') if rule.match(value[0]) # First check against the multiport value, if found split and return as an array value_regex = Regexp.new("#{value[0]}\\s(\\S+)") key_value = rule.scan(value_regex)[0] rule_hash[key] = key_value[0].split(%r{,}) elsif rule.match(negated_multi_regex) # Next check against a negated multiport value, if found split and return as an array with the first value negated value_regex = Regexp.new("#{negated_multi_regex}\\s(\\S+)") key_value = rule.scan(value_regex)[0] # Add '!' to the beginning of the first value to show it as negated split_value = key_value[0].split(%r{,}) split_value[0] = "! #{split_value[0]}" rule_hash[key] = split_value elsif rule.match(value[1]) # If no multi value matches, check against the regular value instead value_regex = Regexp.new("(?:(!)\\s)?#{value[1]}\\s(\\S+)") key_value = rule.scan(value_regex)[0] # If it is negated, combine the retrieved '!' with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? rule_hash[key] = key_value[1] end when :tcp_flags # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. `-i` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!)\\s)?#{value}\\s(\\S+)\\s(\\S+)") key_value = rule.scan(value_regex)[0] # If a negation is found combine it with the first retrieved value, then combine both values key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? rule_hash[key] = [key_value[1], key_value[2]].join(' ') end when :src_type, :dst_type, :ipset, :match_mark, :mss, :connmark split_regex = value.split(%r{ }) if rule.match(Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s")) # The exact information retrieved changes dependeing on the key type_attr = [:src_type, :dst_type] value_regex = Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s(\\S+)\\s?(--limit-iface-(?:in|out))?") if type_attr.include?(key) ip_attr = [:ipset] value_regex = Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s(\\S+\\s\\S+)") if ip_attr.include?(key) mark_attr = [:match_mark, :mss, :connmark] value_regex = Regexp.new("#{split_regex[1]}\\s(?:(!)\\s)?#{split_regex[2]}\\s(\\S+)") if mark_attr.include?(key) # Since multiple values can be recovered, we must loop through each instance type_value = [] key_value = rule.scan(value_regex) key_value.length.times do |i| type_value.append(key_value[i].join(' ').strip) if key_value[i] end # If only a single value was found return as a string rule_hash[key] = type_value[0] if type_value.length == 1 rule_hash[key] = type_value if type_value.length > 1 end when :state, :ctstate, :ctstatus, :month_days, :week_days if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!)\\s)?#{value}\\s(\\S+)") key_value = rule.scan(value_regex) split_value = key_value[0][1].split(%r{,}) # If negated add to first value split_value[0] = [key_value[0][0], split_value[0]].join(' ') unless key_value[0][0].nil? # If value is meant to be Int, return as such int_attr = [:month_days] split_value = split_value.map(&:to_i) if int_attr.include?(key) # If only a single value is found, strip the Array wrapping split_value = split_value[0] if split_value.length == 1 rule_hash[key] = split_value end when :icmp case protocol when 'IPv4', 'iptables' proto = 0 when 'IPv6', 'ip6tables' proto = 1 end if rule.match(Regexp.new("#{value[proto]}\\s")) value_regex = Regexp.new("#{value[proto]}\\s(\\S+)") key_value = rule.scan(value_regex)[0] rule_hash[key] = key_value[0] end when :recent if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("#{value}\\s(!\\s)?--(\\S+)") key_value = rule.scan(value_regex)[0] # If it has, combine the retrieved '!' with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join unless key_value[0].nil? rule_hash[key] = key_value[1] if key_value end when :rpfilter if rule.match(Regexp.new("#{value}\\s--")) # Since the values are their own flags we can simply look for them directly value_regex = Regexp.new("(?:\s--(invert|validmark|loose|accept-local))") key_value = rule.scan(value_regex) return_value = [] key_value.each do |val| return_value << val[0] end rule_hash[key] = return_value[0] if return_value.length == 1 rule_hash[key] = return_value if return_value.length > 1 end when :proto, :source, :destination, :iniface, :outiface, :physdev_in, :physdev_out, :src_range, :dst_range, :tcp_option, :uid, :gid, :mac_source, :pkttype, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctexpire, :cgroup, :hop_limit # Values where negation is prior to the flag # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. `-i` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("(?:(!)\\s)?#{value}\\s(\\S+)") key_value = rule.scan(value_regex)[0] # If it has, combine the retrieved '!' with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? rule_hash[key] = key_value[1] if key_value end else # stat_mode, stat_every, stat_packet, stat_probability, socket, ipsec_dir, ipsec_policy, :ctdir, # :limit, :burst, :length, :rseconds, :rhitcount, :rname, :mask, :string_algo, :string_from, :string_to, # :jump, :goto, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, # :clusterip_hash_init, :queue_num, :nflog_group, :nflog_range, :nflog_size, :nflog_threshold, # :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :log_level, # :reject, :set_mark, :connlimit_upto, :connlimit_above, :connlimit_mask, :time_start, :time_stop, :date_start, # :date_stop, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, # :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, # :hashlimit_htable_gcinterval, :zone, :helper, :condition # Default return, retrieve first complete block following the key value # First find if flag is present, add a space to ensure accuracy with the more simplistic flags; i.e. `-j`, `--to` if rule.match(Regexp.new("#{value}\\s")) value_regex = Regexp.new("#{value}(?:\\s(!)\\s|\\s{1,2})(\\S+)") key_value = rule.scan(value_regex)[0] # If it has, combine the retrieved '!' with the actual value to make one string key_value[1] = [key_value[0], key_value[1]].join(' ') unless key_value[0].nil? # If value is meant to return as an integer/float ensure it does int_attr = [:stat_every, :stat_packet, :burst, :rseconds, :rhitcount, :string_from, :string_to, :clusterip_total_nodes, :clusterip_local_nodes, :nflog_group, :nflog_range, :nflog_size, :nflog_threshold, :set_mss, :connlimit_upto, :connlimit_above, :connlimit_mask, :hashlimit_burst, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :zone] key_value[1] = key_value[1].to_i if int_attr.include?(key) if key == :stat_probability && key_value[1].include?('.') key_value[1] = key_value[1].to_f elsif key == :stat_probability key_value[1] = key_value[1].to_i end rule_hash[key] = key_value[1] if key_value end end end rule_hash end |
.rule_to_name(_context, rule, table_name, protocol) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Simplified version of ‘self.rules_to_hash’ meant to return name, chain and table only
491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 491 def self.rule_to_name(_context, rule, table_name, protocol) rule_hash = {} rule_hash[:ensure] = 'present' rule_hash[:table] = table_name rule_hash[:protocol] = protocol name_regex = Regexp.new("#{$resource_map[:name]}\\s(?:\"([^\"]*)|([^\"\\s]*))") name_value = rule.scan(name_regex)[0] # Combine the returned values and remove and trailing or leading whitespace rule_hash[:name] = [name_value[0], name_value[1]].join(' ').strip if name_value chain_regex = Regexp.new("#{$resource_map[:chain]}\\s(\\S+)") rule_hash[:chain] = rule.scan(chain_regex)[0][0] rule_hash end |
.validate_get(_context, rules) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Verify that the information being retrieved is correct
691 692 693 694 695 696 697 698 699 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 691 def self.validate_get(_context, rules) # Verify that names are unique names = [] rules.each do |rule| names << rule[:name] end raise ArgumentError, 'Duplicate names have been found within your Firewalls. This prevents the module from working correctly and must be manually resolved.' if names.length != names.uniq.length # Verify that the current order of the retrieved puppet rules is correct end |
.validate_input(_is, should) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Verify that the information being set is correct
740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 740 def self.validate_input(_is, should) # Verify that name does not start with 9000-9999, this range has been reserved. Ignore check when deleting the rule raise ArgumentError, 'Rule name cannot start with 9000-9999, as this range is reserved for unmanaged rules.' if should[:name].match($unmanaged_rule_regex) && should[:ensure].to_s == 'present' # `isfragment` can only be set when `proto` is `tcp` raise ArgumentError, '`proto` must be set to `tcp` for `isfragment` to be true.' if should[:isfragment] && should[:proto] != 'tcp' # `stat_mode` must be set to `nth` for `stat_every` and `stat_packet` to be set raise ArgumentError, '`stat_mode` must be set to `nth` for `stat_every` to be set.' if should[:stat_every] && should[:stat_mode] != 'nth' raise ArgumentError, '`stat_mode` must be set to `nth` for `stat_packet` to be set.' if should[:stat_packet] && should[:stat_mode] != 'nth' # `stat_mode` must be set to `random` for `stat_probability` to be set raise ArgumentError, '`stat_mode` must be set to `random` for `stat_probability` to be set.' if should[:stat_probability] && should[:stat_mode] != 'random' # Verify that if dport/sport/state/ctstate/ctstatus is passed as an array, that any negation includes either the first value or al values [:dport, :sport, :state, :ctstate, :ctstatus].each do |key| next unless should[key].is_a?(Array) negated_values = 0 should[key].each do |value| negated_values += 1 if %r{^!\s}.match?(value.to_s) end next unless (negated_values == 1 && !should[key][0].to_s.match(%r{^!\s})) || (negated_values >= 2 && negated_values != should[key].length) raise ArgumentError, "When negating a `#{key}` array, you must negate either the first given value only or all the given values." end raise ArgumentError, 'Value `any` is not valid. This behaviour should be achieved by omitting or undefining the ICMP parameter.' if should[:icmp] && should[:icmp] == 'any' raise ArgumentError, '`burst` cannot be set without `limit`.' if should[:burst] && !(should[:limit]) # Verify that a correct range has been passed for `length` if should[:length] match = should[:length].to_s.match('^([0-9]+)(?::)?([0-9]+)?$') low = match[1].to_i high = match[2].to_i if match[2] raise ArgumentError, '`length` values must be between 0 and 65535' if (low.negative? || low > 65_535) || (!high.nil? && (high.negative? || high > 65_535 || high < low)) end # Recent module raise ArgumentError, '`recent` must be set to `update` or `rcheck` for `rseconds` to be set.' if should[:rseconds] && (should[:recent] != 'update' && should[:recent] != 'rcheck') raise ArgumentError, '`rseconds` must be set for `reap` to be set.' if should[:reap] && !should[:rseconds] raise ArgumentError, '`recent` must be set to `update` or `rcheck` for `rhitcount` to be set.' if should[:rhitcount] && (should[:recent] != 'update' && should[:recent] != 'rcheck') raise ArgumentError, '`recent` must be set to `update` or `rcheck` for `rttl` to be set.' if should[:rttl] && (should[:recent] != 'update' && should[:recent] != 'rcheck') raise ArgumentError, '`recent` must be set for `rname` to be set.' if should[:rname] && !should[:recent] raise ArgumentError, '`recent` must be set for `rsource` to be set.' if should[:rsource] && !should[:recent] raise ArgumentError, '`recent` must be set for `rdest` to be set.' if should[:rdest] && !should[:recent] raise ArgumentError, '`rdest` and `rsource` are mutually exclusive, only one may be set at a time.' if should[:rsource] && should[:rdest] # String module raise ArgumentError, '`string_algo` must be set for `string` or `string_hex` to be set.' if (should[:string] || should[:string_hex]) && !(should[:string_algo]) # NFQUEUE raise ArgumentError, '`queue_num`` must be between 0 and 65535' if should[:queue_num] && (should[:queue_num].to_i > 65_535 || should[:queue_num].to_i.negative?) # Jump # `2^16-1` is equal to `65_535` raise ArgumentError, '`nflog_group` must be between 0 and 2^16-1' if should[:nflog_group] && (should[:nflog_group].to_i > 65_535 || should[:queue_num].to_i.negative?) raise ArgumentError, 'When setting `jump => TEE`, the gateway property is required' if should[:jump] == 'TEE' && !should[:gateway] raise ArgumentError, 'When setting `jump => TCPMSS`, the `set_mss` or `clamp_mss_to_pmtu` property is required' if should[:jump] == 'TCPMSS' && !(should[:set_mss] || should[:clamp_mss_to_pmtu]) raise ArgumentError, 'When setting `jump => DSCP`, the `set_dscp` or `set_dscp_class` property is required' if should[:jump] == 'DSCP' && !(should[:set_dscp] || should[:set_dscp_class]) raise ArgumentError, 'Parameter `jump => DNAT` only applies to `table => nat`' if should[:jump] == 'DNAT' && should[:table] != 'nat' raise ArgumentError, 'Parameter `jump => DNAT` must have `todest` parameter' if (should[:jump] == 'DNAT' && !should[:todest]) || (should[:jump] != 'DNAT' && should[:todest]) raise ArgumentError, 'Parameter `jump => SNAT` only applies to `table => nat`' if should[:jump] == 'SNAT' && should[:table] != 'nat' raise ArgumentError, 'Parameter `jump => SNAT` must have `tosource` parameter' if (should[:jump] == 'SNAT' && !should[:tosource]) || (should[:jump] != 'SNAT' && should[:tosource]) raise ArgumentError, 'Parameter `checksum_fill` requires `jump => CHECKSUM` and `table => mangle`' if should[:checksum_fill] && !(should[:jump] == 'CHECKSUM' && should[:table] == 'mangle') [:log_prefix, :log_level, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options].each do |log| raise ArgumentError, "Parameter `#{log}` requires `jump => LOG`" if should[log] && should[:jump] != 'LOG' end raise ArgumentError, 'Parameter `jump => CT` only applies to `table => raw`' if should[:jump] == 'CT' && should[:table] != 'raw' raise ArgumentError, 'Parameter `zone` requires `jump => CT`' if should[:zone] && should[:jump] != 'CT' raise ArgumentError, 'Parameter `helper` requires `jump => CT`' if should[:helper] && should[:jump] != 'CT' raise ArgumentError, 'Parameter `notrack` requires `jump => CT`' if should[:notrack] && should[:jump] != 'CT' # Connlimit raise ArgumentError, 'Parameter `connlimit_mask` requires either `connlimit_upto` or `connlimit_above`' if should[:connlimit_mask] && !(should[:connlimit_upto] || should[:connlimit_above]) # Hashlimit [:hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval].each do |hash| next unless should[hash] && (!should[:hashlimit_name] || !(should[:hashlimit_upto] || should[:hashlimit_above])) raise ArgumentError, 'Parameter `hashlimit_name` and either `hashlimit_upto` or `hashlimit_above` are required when setting any `hashlimit` attribute.' end raise ArgumentError, '`hashlimit_upto` and `hashlimit_above` are mutually exclusive, only one may be set at a time.' if should[:hashlimit_upto] && should[:hashlimit_above] # Protocol ipv4_only = [:clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init] ipv4_only.each do |ipv4| raise ArgumentError, "Parameter `#{ipv4}` is specific to the `IPv4` protocol" if should[ipv4] && !(should[:protocol] == 'IPv4' || should[:protocol] == 'iptables') end ipv6_only = [:hop_limit, :ishasmorefrags, :islastfrag, :isfirstfrag] ipv6_only.each do |ipv6| raise ArgumentError, "Parameter `#{ipv6}` is specific to the `IPv6` protocol" if should[ipv6] && !(should[:protocol] == 'IPv6' || should[:protocol] == 'ip6tables') end ## Array elements must be unique [:dst_type, :src_type].each do |key| next unless should[key].is_a?(Array) raise ArgumentError, "`#{key}` elements must be unique" if should[key].map { |type| type.to_s.gsub(%r{--limit-iface-(in|out)}, '') }.uniq.length != should[key].length end # Log prefix size is limited raise ArgumentError, 'Parameter `nflog_prefix`` must be less than 64 characters' if should[:nflog_prefix] && should[:nflog_prefix].length > 64 [:dst_range, :src_range].each do |key| next unless should[key] matches = %r{^([^\-/]+)-([^\-/]+)$}.match(should[key]) raise(ArgumentError, 'The IP range must be in `IP1-IP2` format.') unless matches [matches[1], matches[2]].each do |addr| begin # rubocop:disable Style/RedundantBegin PuppetX::Firewall::Utility.host_to_ip(addr, should[:protocol]) rescue StandardError raise(ArgumentError, "Invalid IP address `#{addr}` in range `#{should[key]}`") end end end end |
Instance Method Details
#create(context, name, should) ⇒ Object
298 299 300 301 302 303 304 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 298 def create(context, name, should) context.notice("Creating Rule '#{name}' with #{should.inspect}") position = Puppet::Provider::Firewall::Firewall.insert_order(context, name, should[:chain], should[:table], should[:protocol]) arguments = Puppet::Provider::Firewall::Firewall.hash_to_rule(context, name, should) Puppet::Provider.execute([$base_command[should[:protocol]], should[:table], $rule_create_command, should[:chain], position, arguments].join(' ')) PuppetX::Firewall::Utility.persist_iptables(context, name, should[:protocol]) end |
#delete(context, name, is) ⇒ Object
314 315 316 317 318 319 320 321 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 314 def delete(context, name, is) context.notice("Deleting Rule '#{name}'") # When deleting we use the retrieved iptables-save append command as a base # We do this to ensure accuracy when removing non-standard (i.e. uncommented) rules via the firewallchain purge function arguments = is[:line].gsub(%r{^-A}, $rule_delete_command) Puppet::Provider.execute([$base_command[is[:protocol]], is[:table], arguments].join(' ')) PuppetX::Firewall::Utility.persist_iptables(context, name, is[:protocol]) end |
#get(context) ⇒ Object
PUBLIC METHODS ######
259 260 261 262 263 264 265 266 267 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 259 def get(context) # Call the private method which returns the rules # The method is seperated out in this way as it is re-used later in the code rules = Puppet::Provider::Firewall::Firewall.get_rules(context, false) # Verify the returned data Puppet::Provider::Firewall::Firewall.validate_get(context, rules) # Return array rules end |
#insync?(context, _name, property_name, is_hash, should_hash) ⇒ Boolean
Custom insync method Needed for uid and gid
325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 325 def insync?(context, _name, property_name, is_hash, should_hash) context.debug("Checking whether '#{property_name}' is out of sync") # If either value is nil, no custom logic is required return nil if is_hash[property_name].nil? || should_hash[property_name].nil? case property_name when :protocol is = is_hash[property_name] should = should_hash[property_name] # Ensure the should value accurately matches the is should = 'IPv4' if should == 'iptables' should = 'IPv6' if should == 'ip6tables' is == should when :source, :destination # Ensure source/destination has it's valid mask before you compare it is_hash[property_name] == PuppetX::Firewall::Utility.host_to_mask(should_hash[property_name], should_hash[:protocol]) when :tcp_option, :ctproto, :hop_limit # Ensure that the values are compared as strings is_hash[property_name] == should_hash[property_name].to_s when :tcp_flags # Custom logic to account for `ALL` being returned as `FIN,SYN,RST,PSH,ACK,URG` is = is_hash[property_name].split should = should_hash[property_name].split is = is.map { |x| (x == 'FIN,SYN,RST,PSH,ACK,URG') ? 'ALL' : x } should = should.map { |x| (x == 'FIN,SYN,RST,PSH,ACK,URG') ? 'ALL' : x } is.join(' ') == should.join(' ') when :uid, :gid require 'etc' # The following code allow us to take into consideration unix mappings # between string usernames and UIDs (integers). We also need to ignore # spaces as they are irrelevant with respect to rule sync. # Remove whitespace is = is_hash[property_name].to_s.gsub(%r{\s+}, '') should = should_hash[property_name].to_s.gsub(%r{\s+}, '') # Keep track of negation, but remove the '!' is_negate = '' should_negate = '' if is.start_with?('!') is = is.gsub(%r{^!}, '') is_negate = '!' end if should.start_with?('!') should = should.gsub(%r{^!}, '') should_negate = '!' end # If 'is' or 'should' contain anything other than digits or digit range, # we assume that we have to do a lookup to convert to UID is = Etc.getpwnam(is).uid unless is[%r{[0-9]+(-[0-9]+)?}] == is should = Etc.getpwnam(should).uid unless should[%r{[0-9]+(-[0-9]+)?}] == should "#{is_negate}#{is}" == "#{should_negate}#{should}" when :mac_source, :jump # Value of mac_source/jump may be downcased or upcased when returned depending on the OS is_hash[property_name].casecmp(should_hash[property_name]).zero? when :icmp # Ensure that the values are compared to each other as icmp code numbers is = PuppetX::Firewall::Utility.icmp_name_to_number(is_hash[property_name], is_hash[:protocol]) should = PuppetX::Firewall::Utility.icmp_name_to_number(should_hash[property_name], should_hash[:protocol]) is == should when :log_level # Ensure that the values are compared to each other as log level numbers is = PuppetX::Firewall::Utility.log_level_name_to_number(is_hash[property_name]) should = PuppetX::Firewall::Utility.log_level_name_to_number(should_hash[property_name]) is == should when :set_mark # Ensure that the values are compared to eachother in hexidecimal format is = PuppetX::Firewall::Utility.mark_mask_to_hex(is_hash[property_name]) should = PuppetX::Firewall::Utility.mark_mask_to_hex(should_hash[property_name]) is == should when :match_mark, :connmark # Ensure that the values are compared to eachother in hexidecimal format is = PuppetX::Firewall::Utility.mark_to_hex(is_hash[property_name]) should = PuppetX::Firewall::Utility.mark_to_hex(should_hash[property_name]) is == should when :time_start, :time_stop # Ensure the values are compared in full `00:00:00` format is = is_hash[property_name] should = should_hash[property_name] should = "0#{should}" if %r{^([0-9]):}.match?(should) should = "#{should}:00" if %r{^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$}.match?(should) is == should when :dport, :sport, :state, :ctstate, :ctstatus is = is_hash[property_name] should = should_hash[property_name] # Unique logic is only needed when both values are arrays return nil unless is.is_a?(Array) && should.is_a?(Array) # Ensure values are sorted # Ensure any negation includes only the first value is_negated = true if %r{^!\s}.match?(is[0].to_s) is.each_with_index do |_value, _index| is = is.map { |value| value.to_s.tr('! ', '') }.sort end is[0] = ['!', is[0]].join(' ') if is_negated should_negated = true if %r{^!\s}.match?(should[0].to_s) should.each_with_index do |_value, _index| should = should.map { |value| value.to_s.tr('! ', '') }.sort # Port range can be passed as `-` but will always be set/returned as `:` ports = [:dport, :sport] should = should.map { |value| value.to_s.tr('-', ':') }.sort if ports.include?(property_name) end should[0] = ['!', should[0]].join(' ') if should_negated is == should when :string_hex # Compare the values with any whitespace removed is = is_hash[property_name].to_s.gsub(%r{\s+}, '') should = should_hash[property_name].to_s.gsub(%r{\s+}, '') is == should else # Ensure that if both values are arrays, that they are sorted prior to comparison return nil unless is_hash[property_name].is_a?(Array) && should_hash[property_name].is_a?(Array) is_hash[property_name].sort == should_hash[property_name].sort end end |
#set(context, changes) ⇒ Object
269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 269 def set(context, changes) changes.each do |name, change| is = change[:is] should = change[:should] is = PuppetX::Firewall::Utility.create_absent(:name, name) if is.nil? should = PuppetX::Firewall::Utility.create_absent(:name, name) if should.nil? # Run static verification against both sets of values Puppet::Provider::Firewall::Firewall.validate_input(is, should) # Process the intended values so that they are inputed as they should be should = Puppet::Provider::Firewall::Firewall.process_input(should) if is[:ensure].to_s == 'absent' && should[:ensure].to_s == 'present' context.creating(name) do create(context, name, should) end elsif is[:ensure].to_s == 'present' && should[:ensure].to_s == 'absent' context.deleting(name) do delete(context, name, is) end elsif is[:ensure].to_s == 'present' context.updating(name) do update(context, name, should) end end end end |
#update(context, name, should) ⇒ Object
306 307 308 309 310 311 312 |
# File 'lib/puppet/provider/firewall/firewall.rb', line 306 def update(context, name, should) context.notice("Updating Rule '#{name}' with #{should.inspect}") position = Puppet::Provider::Firewall::Firewall.insert_order(context, name, should[:chain], should[:table], should[:protocol]) arguments = Puppet::Provider::Firewall::Firewall.hash_to_rule(context, name, should) Puppet::Provider.execute([$base_command[should[:protocol]], should[:table], $rule_update_command, should[:chain], position, arguments].join(' ')) PuppetX::Firewall::Utility.persist_iptables(context, name, should[:protocol]) end |