Method: PuppetX::SIMP::IPTables#report

Defined in:
lib/puppetx/simp/iptables.rb

#report(to_ignore = [], enable_tracking = true) ⇒ Hash

Produces a hash-based report on the number of iptables rules, and type of operation in a given chain.

The report hash is simply a key to count match of each of the different rule types for ease of comparison.

You may optionally pass an array of compiled regular expressions. If any are given, every rule whose interface, chain, or jump matches one of them is left out of the report.

Parameters:

  • to_ignore (Array[Regexp]) (defaults to: [])

    Regular expressions that should be ignored

Returns:

  • (Hash)


# File 'lib/puppetx/simp/iptables.rb', line 364

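# Produces a hash-based report on the number of iptables rules, and the type
# of operation, in a given chain.
#
# The report is a nested hash, keyed by table, then chain, so that two
# reports can be compared directly:
#
#   {
#     table => {
#       chain => {
#         'in_iface|out_iface|jump' => { count: Integer },
#         parts:    Set[String],  # protocol/address/port fragments seen in the chain
#         tracking: Set[...]      # rule.rule_hash per rule, only when enable_tracking
#       }
#     }
#   }
#
# Rules whose chain, jump, input interface or output interface match any of
# the given regular expressions are left out of the report entirely. Rules
# with no interface and no jump contribute nothing beyond the chain entry.
#
# @param to_ignore [Array[Regexp]] Regular expressions that should be ignored
# @param enable_tracking [Boolean] Whether to record each rule's `rule_hash`
#   under `:tracking` (exact, but fragile, matching)
# @return [Hash]
def report(to_ignore = [], enable_tracking = true)
  result = {}

  # These get stripped out by the underlying iptables, so they never count
  # as a distinguishing rule part.
  listen_all = ['0.0.0.0/0', '::/0', '::0/0']

  # Loose matcher for the protocol, address/CIDR and port fragments of a
  # rule; deliberately "better effort" rather than an exact parse.
  part_regex = %r{(?:\s(?:tcp|udp|udplite|icmp|esp|ah|sctp|mh|(?:\d\.|\S:).+?/\d+)|-\S+?port.+?\d+)(?:\s|$)}

  tables.each do |table|
    result[table] ||= {}

    rules(table).each do |rule|
      # Any identifying field matching any ignore pattern drops the rule.
      # Interfaces may be nil; Regexp#match(nil) simply returns nil.
      candidates = [rule.chain, rule.jump, rule.input_interface, rule.output_interface]
      next if to_ignore.any? { |ignore| candidates.any? { |field| ignore.match(field) } }

      chain_report = (result[table][rule.chain] ||= {})

      # Need a unique key target for precise matches
      tgt_key = [rule.input_interface, rule.output_interface, rule.jump].compact.join('|')
      next if tgt_key.empty?

      target = (chain_report[tgt_key] ||= {})
      target[:count] = target.fetch(:count, 0) + 1

      # Better effort matching that just counts, which should pick up basic
      # changes but isn't anywhere near perfect.
      rule_parts = rule.to_s.scan(part_regex).map(&:strip) - listen_all

      # Accumulate the parts of every rule in the chain. Previously the set
      # was reassigned per rule, so only the last rule's parts survived and
      # the `||= Set.new` initialisation was dead.
      unless rule_parts.empty?
        chain_report[:parts] ||= Set.new
        chain_report[:parts].merge(rule_parts)
      end

      next unless enable_tracking

      # Best, but fragile, matching
      chain_report[:tracking] ||= Set.new
      chain_report[:tracking] << rule.rule_hash
    end
  end

  result
end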