Dzahn has submitted this change and it was merged.

Change subject: udp2log: replace iptables with ferm
......................................................................


udp2log: replace iptables with ferm

Change-Id: I5859dbce6da06a5e27da90859ad33a400fbb3912
---
M manifests/misc/udp2log.pp
M manifests/role/logging.pp
2 files changed, 16 insertions(+), 60 deletions(-)

Approvals:
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/manifests/misc/udp2log.pp b/manifests/misc/udp2log.pp
index b25eb2b..1f76f05 100644
--- a/manifests/misc/udp2log.pp
+++ b/manifests/misc/udp2log.pp
@@ -23,7 +23,7 @@
     if $monitor {
     # TODO: Should probably include icincga package here.
         include misc::udp2log::monitoring
-        include misc::udp2log::iptables
+        include misc::udp2log::firewall
     }
 
     system::role { 'udp2log::logger':
@@ -316,7 +316,7 @@
 # includes scripts and iptables rules
 # needed for udp2log monitoring.
 class misc::udp2log::monitoring {
-    include misc::udp2log::iptables
+    include misc::udp2log::firewall
 
     package { 'ganglia-logtailer':
         ensure => latest,
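Review bot: The header comment on the context line above `class misc::udp2log::monitoring` still reads "includes scripts and iptables rules" although the include on the changed line now pulls in `misc::udp2log::firewall` (ferm). Suggest updating it to `# includes scripts and ferm rules` so the comment does not point readers at the removed iptables classes. The monitoring class body continues outside the hunk.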
@@ -377,66 +377,22 @@
     include misc::monitoring::net::udp
 }
 
+class misc::udp2log::firewall {
+    include base::firewall
 
-class misc::udp2log::iptables_purges {
-    require iptables::tables
-    # The deny rule must always be purged,
-    # otherwise ACCEPTs can be placed below it
-    iptables_purge_service{ 'udp2log_drop_udp':
-        service => 'udp',
+    ferm::rule { 'udp2log_accept_all_wikimedia':
+        rule => 'saddr ($ALL_NETWORKS) proto udp ACCEPT;',
+        prio => 10,
     }
-    # When removing or modifying a rule, place the old rule here,
-    # otherwise it won't be purged, and will stay in the iptables forever
-}
 
-class misc::udp2log::iptables_accepts {
-    require misc::udp2log::iptables_purges
-    # Rememeber to place modified or removed rules into purges!
-    # common services for all hosts
-    iptables_add_service{ 'udp2log_accept_all_private':
-        service => 'all',
-        source  => '10.0.0.0/8',
-        jump    => 'ACCEPT',
+    # FIXME: this is purely for compatibility with pre-ferm rules
+    # and the difference in default policies
+    ferm::rule { 'udp2log_drop_rest':
+        rule => 'proto udp DROP;',
+        prio => 11,
     }
-    iptables_add_service{ 'udp2log_accept_all_US':
-        service => 'all',
-        source  => '208.80.152.0/22',
-        jump    => 'ACCEPT',
-    }
-    iptables_add_service{ 'udp2log_accept_all_AMS':
-        service => 'all',
-        source  => '91.198.174.0/24',
-        jump    => 'ACCEPT',
-    }
-    iptables_add_service{ 'udp2log_accept_all_localhost':
-        service => 'all',
-        source  => '127.0.0.1/32',
-        jump    => 'ACCEPT',
-    }
-}
-
-class misc::udp2log::iptables_drops {
-    require misc::udp2log::iptables_accepts
-    # Rememeber to place modified or removed rules into purges!
-    iptables_add_service{ 'udp2log_drop_udp':
-        service => 'udp',
-        source  => '0.0.0.0/0',
-        jump    => 'DROP',
-    }
-}
-
-class misc::udp2log::iptables  {
-# only allow UDP packets from our IP space into these machines
-# to prevent malicious information injections
-
-    # We use the following requirement chain:
-    # iptables -> iptables-drops -> iptables-accepts -> iptables-purges
-    #
-    # This ensures proper ordering of the rules
-    require misc::udp2log::iptables_drops
-    # This exec should always occur last in the requirement chain.
-    ## creating iptables rules but not enabling them to test.
-    iptables_add_exec{ 'udp2log':
-        service => 'udp2log',
+    ferm::rule { 'udp2log_accept_all_nonudp':
+        rule => 'proto !udp ACCEPT;',
+        prio => 12,
     }
 }
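Review bot: The removed `misc::udp2log::iptables` class carried the only statement of intent ("only allow UDP packets from our IP space into these machines to prevent malicious information injections"), and the new `misc::udp2log::firewall` class has no header comment at all; suggest adding `# Only accept UDP from our own networks so that log data cannot be injected from outside.` above the first `ferm::rule`. The old accept rules listed `127.0.0.1/32` explicitly, whereas `udp2log_accept_all_wikimedia` now relies on `$ALL_NETWORKS` covering loopback; if it does not, local UDP senders fall through to `udp2log_drop_rest` at prio 11, so that assumption is worth a comment or an explicit loopback rule. `udp2log_accept_all_nonudp` accepts all non-UDP traffic from any source with no `saddr`, which is broader than the per-source `all` accepts it replaces and presumably overrides whatever default policy base::firewall sets; the FIXME above `udp2log_drop_rest` should say this rule is also compatibility-only and meant to be removed once the hosts are on plain base::firewall policy.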
diff --git a/manifests/role/logging.pp b/manifests/role/logging.pp
index 3c91b02..d379591 100644
--- a/manifests/role/logging.pp
+++ b/manifests/role/logging.pp
@@ -37,7 +37,7 @@
 
     class { "misc::udp2log": monitor => $monitor }
     include misc::udp2log::utilities,
-        misc::udp2log::iptables
+        misc::udp2log::firewall
 
     $error_processor_host = $::realm ? {
         production => 'vanadium.eqiad.wmnet',

-- 
To view, visit https://gerrit.wikimedia.org/r/169691

Gerrit-MessageType: merged
Gerrit-Change-Id: I5859dbce6da06a5e27da90859ad33a400fbb3912
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Matanya <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Gage <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
