Filippo Giunchedi has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/373038 )
Change subject: ferm: introduce ferm::client
......................................................................
ferm: introduce ferm::client
This is the symmetric counterpart to ferm::service to explicitly allow
client traffic and optionally disable connection tracking for such
connections.
Note that at the time of this commit the OUTPUT policy is ALLOW, thus
the rules are always a noop. The define's initial usage is to exclude
swift frontend -> backend client traffic from connection tracking,
though keeping the same parameters as ferm::service is more intuitive
and future-proof in case we decide to limit client traffic as well.
Additionally the rules counters provide basic accounting for client
traffic.
Bug: T173731
Change-Id: Ib769f70396062558e7b98e8e3c6c8f643fc959c7
---
M modules/ferm/files/functions.conf
A modules/ferm/manifests/client.pp
A modules/ferm/templates/client.erb
3 files changed, 66 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/38/373038/1
diff --git a/modules/ferm/files/functions.conf
b/modules/ferm/files/functions.conf
index 5db4478..056a8e8 100644
--- a/modules/ferm/files/functions.conf
+++ b/modules/ferm/files/functions.conf
@@ -24,3 +24,30 @@
}
}
}
+
+# Explicitly allow client traffic towards a service
+@def &CLIENT($proto, $port) = {
+ domain (ip ip6) chain OUTPUT {
+ proto $proto dport $port ACCEPT;
+ }
+}
+
+@def &R_CLIENT($proto, $port, $drange) = {
+ domain (ip ip6) chain OUTPUT {
+ proto $proto dport $port daddr $drange ACCEPT;
+ }
+}
+
+# Don't track connections for clients of high traffic services
+@def &NO_TRACK_CLIENT($proto, $port) = {
+ domain (ip ip6) {
+ table raw {
+ chain PREROUTING {
+ proto $proto sport $port NOTRACK;
+ }
+ chain OUTPUT {
+ proto $proto dport $port NOTRACK;
+ }
+ }
+ }
+}
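Review bot: The `&NO_TRACK_CLIENT` def takes no `$drange`, so when a caller pairs a destination-restricted `&R_CLIENT` with notrack, the raw-table NOTRACK rules still apply to every destination on `$port` and, through the PREROUTING `sport $port` rule, to any inbound packet sourced from that port, which is wider than the ACCEPT they accompany. A range-aware variant that mirrors `&R_CLIENT`'s `daddr $drange` keeps the tracking exemption aligned with the allow rule; a sketch follows. A comment on the def would also help: untracked packets never reach an `ESTABLISHED` state, so if the INPUT chain (outside this hunk) relies on conntrack state for return traffic, the reply path needs its own explicit accept. `&R_CLIENT` is also the only one of the three defs without a header comment, e.g. `# Explicitly allow client traffic towards a service at $drange`.
```ferm
# Don't track connections for clients of high traffic services,
# limited to destinations in $drange (pairs with &R_CLIENT)
@def &R_NO_TRACK_CLIENT($proto, $port, $drange) = {
    domain (ip ip6) {
        table raw {
            chain PREROUTING {
                proto $proto sport $port saddr $drange NOTRACK;
            }
            chain OUTPUT {
                proto $proto dport $port daddr $drange NOTRACK;
            }
        }
    }
}
```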
diff --git a/modules/ferm/manifests/client.pp b/modules/ferm/manifests/client.pp
new file mode 100644
index 0000000..02b3df0
--- /dev/null
+++ b/modules/ferm/manifests/client.pp
@@ -0,0 +1,27 @@
+# == Define ferm::client
+# Uses ferm def &CLIENT or &R_CLIENT to allow outbound
+# connections on the specific protocol and destination port.
+#
+# If $drange is not provided, all destination addresses will be allowed.
+# otherwise only traffic towards $drange will be allowed.
+#
+define ferm::client(
+ $proto,
+ $port,
+ $ensure = present,
+ $desc = '',
+ $prio = '10',
+ $drange = undef,
+ $notrack = false,
+) {
+ @file { "/etc/ferm/conf.d/${prio}_${name}_client":
+ ensure => $ensure,
+ owner => 'root',
+ group => 'root',
+ mode => '0400',
+ content => template('ferm/client.erb'),
+ require => File['/etc/ferm/conf.d'],
+ notify => Service['ferm'],
+ tag => 'ferm',
+ }
+}
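Review bot: The header comment documents `$proto`, `$port` and `$drange` but not `$notrack`, which is the parameter that changes firewall semantics most, nor `$prio`, `$desc` or `$ensure`. Suggested addition below the `$drange` paragraph: `# If $notrack is true, connection tracking is also disabled for this` / `# protocol/port via &NO_TRACK_CLIENT; that exemption is not limited to $drange.` Since `$proto`, `$port` and `$drange` are spliced unquoted into the ferm function call by the template, if ferm::service (not part of this change) validates them before rendering, the same guard belongs here as well.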
diff --git a/modules/ferm/templates/client.erb
b/modules/ferm/templates/client.erb
new file mode 100644
index 0000000..5b7fbba
--- /dev/null
+++ b/modules/ferm/templates/client.erb
@@ -0,0 +1,12 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# <%= @desc %>
+<% if @drange -%>
+&R_CLIENT(<%= @proto %>, <%= @port %>, <%= @drange %>);
+<% else -%>
+&CLIENT(<%= @proto %>, <%= @port %>);
+<% end -%>
+
+<% if @notrack == true %>
+&NO_TRACK_CLIENT(<%= @proto %>, <%= @port %>);
+<% end -%>
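Review bot: The `<% if @notrack == true %>` tag is the only one in the template without the trailing `-%>`, so an extra blank line lands in the rendered file whenever notrack is off; `<% if @notrack == true -%>` matches the other tags. The `== true` comparison is stricter than the `if @drange` test above it: a string such as `'true'` passed from a manifest would silently leave tracking enabled, which fails safe, but that behaviour should either be stated in the define's documentation or enforced by validating `$notrack` in client.pp. `<%= @desc %>` is emitted on a `#` line, so a description containing a newline would break out of the comment into live ferm syntax; a check on `$desc` is worthwhile if callers may pass arbitrary strings.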
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib769f70396062558e7b98e8e3c6c8f643fc959c7
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <[email protected]>