Filippo Giunchedi has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/373038 )

Change subject: ferm: introduce ferm::client
......................................................................


ferm: introduce ferm::client

This is the symmetric counterpart to ferm::service to explicitly allow
client traffic and optionally disable connection tracking for such
connections.

Note that at the time of this commit the OUTPUT policy is ALLOW, thus
the rules are always a noop. The define's initial usage is to exclude
swift frontend -> backend client traffic from connection tracking,
though keeping the same parameters as ferm::service is more intuitive
and future-proof in case we decide to limit client traffic as well.
Additionally the rules' counters provide basic accounting for client
traffic.

Bug: T173731
Change-Id: Ib769f70396062558e7b98e8e3c6c8f643fc959c7
---
M modules/ferm/files/functions.conf
A modules/ferm/manifests/client.pp
A modules/ferm/templates/client.erb
3 files changed, 66 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, but someone else must approve
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Filippo Giunchedi: Looks good to me, approved



diff --git a/modules/ferm/files/functions.conf b/modules/ferm/files/functions.conf
index 5db4478..056a8e8 100644
--- a/modules/ferm/files/functions.conf
+++ b/modules/ferm/files/functions.conf
@@ -24,3 +24,30 @@
                }
        }
 }
+
+# Explicitly allow client traffic towards a service
+@def &CLIENT($proto, $port) = {
+       domain (ip ip6) chain OUTPUT {
+               proto $proto dport $port ACCEPT;
+       }
+}
+
+@def &R_CLIENT($proto, $port, $drange) = {
+       domain (ip ip6) chain OUTPUT {
+               proto $proto dport $port daddr $drange ACCEPT;
+       }
+}
+
+# Don't track connections for clients of high traffic services
+@def &NO_TRACK_CLIENT($proto, $port) = {
+       domain (ip ip6) {
+               table raw {
+                       chain PREROUTING {
+                               proto $proto sport $port NOTRACK;
+                       }
+                       chain OUTPUT {
+                               proto $proto dport $port NOTRACK;
+                       }
+               }
+       }
+}
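Review bot: &NO_TRACK_CLIENT only exempts packets from conntrack in the raw table and adds no filter rule for the return traffic, and neither &CLIENT nor &R_CLIENT touches INPUT. Replies matched by `proto $proto sport $port NOTRACK;` in PREROUTING never enter the conntrack table, so they cannot match an ESTABLISHED/RELATED rule in INPUT; unless the host's INPUT policy is ACCEPT or some other rule admits `proto $proto sport $port`, a client connection will be accepted on OUTPUT and its replies dropped on the way in. Either emit a matching INPUT accept for `proto $proto sport $port` when NOTRACK is used, or state in the comment that callers must add one. Separately, the PREROUTING rule is keyed on source port alone, so any remote host sending from port $port bypasses conntrack on this machine; since &R_CLIENT already accepts a $drange, an `&R_NO_TRACK_CLIENT($proto, $port, $drange)` variant with `saddr $drange` in PREROUTING and `daddr $drange` in OUTPUT would keep the bypass scoped to the intended peers.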
diff --git a/modules/ferm/manifests/client.pp b/modules/ferm/manifests/client.pp
new file mode 100644
index 0000000..02b3df0
--- /dev/null
+++ b/modules/ferm/manifests/client.pp
@@ -0,0 +1,27 @@
+# == Define ferm::client
+# Uses ferm def &CLIENT or &R_CLIENT to allow outbound
+# connections on the specific protocol and destination port.
+#
+# If $drange is not provided, all destination addresses will be allowed.
+# otherwise only traffic towards $drange will be allowed.
+#
+define ferm::client(
+    $proto,
+    $port,
+    $ensure  = present,
+    $desc    = '',
+    $prio    = '10',
+    $drange  = undef,
+    $notrack = false,
+) {
+    @file { "/etc/ferm/conf.d/${prio}_${name}_client":
+        ensure  => $ensure,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0400',
+        content => template('ferm/client.erb'),
+        require => File['/etc/ferm/conf.d'],
+        notify  => Service['ferm'],
+        tag     => 'ferm',
+    }
+}
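Review bot: the header comment documents $drange but not $notrack, and the interaction between the two is easy to get wrong: with both set, the ACCEPT rule is limited to $drange via &R_CLIENT while the NOTRACK rule emitted for $notrack applies to every destination, because &NO_TRACK_CLIENT takes no address argument. Add a line to the docstring for $notrack saying it disables connection tracking for this port regardless of $drange, or fail the define when both are given until a range-aware NOTRACK def exists. $proto and $port are also interpolated into the ferm config unchecked; a `validate_re($proto, '^(tcp|udp)$')` and a check on $port would fail the catalog on a typo instead of producing a config that breaks the ferm reload on every host the define is applied to.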
diff --git a/modules/ferm/templates/client.erb b/modules/ferm/templates/client.erb
new file mode 100644
index 0000000..5b7fbba
--- /dev/null
+++ b/modules/ferm/templates/client.erb
@@ -0,0 +1,12 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# <%= @desc %>
+<% if @drange -%>
+&R_CLIENT(<%= @proto %>, <%= @port %>, <%= @drange %>);
+<% else -%>
+&CLIENT(<%= @proto %>, <%= @port %>);
+<% end -%>
+
+<% if @notrack == true %>
+&NO_TRACK_CLIENT(<%= @proto %>, <%= @port %>);
+<% end -%>
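Review bot: `<% if @notrack == true %>` is missing the trailing `-`, unlike every other tag in this template, so the generated file carries a stray blank line; use `<% if @notrack == true -%>`. The strict `== true` comparison also means a caller passing the string 'true' rather than a boolean silently gets no NOTRACK rule and no error; either compare with `<% if @notrack -%>` or validate the parameter as a boolean in the define so the mismatch fails at catalog compile time. Minor: with the default empty $desc the template emits a bare `# ` line, which is harmless but could be guarded with an `if @desc != ''`.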

-- 
To view, visit https://gerrit.wikimedia.org/r/373038
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ib769f70396062558e7b98e8e3c6c8f643fc959c7
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Filippo Giunchedi <[email protected]>
Gerrit-Reviewer: Herron <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
