>>> On 5/10/2009 at 4:33 pm, in message
<[email protected]>, Luke Kanies
<[email protected]> wrote:
> ruby -rpuppet <path/to/file.rb>
>
Tried removing the require line and still no luck. I also ran it with the line
above and that produced no syntax errors.
> If that doesn't work, can you resend the patch inline, rather than as
> an attachment?
Here you go.
diff --git a/lib/puppet/provider/firewall/iptables.rb
b/lib/puppet/provider/firewall/iptables.rb
new file mode 100644
index 0000000..d8e8ddb
--- /dev/null
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -0,0 +1,142 @@
+require 'puppet/type/firewall'
+
+Puppet::Type.type(:firewall).provide(:iptables) do
+ desc "Iptables firewall provider"
+ commands :iptables => "iptables"
+ commands :iptables_save => "iptables-save"
+
+ # Set this provider to be the default for the following operating systems
+# defaultfor :operatingsystem => [:redhat, :sles, :ubuntu]
+
+ @@rulens = Array.new
+
+ def create
+
+ puts "create has been called"
+
+ ipts = `which iptables`.strip
+ if ipts.nil then
+ `which /sbin/iptables`.strip
+ end
+
+ raise "iptables command not found" if ipts.nil
+
+ `#{ipts} -A #{command_string}`
+
+ end
+
+ def destroy
+
+ puts "destroy has been called"
+
+ strme = command_string
+
+ ipts = `which iptables`.strip
+ if ipts.nil then
+ `which /sbin/iptables`.strip
+ end
+
+ raise "iptables command not found" if ipts.nil
+
+ `#{ipts} -D #{strme}`
+
+ # remove from list of rules
+ end
+
+ def command_string(rule = @resource)
+ strme = ""
+ strme += rule[:chain].to_s
+ strme += " -i " + rule[:i].to_s if rule[:i]
+ strme += " -o " + rule[:o].to_s if rule[:o]
+ strme += " -p " + rule[:p].to_s if rule[:p]
+ strme += " -m state" if rule[:mstate]
+ strme += " --state " + rule[:state].to_s if rule[:state]
+ strme += " -m icmp" if rule[:micmp]
+ strme += " --icmp-type " + rule[:icmp_type].to_s if rule[:icmp_type]
+ strme += " -m limit" if rule[:mlimit]
+ strme += " --limit " + rule[:limit].to_s if rule[:limit]
+ strme += " -j " + rule[:j].to_s if rule[:j]
+ strme += " --log-prefix " + rule[:log_prefix].to_s if rule[:log_prefix]
+ strme += " --log-tcp-options " + rule[:log_tcp_options].to_s if
rule[:log_tcp_options]
+ strme += " --log-ip-options " + rule[:log_ip_options].to_s if
rule[:log_ip_options]
+ strme += " --reject-with " + rule[:reject_with].to_s if rule[:reject_with]
+
+ rule[:cmd] = strme.to_s
+ puts "Generated command of " + strme.to_s
+ strme.to_s
+ end
+
+ def exists?
+
+ puts "Checking if a rule exists"
+
+ populate if @@rulens.empty?
+ command_string if @resource[:cmd].empty?
+
+ @@rulens.each do |rule|
+ # Check if the rule exists
+ puts "Checking rule " + rule[:name].to_s + " against " +
@resource[:name].to_s
+ return true if rule[:cmd].equal? @resource[:cmd]
+ end
+
+ return false
+
+ end
+
+ def populate
+ ipts = `which iptables-save`.strip
+
+ puts "Populating iptables from iptables-save"
+
+ if ipts.empty? then
+ ipts = `which /sbin/iptables-save`.strip
+ end
+
+ raise "iptables-save not found" unless !ipts.empty?
+
+ `#{ipts}`.each do |rule|
+ unless rule.index('#').eql? 0 or rule.index(':').eql? 0 or
rule.index('*').eql? 0 then
+ # Use regex to obtain the chain and other rules
+ exp = /(\-[A-Za-z\-]+\s)([\w\-\"\/]+\s?\"?)/
+ matches = rule.strip.scan(exp)
+
+ if matches then
+
+ # return create a new hash
+ rulen = Puppet::Type.type(:firewall).new(:name => rule.to_s)
+
+ matches.each do |component|
+ key = ""
+ value = ""
+ strme = component.to_s
+
+ while strme.index(/\-/).eql? 0 do
+ strme = strme[1,strme.length - 1]
+ end
+
+ # Split the string based upon the first occurance of /\s/
+ splitloc = strme.index(/\s/)
+
+ key = strme[0, splitloc].strip
+ value = strme[splitloc + 1, strme.length - 1]
+ # Check if key is 'm' and change to key + value
+ key = key + value.strip if key.to_s.eql? "m"
+ key.gsub! "-", "_"
+ key = "chain" if key.to_s.eql? "A"
+
+ # Insert the value for the specific key
+ rulen[key] = value.strip unless key.empty? or value.empty?
+
+ end
+
+ # Store the rule in an array
+ @@rulens << rulen
+ end
+
+ end
+
+ end
+
+ end
+
+end
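Review bot: `create` runs the generated rule through a backtick shell call (`#{ipts} -A #{command_string}`, and `destroy` the same with `-D`), so every resource parameter that `command_string` appends (`:chain`, `:j`, `:log_prefix`, `:reject_with`, …) is interpolated unquoted into a shell command line on the agent; that is an injection point the provider does not need, because `commands :iptables => "iptables"` already defines an `iptables` helper that resolves the binary and execs without a shell. Replace the `which` lookups and backticks in both methods with `iptables('-A', *command_string.split)` and `iptables('-D', *command_string.split)`, ideally making `command_string` return an argument array so a `--log-prefix` containing spaces is passed as one argument instead of being split. The lookups are also broken on their own: the backtick `which iptables` call returns an empty string rather than `nil` when nothing is found, `ipts.nil` is not a method (`nil?` is), and the `/sbin` fallback on the following line discards its result, so the `raise` can never fire and `ipts` is never corrected. `exists?` compares `rule[:cmd].equal? @resource[:cmd]`, which tests object identity, so two equal strings never match and the rule is re-added on every run; use `==`. `populate` has the same backtick pattern and relies on `String#each`, which Ruby 1.9 removes — `iptables_save.each_line do |rule|` fixes both.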
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
new file mode 100644
index 0000000..2f8d0b0
--- /dev/null
+++ b/lib/puppet/type/firewall.rb
@@ -0,0 +1,159 @@
+module Puppet
+
+ newtype(:firewall) do
+ @doc = "Define, manipulate, add and remove iptables rules"
+
+ ensurable
+
+ newparam(:name) do
+ desc "The name of the resource"
+ isnamevar
+ end
+
+ newparam(:chain) do
+ desc "holds value of iptables -A parameter.
+ Possible values are: 'INPUT', 'FORWARD', 'OUTPUT',
'PREROUTING', 'POSTROUTING'.
+ Default value is 'INPUT'"
+ defaultto ""
+ end
+
+ newparam(:t) do
+ desc "one of the following tables: 'nat', 'mangle',
+ 'filter' and 'raw'. Default one is 'filter'"
+ newvalues(:nat, :mangle, :filter, :raw)
+ defaultto "filter"
+ end
+
+ newparam(:p) do
+ desc "holds value of iptables --protocol parameter.
+ Possible values are: 'tcp', 'udp', 'icmp', 'esp', 'ah',
'vrrp', 'igmp', 'all'.
+ Default value is 'all'"
+ newvalues(:tcp, :udp, :icmp, :esp, :ah, :vrrp, :igmp, :all)
+ defaultto :all
+ end
+
+ newparam(:j) do
+ desc "holds value of iptables --jump target
+ Possible values are: 'ACCEPT', 'DROP', 'REJECT', 'DNAT',
'LOG'."
+ defaultto ""
+ end
+
+ newparam(:source) do
+ desc "value for iptables --source parameter"
+ end
+
+ newparam(:destination) do
+ desc "value for iptables --destination parameter"
+ end
+
+ newparam(:sport) do
+ desc "holds value of iptables [..] --source-port parameter.
+ If array is specified, values will be passed to multiport
module.
+ Only applies to tcp/udp."
+ defaultto ""
+ end
+
+ newparam(:dport) do
+ desc "holds value of iptables [..] --destination-port parameter.
+ If array is specified, values will be passed to multiport
module.
+ Only applies to tcp/udp."
+ defaultto ""
+ end
+
+ newparam(:i) do
+ desc "value for iptables --in-interface parameter"
+ end
+
+ newparam(:o) do
+ desc "value for iptables --out-interface parameter"
+ end
+
+ newparam(:to_dest) do
+ desc "value for iptables '-j DNAT --to-destination' parameter"
+ defaultto ""
+ end
+
+ newparam(:log_level) do
+ desc "value for iptables '--log-level' parameter"
+ defaultto ""
+ end
+
+ newparam(:log_prefix) do
+ desc "value for iptables '--log-prefix' parameter"
+ defaultto ""
+ end
+
+ newparam(:log_tcp_options) do
+ desc "value for iptables '--log-tcp-options' parameter"
+ defaultto ""
+ end
+
+ newparam(:log_ip_options) do
+ desc "value for iptables '--log-ip-options' parameter"
+ defaultto ""
+ end
+
+ newparam(:icmp_type) do
+ desc "value for iptables '--icmp-type' parameter"
+ defaultto ""
+ end
+
+ newparam(:mstate) do
+ desc "value for iptables '-m state' parameter"
+ defaultto ""
+ end
+
+ newparam(:micmp) do
+ desc "value for iptables '-m icmp' parameter"
+ defaultto ""
+ end
+
+ newparam(:mlimit) do
+ desc "value for iptables '-m limit' parameter"
+ defaultto ""
+ end
+
+ newparam(:mpkttype) do
+ desc "value for iptables '-m pkttype' parameter"
+ defaultto ""
+ end
+
+ newparam(:pkt_type) do
+ desc "value for iptables '-m pkttype --pkt-type' parameter"
+ defaultto ""
+ end
+
+ newparam(:mtcp) do
+ desc "value for iptables '-m tcp' parameter"
+ defaultto ""
+ end
+
+ newparam(:tcp_flags) do
+ desc "value for iptables '-m tcp --tcp-flags' parameter"
+ defaultto ""
+ end
+
+ newparam(:state) do
+ desc "value for iptables '--state' parameter.
+ Possible values are: 'INVALID', 'ESTABLISHED', 'NEW',
'RELATED'."
+ newvalues(:INVALID, :ESTABLISHED, :NEW, :RELATED)
+ end
+
+ newparam(:reject_with) do
+ desc "value for iptables '--reject-with' parameter"
+ defaultto ""
+ end
+
+ newparam(:limit) do
+ desc "value for iptables '--limit' parameter"
+ defaultto ""
+ end
+
+ newparam(:cmd) do
+ desc "The command line value for the iptables parameter"
+ defaultto ""
+ end
+
+ end
+
+end
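Review bot: The `:chain` desc says "Default value is 'INPUT'" but the parameter has `defaultto ""`, so an omitted chain reaches the provider as an empty string and is emitted as `-A ` with no chain; either `defaultto "INPUT"` or drop the sentence from the desc. The free-form parameters (`:chain`, `:j`, `:log_prefix`, `:reject_with`, `:limit`, `:icmp_type`, `:log_level`) accept any string and the iptables provider in this patch splices them into a command line, so the type should constrain them here, e.g. a `validate { |v| raise ArgumentError, "#{v.inspect} contains whitespace or shell metacharacters" unless v.to_s =~ /\A[\w.:\/-]*\z/ }` block on each, with `newvalues(:INPUT, :FORWARD, :OUTPUT, :PREROUTING, :POSTROUTING)` for `:chain` only if user-defined chains are out of scope. `:cmd` is a user-settable parameter that the provider uses as internal scratch state (`rule[:cmd] = strme`), so a manifest that sets it would make `exists?` compare against the user's value rather than the generated one; it belongs on the provider, not in the type's public interface. Several parameters (`:t`, `:source`, `:destination`, `:sport`, `:dport`, `:to_dest`, `:log_level`, `:pkt_type`, `:tcp_flags`, `:mpkttype`, `:mtcp`) are declared but never emitted by the provider's `command_string` in this patch; a comment such as `# not yet honoured by the iptables provider` on each would stop users from expecting them to take effect.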
diff --git a/spec/unit/provider/firewall/iptables.rb
b/spec/unit/provider/firewall/iptables.rb
new file mode 100755
index 0000000..57fd98b
--- /dev/null
+++ b/spec/unit/provider/firewall/iptables.rb
@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+
+require File.dirname(__FILE__) + '/../../../spec_helper'
+
+require 'puppet/provider/firewall/iptables'
+
+provider = Puppet::Type.type(:firewall).provide(:iptables)
+
+describe provider do
+
+ before :each do
+ @prov = provider.new
+ end
+
+ it "should have the puppet provider class as its baseclass" do
+ provider.superclass.should equal Puppet::Provider
+ end
+
+ it 'should know how to populate known rules' do
+ @prov.should respond_to :populate
+ end
+
+ it 'should ensure the absense of a specified simple rule' do
+ rule = Puppet::Type.type(:firewall).new(
+ :name => "INPUT -m state --sate ESTABLISHED -j ACCEPT",
+ :ensure => "absent",
+ :chain => "INPUT",
+ :mstate => "sate",
+ :state => "ESTABLISHED",
+ :j => "ACCEPT",
+ :provider => "iptables")
+ end
+
+end
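Review bot: The example 'should ensure the absense of a specified simple rule' builds a resource and then asserts nothing, so it passes whatever the provider does; it should construct the provider with that resource, stub the `iptables` and `iptables_save` command helpers, and expect `destroy` to invoke `iptables` with `-D` followed by the generated arguments. The same assertion-less shape appears in 'should ensure presense of specified simple route' in spec/unit/type/firewall.rb. `@prov = provider.new` in the `before` block creates a provider with no resource, so any call into `exists?` or `command_string` would fail on `@resource[:cmd]`; pass the resource (`provider.new(rule)`) or build it in the example. `"--sate"` in the name and `:mstate => "sate"` look like typos for `state`, and `absense` should be `absence`.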
diff --git a/spec/unit/type/firewall.rb b/spec/unit/type/firewall.rb
new file mode 100755
index 0000000..ce708f2
--- /dev/null
+++ b/spec/unit/type/firewall.rb
@@ -0,0 +1,24 @@
+#!/usr/bin/env ruby
+
+require File.dirname(__FILE__) + '/../../spec_helper'
+require 'puppet/type/firewall'
+require 'puppet/provider/firewall/iptables'
+
+describe Puppet::Type.type(:firewall) do
+
+ it "should ensure presense of specified simple route" do
+ rule = Puppet::Type.type(:firewall).new(
+ :name => "INPUT -m state --sate ESTABLISHED -j ACCEPT",
+ :ensure => "present",
+ :chain => "INPUT",
+ :mstate => "sate",
+ :state => "ESTABLISHED",
+ :j => "ACCEPT",
+ :provider => "iptables")
+ end
+
+ it "should ensure absense of specified simple route" do
+
+ end
+
+end
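Review bot: The second example, 'should ensure absense of specified simple route', has an empty body and will be reported as passing while testing nothing; mark it pending until it has an expectation, e.g. `it "should ensure absence of specified simple route"` with no block, or `pending "not implemented"` as the body. `presense`/`absense` are misspellings of `presence`/`absence`, and both descriptions say "route" where the resource under test is a firewall rule.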