| -rw-r--r-- | REFERENCE.md | 59 | ||||
| -rw-r--r-- | data/Archlinux.yaml | 3 | ||||
| -rw-r--r-- | data/RedHat.yaml | 3 | ||||
| -rw-r--r-- | data/Ubuntu.yaml | 1 | ||||
| -rw-r--r-- | data/common.yaml | 19 | ||||
| -rw-r--r-- | hiera.yaml | 3 | ||||
| -rw-r--r-- | manifests/init.pp | 59 | 
7 files changed, 52 insertions, 95 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 5ab5f0b..75dfe6f 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -76,129 +76,126 @@ The following parameters are available in the `ferm` class.  Data type: `Boolean`  Disable/Enable the management of the ferm daemon -Default value: false -Allowed values: (true|false) + +Default value: `false`  ##### `manage_configfile`  Data type: `Boolean`  Disable/Enable the management of the ferm default config -Default value: false -Allowed values: (true|false) + +Default value: `false`  ##### `manage_initfile`  Data type: `Boolean`  Disable/Enable the management of the ferm init script for RedHat-based OS -Default value: false -Allowed values: (true|false) + +Default value: `false`  ##### `configfile`  Data type: `Stdlib::Absolutepath`  Path to the config file -Default value: /etc/ferm.conf -Allowed values: Stdlib::Absolutepath  ##### `configdirectory`  Data type: `Stdlib::Absolutepath`  Path to the directory where the module stores ferm configuration files -Default value: /etc/ferm.d or /etc/ferm/ferm.d -Allowed values: Stdlib::Absolutepath  ##### `disable_conntrack`  Data type: `Boolean`  Disable/Enable the generation of conntrack rules -Default value: false -Allowed values: (true|false) + +Default value: `false`  ##### `forward_policy`  Data type: `Ferm::Policies`  Default policy for the FORWARD chain -Default value: DROP -Allowed values: (ACCEPT|DROP) + +Default value: 'DROP'  ##### `output_policy`  Data type: `Ferm::Policies`  Default policy for the OUTPUT chain -Default value: ACCEPT -Allowed values: (ACCEPT|DROP) + +Default value: 'ACCEPT'  ##### `input_policy`  Data type: `Ferm::Policies`  Default policy for the INPUT chain -Default value: DROP -Allowed values: (ACCEPT|DROP) + +Default value: 'DROP'  ##### `rules`  Data type: `Hash`  A hash that holds all data for ferm::rule -Default value: Empty Hash -Allowed value: Any Hash + +Default value: {}  ##### `chains`  Data type: `Hash`  A hash that holds all data for ferm::chain -Default value: Empty Hash -Allowed value: Any Hash + +Default value: {}  ##### 
`forward_log_dropped_packets`  Data type: `Boolean`  Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched -Default value: false -Allowed values: (true|false) + +Default value: `false`  ##### `output_log_dropped_packets`  Data type: `Boolean`  Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched -Default value: false -Allowed values: (true|false) + +Default value: `false`  ##### `input_log_dropped_packets`  Data type: `Boolean`  Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched -Default value: false -Allowed values: (true|false) + +Default value: `false`  ##### `ip_versions`  Data type: `Array[Enum['ip','ip6']]`  Set list of versions of ip we want ot use. -Default value: ['ip', 'ip6'] + +Default value: ['ip','ip6']  ##### `preserve_chains_in_tables`  Data type: `Hash[String[1],Array[String[1]]]`  Hash with table:chains[] to use ferm @preserve for -Default value: Empty Hash -Allowed values: Hash with a list of tables and chains in it to preserve  Example: {'nat' => ['PREROUTING', 'POSTROUTING']} +Default value: {} +  ## Defined types  ### ferm::chain diff --git a/data/Archlinux.yaml b/data/Archlinux.yaml new file mode 100644 index 0000000..6b05d2f --- /dev/null +++ b/data/Archlinux.yaml @@ -0,0 +1,3 @@ +--- +ferm::configfile: /etc/ferm.conf +ferm::configdirectory: /etc/ferm.d diff --git a/data/RedHat.yaml b/data/RedHat.yaml new file mode 100644 index 0000000..6b05d2f --- /dev/null +++ b/data/RedHat.yaml @@ -0,0 +1,3 @@ +--- +ferm::configfile: /etc/ferm.conf +ferm::configdirectory: /etc/ferm.d diff --git a/data/Ubuntu.yaml b/data/Ubuntu.yaml index f580a8f..cb30553 100644 --- a/data/Ubuntu.yaml +++ b/data/Ubuntu.yaml @@ -1,2 +1,3 @@  ---  ferm::configfile: /etc/ferm/ferm.conf +ferm::configdirectory: /etc/ferm.d diff --git a/data/common.yaml b/data/common.yaml deleted file mode 100644 index 34392e9..0000000 
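Review bot: data/Ubuntu.yaml pins `ferm::configdirectory: /etc/ferm.d` next to `ferm::configfile: /etc/ferm/ferm.conf`, while the text this commit drops from REFERENCE.md listed /etc/ferm/ferm.d as the alternative location; please confirm that directory is the one Ubuntu's ferm.conf actually includes, because a directory ferm never reads means the module writes its rule files but no policy is applied. The two new files share blob 6b05d2f and only take effect through the new os.family layer, so families that common.yaml used to cover (Debian, for instance, unless a Debian.yaml exists outside this diff) now resolve no value for either key. If Debian is meant to keep working, a data/Debian.yaml with the same two lines as Ubuntu.yaml would restore it.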
--- a/data/common.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-ferm::manage_service: false
-ferm::manage_configfile: false
-ferm::manage_initfile: false
-ferm::disable_conntrack: false
-ferm::configfile: /etc/ferm.conf
-ferm::configdirectory: /etc/ferm.d
-ferm::input_policy: DROP
-ferm::forward_policy: DROP
-ferm::output_policy: ACCEPT
-ferm::preserve_chains_in_tables: {}
-ferm::rules: {}
-ferm::chains: {}
-ferm::input_log_dropped_packets: false
-ferm::forward_log_dropped_packets: false
-ferm::output_log_dropped_packets: false
-ferm::ip_versions:
-  - ip
-  - ip6
@@ -15,5 +15,8 @@ hierarchy:    - name: 'Distribution Name'      path: '%{facts.os.name}.yaml' +  - name: 'Operating System Family' +    path: '%{facts.os.family}.yaml' +    - name: 'common'      path: 'common.yaml'
diff --git a/manifests/init.pp b/manifests/init.pp
index 2f5e1ef..d8fd06a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
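Review bot: The hierarchy still ends with a `common` layer whose `path: 'common.yaml'` points at the file this same commit deletes, leaving a dangling entry that Hiera skips without complaint, so the hierarchy no longer describes the files that exist. Either drop the two `common` lines or keep an empty data/common.yaml as the documented place for module-wide fallbacks. The new 'Operating System Family' layer is thereby the last source for ferm::configfile and ferm::configdirectory, which have no class default; what that means for unsupported families is raised on the manifests/init.pp hunk. The diff header for hiera.yaml is not visible in this excerpt, so the file path is taken from the diffstat.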
@@ -26,70 +26,39 @@
 #   }
 #
 # @param manage_service Disable/Enable the management of the ferm daemon
-#   Default value: false
-#   Allowed values: (true|false)
 # @param manage_configfile Disable/Enable the management of the ferm default config
-#   Default value: false
-#   Allowed values: (true|false)
 # @param manage_initfile Disable/Enable the management of the ferm init script for RedHat-based OS
-#   Default value: false
-#   Allowed values: (true|false)
 # @param configfile Path to the config file
-#   Default value: /etc/ferm.conf
-#   Allowed values: Stdlib::Absolutepath
 # @param configdirectory Path to the directory where the module stores ferm configuration files
-#   Default value: /etc/ferm.d or /etc/ferm/ferm.d
-#   Allowed values: Stdlib::Absolutepath
 # @param disable_conntrack Disable/Enable the generation of conntrack rules
-#   Default value: false
-#   Allowed values: (true|false)
 # @param forward_policy Default policy for the FORWARD chain
-#   Default value: DROP
-#   Allowed values: (ACCEPT|DROP)
 # @param output_policy Default policy for the OUTPUT chain
-#   Default value: ACCEPT
-#   Allowed values: (ACCEPT|DROP)
 # @param input_policy Default policy for the INPUT chain
-#   Default value: DROP
-#   Allowed values: (ACCEPT|DROP)
 # @param rules A hash that holds all data for ferm::rule
-#   Default value: Empty Hash
-#   Allowed value: Any Hash
 # @param chains A hash that holds all data for ferm::chain
-#   Default value: Empty Hash
-#   Allowed value: Any Hash
 # @param forward_log_dropped_packets Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
-#   Default value: false
-#   Allowed values: (true|false)
 # @param output_log_dropped_packets Enable/Disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
-#   Default value: false
-#   Allowed values: (true|false)
 # @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
-#   Default value: false
-#   Allowed values: (true|false)
 # @param ip_versions Set list of versions of ip we want ot use.
-#   Default value: ['ip', 'ip6']
 # @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for
-#   Default value: Empty Hash
-#   Allowed values: Hash with a list of tables and chains in it to preserve
 #   Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
 class ferm (
-  Boolean $manage_service,
-  Boolean $manage_configfile,
-  Boolean $manage_initfile,
   Stdlib::Absolutepath $configfile,
   Stdlib::Absolutepath $configdirectory,
-  Boolean $disable_conntrack,
-  Ferm::Policies $forward_policy,
-  Ferm::Policies $output_policy,
-  Ferm::Policies $input_policy,
-  Boolean $forward_log_dropped_packets,
-  Boolean $output_log_dropped_packets,
-  Boolean $input_log_dropped_packets,
-  Hash $rules,
-  Hash $chains,
-  Array[Enum['ip','ip6']] $ip_versions,
-  Hash[String[1],Array[String[1]]] $preserve_chains_in_tables,
+  Boolean $manage_service = false,
+  Boolean $manage_configfile = false,
+  Boolean $manage_initfile = false,
+  Boolean $disable_conntrack = false,
+  Ferm::Policies $forward_policy = 'DROP',
+  Ferm::Policies $output_policy = 'ACCEPT',
+  Ferm::Policies $input_policy = 'DROP',
+  Boolean $forward_log_dropped_packets = false,
+  Boolean $output_log_dropped_packets = false,
+  Boolean $input_log_dropped_packets = false,
+  Hash $rules = {},
+  Hash $chains = {},
+  Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'],
+  Hash[String[1],Array[String[1]]] $preserve_chains_in_tables = {},
 ) {
   contain ferm::install
   contain ferm::config
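Review bot: `$configfile` and `$configdirectory` are the only parameters left without a default, and with data/common.yaml removed their sole source is the per-os.family data file; the @param text does not say so, so a user on an unsupported family gets a bare "expects a value for parameter" failure with no hint where the value is meant to come from. I would document it rather than add a path default: `# @param configfile Path to the config file. No default; supplied by data/<os.family>.yaml, so unsupported families fail at compile time` and the matching sentence on `# @param configdirectory`, because a guessed path would leave ferm running a config the module does not manage, which for a firewall module is worse than a compile error. The unchanged ip_versions line still reads `we want ot use` and can become `we want to use` while this block is being touched. The class body continues past the end of the hunk.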
