From adf0ede08cfa1ca0d7318e6fad3ee78dea7f4bfa Mon Sep 17 00:00:00 2001 From: "James T. Lee" Date: Sun, 26 Sep 2021 21:49:38 -0400 Subject: [PATCH] Replace iptables resources with firewalld --- data/common.yaml | 1 + manifests/base/openvpn.pp | 51 +------------------ manifests/base/ssh.pp | 17 +------ manifests/lib/port_forward.pp | 87 +++++++++------------------------ manifests/lib/virtual_host.pp | 18 ++----- manifests/node/falcon.pp | 56 --------------------- manifests/node/web.pp | 9 ---- manifests/service/apache.pp | 17 +------ manifests/service/barrier.pp | 9 ++-- manifests/service/kubernetes.pp | 46 ++++++++--------- manifests/service/libvirt.pp | 16 +++--- manifests/service/plex.pp | 4 ++ metadata.json | 8 +-- 13 files changed, 76 insertions(+), 263 deletions(-) diff --git a/data/common.yaml b/data/common.yaml index 944c6c1c..e38fe4ab 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -84,6 +84,7 @@ nest::kernel_config: CONFIG_NETFILTER: y CONFIG_NETFILTER_ADVANCED: y CONFIG_NF_CONNTRACK: m + CONFIG_NF_CONNTRACK_NETBIOS_NS: m CONFIG_NF_CONNTRACK_TFTP: m CONFIG_NF_TABLES: m CONFIG_NF_TABLES_INET: y diff --git a/manifests/base/openvpn.pp b/manifests/base/openvpn.pp index 569990c3..a674af99 100644 --- a/manifests/base/openvpn.pp +++ b/manifests/base/openvpn.pp @@ -170,30 +170,8 @@ ], } - firewall { - default: - proto => udp, - dport => 1194, - state => 'NEW', - action => accept, - ; - - '100 openvpn (v4)': - provider => iptables, - ; - - '100 openvpn (v6)': - provider => ip6tables, - ; - } - - # Forwarding rules to control access to VPN - firewall { '100 nest vpn: allow kvm guests': - chain => 'FORWARD', - proto => all, - iniface => 'virbr0', - outiface => $device, - action => accept, + firewalld_service { 'openvpn': + ensure => present, } } else { $mode = 'client' 
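Review bot: The added `CONFIG_NF_CONNTRACK_NETBIOS_NS: m` carries no comment tying it to the rest of this commit; it appears to be the conntrack helper that firewalld's `samba` service definition pulls in, and that service is enabled in manifests/service/libvirt.pp later in this patch. A one-line YAML comment such as `# conntrack helper referenced by firewalld's samba service (see nest::service::libvirt)` would make the kernel/firewall coupling visible to whoever next trims the kernel config. Worth confirming the helper is still required by the firewalld release pinned in metadata.json, since conntrack helpers add kernel-side protocol parsing and are best built only while a service actually depends on them.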
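Review bot: The removed `'100 nest vpn: allow kvm guests'` FORWARD rule (virbr0 → `$device`) has no firewalld counterpart in the new code; `firewalld_service { 'openvpn': }` only opens the service inbound, and in the default zone since no `zone` is given. If KVM guests are still expected to reach the VPN, that needs an explicit firewalld forwarding configuration between the libvirt zone and the zone holding `$device` (zone `forward` or a policy object, depending on the firewalld version), or a comment stating the forwarding was dropped on purpose. If the OpenVPN port should only be reachable on particular interfaces, naming the zone here would preserve that scoping. The enclosing if/else block continues outside the hunk.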
@@ -209,31 +187,6 @@ mode => '0755', require => Package[$openvpn_package_name], } - - # Allow and forward all VPN traffic - firewall { - default: - proto => all, - ; - - '001 nest vpn': - iniface => $device, - action => accept, - ; - - '001 nest vpn: forward all': - chain => 'FORWARD', - iniface => $device, - action => accept, - ; - - '002 nest vpn: allow return packets': - chain => 'FORWARD', - outiface => $device, - ctstate => ['RELATED', 'ESTABLISHED'], - action => accept, - ; - } } 'windows': { diff --git a/manifests/base/ssh.pp b/manifests/base/ssh.pp index 14ee1e61..9b68db66 100644 --- a/manifests/base/ssh.pp +++ b/manifests/base/ssh.pp @@ -45,21 +45,8 @@ } if $::nest::public_ssh { - firewall { - default: - proto => tcp, - dport => 22, - state => 'NEW', - action => accept, - ; - - '100 ssh (v4)': - provider => iptables, - ; - - '100 ssh (v6)': - provider => ip6tables, - ; + firewalld_service { 'ssh': + ensure => present, } } } diff --git a/manifests/lib/port_forward.pp b/manifests/lib/port_forward.pp index 797c0f03..b27a863a 100644 --- a/manifests/lib/port_forward.pp +++ b/manifests/lib/port_forward.pp @@ -1,3 +1,6 @@ +# +# XXX Refactor or remove this class for better firewalld support +# define nest::lib::port_forward ( Enum['tcp', 'udp'] $proto, Stdlib::Port $from_port, 
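Review bot: The client branch loses the `'001 nest vpn'` accept and both FORWARD rules for `$device` with nothing in their place, so traffic arriving on the VPN interface is now governed by whichever firewalld zone `$device` falls into (the default zone if unassigned) rather than being accepted and forwarded wholesale. If the old behaviour is wanted, bind the interface to a zone via `firewalld_zone` with `interfaces => [$device]` and give that zone the intended target; if the tightening is intentional, a one-line comment where the rules used to be would stop the next reader from treating it as a regression. The same silent drop, with no replacement or comment, happens for the podman and local-network rules deleted in manifests/node/falcon.pp and manifests/node/web.pp.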
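Review bot: `firewalld_service { 'ssh': ensure => present }` is declared only when `$::nest::public_ssh` is true, but firewalld's stock `public` zone already permits `ssh` unless the zone file has been customised, so setting the flag to false no longer closes port 22 the way the absent iptables rules did. Make the flag two-sided, as the libvirt.pp hunk in this same patch already does: declare the resource unconditionally with `ensure => $::nest::public_ssh ? { true => present, default => absent },`. The same present-only pattern appears in the apache.pp and virtual_host.pp hunks, where switching `manage_firewall` off leaves previously created entries in both the running and permanent firewalld configuration.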
@@ -7,71 +10,29 @@ Optional[Stdlib::IP::Address::V6] $source_ip6 = undef, Optional[Stdlib::IP::Address::V6] $destination_ip6 = undef, ) { - $combined_spec = { - 'v4' => { - 'source' => $source_ip4, - 'destination' => $destination_ip4, - 'provider' => iptables, - }, - - 'v6' => { - 'source' => $source_ip6, - 'destination' => $destination_ip6, - 'provider' => ip6tables, - }, + if $destination_ip4 { + firewalld_rich_rule { "${name} (v4)": + family => ipv4, + dest => $source_ip4, + forward_port => { + port => $from_port, + protocol => $proto, + to_addr => $destination_ip4, + to_port => $to_port, + }, + } } - $combined_spec.each |$comment, $spec| { - if $spec['source'] and $spec['destination'] { - firewall { - default: - provider => $spec['provider'], - ; - - "100 ${name} (${comment}): modify destination on incoming packets": - table => nat, - chain => 'PREROUTING', - destination => $spec['source'], - proto => $proto, - dport => $from_port, - jump => 'DNAT', - todest => "${spec['destination']}:${to_port}", - ; - - "100 ${name} (${comment}): modify destination on generated packets": - table => nat, - chain => 'OUTPUT', - destination => $spec['source'], - proto => $proto, - dport => $from_port, - jump => 'DNAT', - todest => "${spec['destination']}:${to_port}", - ; - - "100 ${name} (${comment}): allow forwarding": - chain => 'FORWARD', - destination => $spec['destination'], - proto => $proto, - dport => $to_port, - action => accept, - ; - - "100 ${name} (${comment}): allow return packets": - chain => 'FORWARD', - source => $spec['destination'], - ctstate => ['RELATED', 'ESTABLISHED'], - action => accept, - ; - - "100 ${name} (${comment}): modify source for return routing": - table => nat, - chain => 'POSTROUTING', - destination => $spec['destination'], - proto => $proto, - dport => $to_port, - jump => 'MASQUERADE', - ; - } + if $destination_ip6 { + firewalld_rich_rule { "${name} (v6)": + family => ipv6, + dest => $source_ip6, + forward_port => { + port => $from_port, + 
protocol => $proto, + to_addr => $destination_ip6, + to_port => $to_port, + }, } } } diff --git a/manifests/lib/virtual_host.pp b/manifests/lib/virtual_host.pp index 93ba8caf..e82e329c 100644 --- a/manifests/lib/virtual_host.pp +++ b/manifests/lib/virtual_host.pp @@ -26,21 +26,9 @@ } if $port and $::nest::service::apache::manage_firewall { - firewall { - default: - proto => tcp, - dport => $port, - state => 'NEW', - action => accept, - ; - - "100 ${name} (v4)": - provider => iptables, - ; - - "100 ${name} (v6)": - provider => ip6tables, - ; + firewalld_port { $name: + port => $port, + protocol => tcp, } } diff --git a/manifests/node/falcon.pp b/manifests/node/falcon.pp index 226bcc5e..37870e95 100644 --- a/manifests/node/falcon.pp +++ b/manifests/node/falcon.pp @@ -1,60 +1,4 @@ class nest::node::falcon { - firewall { - '012 multicast': - proto => udp, - pkttype => 'multicast', - action => accept, - ; - - '100 podman to apache': - iniface => 'cni-podman0', - proto => tcp, - dport => [80, 443], - state => 'NEW', - action => accept, - ; - - '100 podman to distccd': - iniface => 'cni-podman0', - proto => tcp, - dport => 3632, - state => 'NEW', - action => accept, - ; - - '100 podman to dnsmasq': - iniface => 'cni-podman0', - proto => udp, - dport => 53, - state => 'NEW', - action => accept, - ; - - '100 podman to smtp': - iniface => 'cni-podman0', - proto => udp, - dport => 25, - state => 'NEW', - action => accept, - ; - - '100 plex': - proto => tcp, - dport => 32400, - state => 'NEW', - action => accept, - ; - - '100 puppet from local network': - chain => 'FORWARD', - source => "${facts['networking']['network']}/${facts['networking']['netmask']}", - proto => tcp, - dport => 8140, - state => 'NEW', - action => accept, - ; - } - nest::lib::toolchain { [ 'aarch64-unknown-linux-gnu', diff --git a/manifests/node/web.pp b/manifests/node/web.pp index 3655cd55..65dee219 100644 --- a/manifests/node/web.pp +++ b/manifests/node/web.pp 
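Review bot: The guard `if $destination_ip4` drops the old requirement that `$source_ip4` also be set, and `dest => $source_ip4` is then passed as undef; a rich rule with no destination address matches any address on the zone, which is broader than the DNAT rules it replaces. Restore the pair check with `if $source_ip4 and $destination_ip4 {` and `if $source_ip6 and $destination_ip6 {`, or make the source parameter required for each family that is forwarded. Two further gaps worth listing in the XXX header added by the first hunk: forwarding to another host generally needs masquerading enabled on the zone for IPv4 (the former POSTROUTING MASQUERADE rule has no counterpart), and the rule lands in the default zone because no `zone` is given. The define's signature is in the preceding hunk, outside this one.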
@@ -8,13 +8,4 @@ host => '%', before => Class['nest::service::bitwarden'], } - - firewall { '100 podman to mysql': - iniface => 'cni-podman0', - proto => tcp, - dport => 3306, - state => 'NEW', - action => accept, - before => Class['nest::service::bitwarden'], - } } diff --git a/manifests/service/apache.pp b/manifests/service/apache.pp index 04000e0a..6098a5e1 100644 --- a/manifests/service/apache.pp +++ b/manifests/service/apache.pp @@ -40,21 +40,8 @@ } if $manage_firewall { - firewall { - default: - proto => tcp, - dport => [80, 443], - state => 'NEW', - action => accept, - ; - - '100 http (v4)': - provider => iptables, - ; - - '100 http (v6)': - provider => ip6tables, - ; + firewalld_service { ['http', 'https']: + ensure => present, } } } diff --git a/manifests/service/barrier.pp b/manifests/service/barrier.pp index 88cd241b..6a2852e2 100644 --- a/manifests/service/barrier.pp +++ b/manifests/service/barrier.pp @@ -4,12 +4,9 @@ use => '-gui', } - firewall { '100 barrier': - proto => tcp, - dport => 24800, - iniface => 'virbr0', - state => 'NEW', - action => accept, + firewalld_service { 'synergy': + ensure => present, + zone => 'libvirt', } # XXX: Cleanup from previous dependency on avahi diff --git a/manifests/service/kubernetes.pp b/manifests/service/kubernetes.pp index 72b59a49..c5c071c5 100644 --- a/manifests/service/kubernetes.pp +++ b/manifests/service/kubernetes.pp 
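Review bot: The resource is titled `synergy` inside a class named `barrier`, and nothing says why; a comment such as `# barrier forks synergy and listens on the same port (24800/tcp), which is what firewalld's synergy service opens` keeps the mapping from looking like a copy-paste error. `zone => 'libvirt'` also presumes the zone exists when firewalld applies this resource; it appears to rely on the zone libvirtd installs with its own firewalld configuration rather than anything declared in this module, so an ordering relationship on the libvirt class, or at least a comment naming the dependency, would make the failure mode explicit if this class is ever applied on a host without libvirt. The same `zone => 'libvirt'` assumption is made in the libvirt.pp hunk, where the ordering is at least implicit.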
@@ -58,35 +58,35 @@ ensure => installed, } - firewall { '100 vxlan': - source => "${facts['networking']['network']}/${facts['networking']['netmask']}", - dport => 8472, - proto => udp, - state => 'NEW', - action => accept, - } + # firewall { '100 vxlan': + # source => "${facts['networking']['network']}/${facts['networking']['netmask']}", + # dport => 8472, + # proto => udp, + # state => 'NEW', + # action => accept, + # } sysctl { 'net.ipv4.ip_forward': ensure => present, value => '1', } - if $control_plane { - firewall { - default: - dport => 6443, - proto => tcp, - state => 'NEW', - action => accept, - ; + # if $control_plane { + # firewall { + # default: + # dport => 6443, + # proto => tcp, + # state => 'NEW', + # action => accept, + # ; - '100 kubernetes from local network': - source => "${facts['networking']['network']}/${facts['networking']['netmask']}", - ; + # '100 kubernetes from local network': + # source => "${facts['networking']['network']}/${facts['networking']['netmask']}", + # ; - '100 kubernetes from pod network': - iniface => 'cni0', - ; - } - } + # '100 kubernetes from pod network': + # iniface => 'cni0', + # ; + # } + # } } diff --git a/manifests/service/libvirt.pp b/manifests/service/libvirt.pp index 0330bc12..c7ac07e1 100644 --- a/manifests/service/libvirt.pp +++ b/manifests/service/libvirt.pp @@ -90,13 +90,13 @@ ::nest::lib::systemd_reload { 'libvirt': } - if $::nest::fileserver { - firewall { '100 fileserver': - proto => tcp, - dport => [139, 445, 2049], - iniface => 'virbr0', - state => 'NEW', - action => accept, - } + $fileserver_service_ensure = $::nest::fileserver ? { + true => present, + default => absent, + } + + firewalld_service { ['nfs', 'samba']: + ensure => $fileserver_service_ensure, + zone => 'libvirt', } } diff --git a/manifests/service/plex.pp b/manifests/service/plex.pp index b300691a..9ba608c5 100644 --- a/manifests/service/plex.pp +++ b/manifests/service/plex.pp 
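Review bot: Commenting out the vxlan (8472/udp), API server (6443/tcp from the local network) and cni0 rules leaves the node with no firewalld equivalent, and commented-out code gives no hint whether this is temporary, so cluster traffic is now subject to the default zone's policy without anyone having decided that. Either delete the block (the history is in git) and leave a `# TODO(firewalld): open 8472/udp from the local network, and 6443/tcp from the local network and cni0 on control-plane nodes` comment, or express the rules now with `firewalld_rich_rule` for the source-scoped entries; recent firewalld releases also ship a `kube-apiserver` service definition for 6443/tcp, which is worth checking against the installed version. Keeping `sysctl 'net.ipv4.ip_forward'` while dropping the filter rules is fine, but that asymmetry is exactly what a comment should explain.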
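Review bot: Replacing the explicit `[139, 445, 2049]` openings on virbr0 with the `nfs` and `samba` service definitions changes the exposed set: firewalld's `samba` service also opens the NetBIOS UDP ports (137/138) and attaches the netbios-ns conntrack helper, which is presumably why `CONFIG_NF_CONNTRACK_NETBIOS_NS` is added in data/common.yaml, and `nfs` may include 2049/udp as well — confirm against the installed service files. If the widening is intended, say so next to the resource, e.g. `# firewalld's samba service adds 137-138/udp and the netbios-ns helper beyond the former 139/445 openings`; if not, `firewalld_port` entries in the libvirt zone keep the original port list. The conditional `ensure` selector here is the right shape and is what the ssh, apache and openvpn hunks should copy.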
@@ -26,4 +26,8 @@ '/nest/tv:/tv', ], } + + firewalld_service { 'plex': + ensure => present, + } } diff --git a/metadata.json b/metadata.json index bb9ad8a6..ac169f53 100644 --- a/metadata.json +++ b/metadata.json @@ -32,10 +32,6 @@ "name": "puppetlabs-concat", "version_requirement": "4.x" }, - { - "name": "puppetlabs-firewall", - "version_requirement": "1.x" - }, { "name": "puppetlabs-mysql", "version_requirement": "5.x" @@ -52,6 +48,10 @@ "name": "puppetlabs-vcsrepo", "version_requirement": "2.x" }, + { + "name": "puppet-firewalld", + "version_requirement": "4.x" + }, { "name": "puppet-nodejs", "version_requirement": ">= 9.0.0 < 10.0.0"
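Review bot: The rule removed from manifests/node/falcon.pp opened only 32400/tcp, whereas firewalld's `plex` service definition is believed to also cover the discovery ports (1900/udp, 32410-32414/udp and 32469/tcp) — confirm against the installed firewalld; if only the web port is wanted, `firewalld_port { 'plex': port => 32400, protocol => tcp }` is the narrower equivalent. No `zone` is given, so the service is opened in the default zone on every host that includes this class rather than on falcon alone as before, and the resource is unconditional where the old rule was node-specific. A short comment recording that the exposure moved from the node manifest to the service class would help anyone auditing which hosts expose Plex.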