File Coverage

lib/Rex/Resource/firewall.pm

Criterion	Covered	Total	%
statement	20	20	100.0
branch			n/a
condition			n/a
subroutine	7	7	100.0
pod			n/a
total	27	27	100.0

line	stmt	sub	time	code
1				#
2				# (c) Jan Gehring
3				#
4
5				=head1 NAME
6
7				Rex::Resource::firewall - Firewall functions
8
9				=head1 DESCRIPTION
10
11				With this module it is easy to manage different firewall systems.
12
13				=head1 SYNOPSIS
14
15				# Configure a particular rule
16				task "configure_firewall", "server01", sub {
17				firewall "some-name",
18				ensure => "present",
19				proto => "tcp",
20				action => "accept",
21				source => "192.168.178.0/24",
22				destination => "192.168.1.0/24",
23				sport => 80,
24				sapp => 'www', # source application, if provider supports it
25				port => 80, # same as dport
26				dport => 80,
27				app => 'www', # same as dapp, destination application, if provider supports it
28				dapp => 'www', # destination application, if provider supports it
29				tcp_flags => ["FIN", "SYN", "RST"],
30				chain => "INPUT",
31				table => "nat",
32				jump => "LOG",
33				iniface => "eth0",
34				outiface => "eth1",
35				reject_with => "icmp-host-prohibited",
36				log => "new\|all", # if provider supports it
37				log_level => "", # if provider supports it
38				log_prefix => "FW:", # if provider supports it
39				state => "NEW",
40				ip_version => -4; # for iptables provider. valid options -4 and -6
41				};
42
43				# Add overall logging (if provider supports)
44				firewall "some-name",
45				provider => 'ufw',
46				logging => "medium";
47
48				=head1 EXPORTED RESOURCES
49
50				=over 4
51
52				=cut
53
54				package Rex::Resource::firewall;
55
56	32	32	471	use v5.12.5;
	32		124
57	32	32	161	use warnings;
	32		66
	32		1683
58
59				our $VERSION = '1.14.2.3'; # TRIAL VERSION
60
61	32	32	229	use Data::Dumper;
	32		90
	32		2005
62
63	32	32	234	use Rex -minimal;
	32		75
	32		648
64
65	32	32	260	use Rex::Commands::Gather;
	32		120
	32		327
66	32	32	443	use Rex::Resource::Common;
	32		171
	32		2080
67
68	32	32	242	use Carp;
	32		72
	32		16640
69
70				my $__provider = { default => "Rex::Resource::firewall::Provider::iptables", };
71
72				=item firewall($name, %params)
73
74				=cut
75
76				resource "firewall", { export => 1 }, sub {
77				my $rule_name = resource_name;
78
79				my $rule_config = {
80				action => param_lookup("action"),
81				ensure => param_lookup( "ensure", "present" ),
82				proto => param_lookup( "proto", undef ),
83				source => param_lookup( "source", undef ),
84				destination => param_lookup( "destination", undef ),
85				port => param_lookup( "port", undef ),
86				app => param_lookup( "app", undef ),
87				sport => param_lookup( "sport", undef ),
88				sapp => param_lookup( "sapp", undef ),
89				dport => param_lookup( "dport", undef ),
90				dapp => param_lookup( "dapp", undef ),
91				tcp_flags => param_lookup( "tcp_falgs", undef ),
92				chain => param_lookup( "chain", "input" ),
93				table => param_lookup( "table", "filter" ),
94				iniface => param_lookup( "iniface", undef ),
95				outiface => param_lookup( "outiface", undef ),
96				reject_with => param_lookup( "reject_with", undef ),
97				logging => param_lookup( "logging", undef ), # overall logging
98				log => param_lookup( "log", undef ), # logging for rule
99				log_level => param_lookup( "log_level", undef ), # logging for rule
100				log_prefix => param_lookup( "log_prefix", undef ),
101				state => param_lookup( "state", undef ),
102				ip_version => param_lookup( "ip_version", -4 ),
103				};
104
105				my $provider =
106				param_lookup( "provider", case ( lc(operating_system), $__provider ) );
107
108				if ( $provider !~ m/::/ ) {
109				$provider = "Rex::Resource::firewall::Provider::$provider";
110				}
111
112				$provider->require;
113				my $provider_o = $provider->new();
114
115				my $changed = 0;
116				if ( my $logging = $rule_config->{logging} ) {
117				if ( $provider_o->logging($logging) ) {
118				emit changed, "Firewall logging updated.";
119				}
120				}
121				elsif ( $rule_config->{ensure} eq "present" ) {
122				if ( $provider_o->present($rule_config) ) {
123				emit created, "Firewall rule created.";
124				}
125				}
126				elsif ( $rule_config->{ensure} eq "absent" ) {
127				if ( $provider_o->absent($rule_config) ) {
128				emit removed, "Firewall rule removed.";
129				}
130				}
131				elsif ( $rule_config->{ensure} eq "disabled" ) {
132				if ( $provider_o->disable($rule_config) ) {
133				emit changed, "Firewall disabled.";
134				}
135				}
136				elsif ( $rule_config->{ensure} eq "enabled" ) {
137				if ( $provider_o->enable($rule_config) ) {
138				emit changed, "Firewall enabled.";
139				}
140				}
141				else {
142				die "Error: $rule_config->{ensure} not a valid option for 'ensure'.";
143				}
144
145				};
146
147				=back
148
149				=cut
150
151				1;