From 75f9437dff7f59c67392dbbfab4d193520a4a7cd Mon Sep 17 00:00:00 2001 From: "Krueger,Daniel" Date: Thu, 8 Sep 2022 14:41:49 -0500 Subject: [PATCH 1/4] Add nftables.conf location resource -Added a resource to set the nftables.conf filepath based on OS platform. -Updated inspec tests --- kitchen.yml | 5 +++++ libraries/helpers_nftables.rb | 11 +++++++++++ resources/nftables.rb | 2 +- test/integration/nftables/inspec/nftables_spec.rb | 8 ++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/kitchen.yml b/kitchen.yml index ed08c680..4791d8d8 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -33,6 +33,7 @@ platforms: - name: freebsd-11 - name: freebsd-12 - name: opensuse-leap-15 + - name: oracle-8 - name: ubuntu-18.04 - name: ubuntu-20.04 - name: windows-2016 @@ -54,6 +55,7 @@ suites: - centos-8 - debian-9 - debian-10 + - oracle-8 - ubuntu-18.04 - ubuntu-20.04 - windows-2016 @@ -72,6 +74,7 @@ suites: - freebsd-11 - freebsd-12 - opensuse-leap-15 + - oracle-8 - windows-2016 - windows-2019 run_list: @@ -82,6 +85,7 @@ suites: excludes: - debian-9 - debian-10 + - oracle-8 - ubuntu-18.04 - ubuntu-20.04 - windows-2016 @@ -97,6 +101,7 @@ suites: - name: nftables includes: - debian-11 + - oracle-8 run_list: - recipe[nftables-test] diff --git a/libraries/helpers_nftables.rb b/libraries/helpers_nftables.rb index 1ac2dfd7..1d108f46 100644 --- a/libraries/helpers_nftables.rb +++ b/libraries/helpers_nftables.rb @@ -154,6 +154,17 @@ def ensure_default_rules_exist(new_resource) input = new_resource.rules || {} input.merge!(default_ruleset(new_resource)) end + + def nftables_conf_location + case node['platform_family'] + when 'rhel' + '/etc/sysconfig/nftables.conf' + when 'debian' + '/etc/nftables.conf' + else + raise "nftables_conf_location: Unsupported platform #{node['platform']}." + end + end end end end diff --git a/resources/nftables.rb b/resources/nftables.rb index c6e1c440..0f2413d1 100644 --- a/resources/nftables.rb +++ b/resources/nftables.rb 
@@ -40,7 +40,7 @@ action :rebuild do ensure_default_rules_exist(new_resource) - file '/etc/nftables.conf' do + file nftables_conf_location do content <<~NFT #!/usr/sbin/nft -f flush ruleset diff --git a/test/integration/nftables/inspec/nftables_spec.rb b/test/integration/nftables/inspec/nftables_spec.rb index 286c9d1b..8090e853 100644 --- a/test/integration/nftables/inspec/nftables_spec.rb +++ b/test/integration/nftables/inspec/nftables_spec.rb @@ -38,3 +38,11 @@ it { should be_enabled } it { should be_running } end + +describe file('/etc/sysconfig/nftables.conf') do + it { should exist } +end if os.redhat? + +describe file('/etc/nftables.conf') do + it { should exist } +end if os.debian? From eddf34eee9b5a5b6f7797dc896c122cc38909107 Mon Sep 17 00:00:00 2001 From: "Krueger,Daniel" Date: Thu, 8 Sep 2022 14:50:11 -0500 Subject: [PATCH 2/4] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8246722d..38fea9e0 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ Tested on: - Debian 11 with new resources for firewalld - CentOS 6 with iptables - CentOS 7.1 with firewalld +- Oracle 8 with nftables - Windows Server 2012r2 with Windows Advanced Firewall By default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file: From 88d5730321865918b987aa4ea617a41ac302496f Mon Sep 17 00:00:00 2001 From: "Krueger,Daniel" Date: Thu, 8 Sep 2022 15:48:43 -0500 Subject: [PATCH 3/4] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 274e9816..b82d66ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ This file is used to list changes made in each version of the firewall cookbook. ## Unreleased +- Add filepath selection based on OS for nftables.conf + ## 6.0.2 - *2022-05-15* Standardise files with files in sous-chefs/repo-management From 8761bc2309ec4a923f00597095d72577f1434130 Mon Sep 17 00:00:00 2001 
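Review bot: The two new `describe file(...)` blocks only assert `should exist`, so a distro-shipped or leftover nftables.conf at that path would pass even if the `:rebuild` action never wrote the managed ruleset. The resource writes content that begins with `#!/usr/sbin/nft -f` followed by `flush ruleset` (visible in the resources/nftables.rb hunk above), so adding `its('content') { should match(/^flush ruleset$/) }` to each block would pin that the cookbook-managed content actually landed at the platform-specific path. This relies on `os.redhat?` being true on the new oracle-8 platform, which I believe is the case but have not checked against the InSpec platform families.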
From: "Krueger,Daniel" Date: Tue, 13 Sep 2022 17:13:48 -0500 Subject: [PATCH 4/4] make nftables.conf filepath use a property --- libraries/helpers_nftables.rb | 4 ++-- resources/nftables.rb | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/libraries/helpers_nftables.rb b/libraries/helpers_nftables.rb index 1d108f46..eeba4e22 100644 --- a/libraries/helpers_nftables.rb +++ b/libraries/helpers_nftables.rb @@ -155,14 +155,14 @@ def ensure_default_rules_exist(new_resource) input.merge!(default_ruleset(new_resource)) end - def nftables_conf_location + def default_nftables_conf_path case node['platform_family'] when 'rhel' '/etc/sysconfig/nftables.conf' when 'debian' '/etc/nftables.conf' else - raise "nftables_conf_location: Unsupported platform #{node['platform']}." + raise "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}." end end end diff --git a/resources/nftables.rb b/resources/nftables.rb index 0f2413d1..7ddb3a2a 100644 --- a/resources/nftables.rb +++ b/resources/nftables.rb @@ -1,9 +1,7 @@ unified_mode true -action_class do - include FirewallCookbook::Helpers - include FirewallCookbook::Helpers::Nftables -end +include FirewallCookbook::Helpers +include FirewallCookbook::Helpers::Nftables provides :nftables, os: 'linux' @@ -29,6 +27,9 @@ property :table_ip6_nat, [true, false], default: false +property :nftables_conf_path, String, + description: 'nftables.conf filepath', + default: lazy { default_nftables_conf_path } action :install do package 'nftables' do @@ -40,7 +41,7 @@ action :rebuild do ensure_default_rules_exist(new_resource) - file nftables_conf_location do + file new_resource.nftables_conf_path do content <<~NFT #!/usr/sbin/nft -f flush ruleset
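Review bot: `default_nftables_conf_path` only handles the `rhel` and `debian` platform families, yet the resource is provided for every Linux (`provides :nftables, os: 'linux'` in the next hunk), so on any other family the `lazy` property default raises a bare RuntimeError whose message names the helper rather than the property a user could set to get past it. Make the failure actionable and typed: `raise ArgumentError, "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}; set the nftables_conf_path property explicitly."`. Families such as `fedora` or `amazon` may well use the same /etc/sysconfig layout and could join the `rhel` branch, but I have not verified their package layout, so that is a follow-up rather than part of this change. A one-line comment above the method noting that its value feeds the `nftables_conf_path` property default and that raising on unknown families is deliberate would help the next reader; the enclosing helper module starts before the hunk.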
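Review bot: Moving the two `include`s out of `action_class do ... end` to the resource's top level is what lets `lazy { default_nftables_conf_path }` resolve, but unless Chef forwards resource-level mixins into the action class (I do not believe it does under `unified_mode`), unqualified helper calls inside actions such as `ensure_default_rules_exist(new_resource)` in `:rebuild` would stop resolving. If the kitchen suite passes, the helpers must be reaching the action class by another path; either way, keeping the `action_class do include ... end` block alongside the new top-level includes is the safe option, with a comment such as `# Included at resource level as well so lazy property defaults can call default_nftables_conf_path` explaining the duplication. Including the full helper modules into the resource also makes every helper a public method of the resource object; if that wider surface is unwanted, a narrower module holding just the path helper would be cleaner.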