Merge branch 'mr-firewall-destination-ips' into 'master'

Add support for arrays of destination ips. See merge request !43

Merge branch 'mr-firewall-destination-ips' into 'master'
Add support for arrays of destination ips. See merge request !43
ef445b7e · m.pausch · 1833db09 · 13945983 · ef445b7e · ef445b7e
Commit ef445b7e authored Mar 28, 2022 by m.pausch
--- a/libraries/sys_helpers_firewall.rb
+++ b/libraries/sys_helpers_firewall.rb
@@ -42,6 +42,19 @@ module Sys
        end
      end

+      def build_set_of_ips(ips)
+        set_of_ips = Array(ips).map { |ip| IPAddr.new(ip) }
+
+        # Only works on buster and newer. In older debian-versions
+        # there is no prefix-method for IPv4-addresses.
+        addrs = set_of_ips.map { |ip| "#{ip}/#{ip.prefix}" }
+        if addrs.length == 1
+          addrs.first
+        else
+          "{#{addrs.join(', ')}}"
+        end
+      end
+
      def port_to_s(p)
        if p.is_a?(String)
          p
@@ -116,19 +129,14 @@ module Sys
        firewall_rule << "oif #{rule_resource.dest_interface} " if rule_resource.dest_interface

        if rule_resource.source
-          source_ips = Array(rule_resource.source).map { |ip| IPAddr.new(ip) }
-          source_ips.delete(IPAddr.new('0.0.0.0/0'))
-          source_ips.delete(IPAddr.new('::/128'))
-          # Only works on buster and newer. In older debian-versions
-          # there is no prefix-method for IPv4-addresses.
-          addrs = source_ips.map { |ip| "#{ip}/#{ip.prefix}" }
-          if addrs.length == 1
-            firewall_rule << "#{ip_family} saddr #{addrs.first} "
-          elsif addrs.length > 1
-            firewall_rule << "#{ip_family} saddr {#{addrs.join(',')}} "
-          end
+          source_set = build_set_of_ips(rule_resource.source)
+          firewall_rule << "#{ip_family} saddr #{source_set} "
+        end
+
+        if rule_resource.destination
+          destination_set = build_set_of_ips(rule_resource.destination)
+          firewall_rule << "#{ip_family} daddr #{destination_set} "
        end
-        firewall_rule << "#{ip_family} daddr #{rule_resource.destination} " if rule_resource.destination

        case rule_resource.protocol
        when :icmp

--- a/metadata.rb
+++ b/metadata.rb
@@ -16,4 +16,4 @@ supports         'debian'
 depends          'line', '< 1.0'
 depends          'chef-vault'

-version          '1.64.1'
+version          '1.64.2'
--- a/recipes/firewall.rb
+++ b/recipes/firewall.rb
@@ -45,7 +45,6 @@ end

 firewall_rule 'allow world to ssh' do
  port 22
-  source '0.0.0.0/0'
  only_if { node['sys']['firewall']['allow_ssh'] }
 end


--- a/test/fixtures/cookbooks/firewall-test/recipes/default.rb
+++ b/test/fixtures/cookbooks/firewall-test/recipes/default.rb
@@ -68,6 +68,17 @@ firewall_rule 'block ip-range' do
  command :drop
 end

+firewall_rule "block single destination ip" do
+  destination '192.168.99.99'
+  position 49
+  command :reject
+end
+
+firewall_rule 'block destination ip-range' do
+  destination ['192.168.99.99', '192.168.100.100']
+  command :drop
+end
+
 firewall_rule 'ipv6-source' do
  port 80
  family :ip6

--- a/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
+++ b/test/integration/sys_firewall/serverspec/localhost/firewall_spec.rb
@@ -30,13 +30,14 @@ expected_rules = [
  /\s+tcp dport 7788 accept.*/,
  /\s+ip saddr 192.168.99.99 reject.*/,
  /\s+ip saddr { 192.168.99.99, 192.168.100.100 } drop.*/,
+  /\s+ip daddr 192.168.99.99 reject.*/,
+  /\s+ip daddr { 192.168.99.99, 192.168.100.100 } drop.*/,
  /\s+iif "lo" accept comment "allow loopback"/,
  /\s+icmp type echo-request accept.*$/,
  /\s+tcp dport 22 accept.*$/,
  /\s+udp dport 60000-61000 accept.*$/,
  /\s+ct state established,related accept.*$/,
  /\s+icmpv6 type { echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept.*$/,
-  /\s+tcp dport 22 accept.*$/,
  /\s+tcp dport { 2200, 2222 } accept.*$/,
  /\s+tcp dport 1234 drop.*$/,
  /\s+tcp dport 1235 reject.*$/,