Merge pull request #156 from crayfishx/feature/log_denied

Added --set-log-denied option
voxpupuli · Sep 20, 2017 · 17bf8d8 · 17bf8d8
2 parents b48c3a7 + 2866717
commit 17bf8d8
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ class { 'firewalld': }
 * `service_ensure`: Whether the service should be running or not (default: running)
 * `service_enable`: Whether to enable the service
 * `default_zone`: Optional, set the default zone for interfaces (default: undef)
+* `log_denied`: Optional, (firewalld-0.4.3.2-8+) Log denied packets, can be one of `off`, `all`, `multicast`, `unicast`, `broadcast` (default: undef)
 * `zones`: A hash of [firewalld zones](#firewalld-zones) to configure
 * `ports`: A hash of [firewalld ports](#firewalld-ports) to configure
 * `services`: A hash of [firewalld services](#firewalld-service) to configure

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -57,7 +57,8 @@
   Boolean $purge_direct_rules        = false,
   Boolean $purge_direct_chains       = false,
   Boolean $purge_direct_passthroughs = false,
-  Optional[String]  $default_zone     = undef
+  Optional[String] $default_zone     = undef,
+  Optional[Enum['off','all','unicast','broadcast','multicast']] $log_denied = undef
 ) {
 
     package { $package:
@@ -174,6 +175,12 @@
       }
     }
 
+    if $log_denied {
+      exec { 'firewalld::set_log_denied':
+        command => "firewall-cmd --set-log-denied ${log_denied} && firewall-cmd --reload",
+        unless  => "[ $(firewall-cmd --get-log-denied) = ${log_denied} ]",
+      }
+    }
 
     # Set dependencies using resource chaining so that resource declarations made
     # outside of this class (eg: from the profile) also get their dependencies set

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -176,4 +176,36 @@
     end
   end
 
+  context 'with default_zone' do
+    let(:params) do
+      {
+        :default_zone => 'public'
+      }
+    end
+
+    it do
+      should contain_exec('firewalld::set_default_zone').with(
+        :command => 'firewall-cmd --set-default-zone public',
+        :unless  => '[ $(firewall-cmd --get-default-zone) = public ]',
+      ).that_requires('Exec[firewalld::reload]')
+    end
+  end
+
+  [ 'unicast', 'broadcast', 'multicast', 'all', 'off' ].each do |cond|
+    context "with log_denied set to #{cond}" do
+      let(:params) do
+        {
+          :log_denied => cond
+        }
+      end
+
+      it do
+        should contain_exec('firewalld::set_log_denied').with(
+          :command => "firewall-cmd --set-log-denied #{cond} && firewall-cmd --reload",
+          :unless => "[ \$\(firewall-cmd --get-log-denied) = #{cond} ]"
+        )
+      end
+    end
+  end
+
 end
diff --git a/tests/test.pp b/tests/test.pp
@@ -1,6 +1,6 @@
 
 class { 'firewalld':
-  default_zone => 'restricted',
+  log_denied => 'multicast'
 }
 
 firewalld_zone { 'restricted':
@@ -9,3 +9,13 @@
   purge_rich_rules => true,
 }
 
+firewalld_rich_rule { 'McAffee':
+  ensure => present,
+  source => '10.10.10.50',
+  port   => {
+    'port'     => 8803,
+    'protocol' => 'tcp',
+  },
+  zone   => 'public',
+  action => 'accept',
+}