From 5cf59a05b7ec404b18ab95403759b363108061c6 Mon Sep 17 00:00:00 2001
From: danielpkrueger
Date: Thu, 15 Sep 2022 09:44:09 -0500
Subject: [PATCH] [GH-253] Add filepath selection based on OS for nftables.conf (#255)

* Add nftables.conf location based on OS to nftables resource
---
 CHANGELOG.md | 2 ++
 README.md | 1 +
 kitchen.yml | 5 +++++
 libraries/helpers_nftables.rb | 11 +++++++++++
 resources/nftables.rb | 11 ++++++-----
 test/integration/nftables/inspec/nftables_spec.rb | 8 ++++++++
 6 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 274e9816..b82d66ef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ This file is used to list changes made in each version of the firewall cookbook.
 
 ## Unreleased
 
+- Add filepath selection based on OS for nftables.conf
+
 ## 6.0.2 - *2022-05-15*
 
 Standardise files with files in sous-chefs/repo-management
diff --git a/README.md b/README.md
index 8246722d..38fea9e0 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@ Tested on:
 - Debian 11 with new resources for firewalld
 - CentOS 6 with iptables
 - CentOS 7.1 with firewalld
+- Oracle 8 with nftables
 - Windows Server 2012r2 with Windows Advanced Firewall
 
 By default, Ubuntu chooses ufw. To switch to iptables, set this in an attribute file:
diff --git a/kitchen.yml b/kitchen.yml
index ed08c680..4791d8d8 100644
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -33,6 +33,7 @@ platforms:
   - name: freebsd-11
   - name: freebsd-12
   - name: opensuse-leap-15
+  - name: oracle-8
   - name: ubuntu-18.04
   - name: ubuntu-20.04
   - name: windows-2016
@@ -54,6 +55,7 @@ suites:
       - centos-8
       - debian-9
       - debian-10
+      - oracle-8
       - ubuntu-18.04
       - ubuntu-20.04
       - windows-2016
@@ -72,6 +74,7 @@ suites:
       - freebsd-11
       - freebsd-12
       - opensuse-leap-15
+      - oracle-8
       - windows-2016
       - windows-2019
     run_list:
@@ -82,6 +85,7 @@ suites:
     excludes:
       - debian-9
       - debian-10
+      - oracle-8
       - ubuntu-18.04
       - ubuntu-20.04
       - windows-2016
@@ -97,6 +101,7 @@ suites:
 
   - name: nftables
     includes:
       - debian-11
+      - oracle-8
     run_list:
       - recipe[nftables-test]
diff --git a/libraries/helpers_nftables.rb b/libraries/helpers_nftables.rb
index 1ac2dfd7..eeba4e22 100644
--- a/libraries/helpers_nftables.rb
+++ b/libraries/helpers_nftables.rb
@@ -154,6 +154,17 @@ def ensure_default_rules_exist(new_resource)
         input = new_resource.rules || {}
         input.merge!(default_ruleset(new_resource))
       end
+
+      def default_nftables_conf_path
+        case node['platform_family']
+        when 'rhel'
+          '/etc/sysconfig/nftables.conf'
+        when 'debian'
+          '/etc/nftables.conf'
+        else
+          raise "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}."
+        end
+      end
     end
   end
 end
diff --git a/resources/nftables.rb b/resources/nftables.rb
index c6e1c440..7ddb3a2a 100644
--- a/resources/nftables.rb
+++ b/resources/nftables.rb
@@ -1,9 +1,7 @@
 unified_mode true
 
-action_class do
-  include FirewallCookbook::Helpers
-  include FirewallCookbook::Helpers::Nftables
-end
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Nftables
 
 provides :nftables, os: 'linux'
 
@@ -29,6 +27,9 @@
 
 property :table_ip6_nat, [true, false],
          default: false
+property :nftables_conf_path, String,
+         description: 'nftables.conf filepath',
+         default: lazy { default_nftables_conf_path }
 
 action :install do
   package 'nftables' do
@@ -40,7 +41,7 @@
 action :rebuild do
   ensure_default_rules_exist(new_resource)
 
-  file '/etc/nftables.conf' do
+  file new_resource.nftables_conf_path do
     content <<~NFT
       #!/usr/sbin/nft -f
       flush ruleset
diff --git a/test/integration/nftables/inspec/nftables_spec.rb b/test/integration/nftables/inspec/nftables_spec.rb
index 286c9d1b..8090e853 100644
--- a/test/integration/nftables/inspec/nftables_spec.rb
+++ b/test/integration/nftables/inspec/nftables_spec.rb
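Review bot: `default_nftables_conf_path` has no documentation and its `else` branch raises a bare string (a `RuntimeError`), so on any Linux family other than `rhel` and `debian` the `nftables` resource, which the resource file declares for all of `os: 'linux'`, fails only at the point where the lazy default is first read, with nothing in the helper saying that the caller is expected to set `nftables_conf_path` explicitly. Suggest a header comment above the `def`: `# Default path of the generated nftables ruleset file, chosen by platform_family; other families must set the nftables_conf_path property explicitly.` A typed error would also let a wrapper cookbook rescue it deliberately: `raise ArgumentError, "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}."`. The enclosing `module Nftables` and its parents start outside the hunk.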
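Review bot: The `lazy { default_nftables_conf_path }` default in the second hunk of resources/nftables.rb is the reason the two `include` lines were moved out of `action_class` in the first hunk, yet the actions still call the same helpers directly (`ensure_default_rules_exist(new_resource)` in the third hunk), which presumably now depends on Chef delegating the resource's public methods into the action class rather than on an explicit include; that coupling is invisible to the next maintainer and deserves a comment next to the includes, e.g. `# Included on the resource (not action_class) so lazy property defaults can call the helpers; actions reach them via the resource DSL`. The property description should also say that the default is platform-family dependent and raises for unsupported families, e.g. `description: 'Path of the generated nftables.conf; defaults per platform_family (rhel, debian), otherwise must be set'`. Note that the failure for an unsupported family surfaces only when `:rebuild` reads the property, so `:install` succeeds on such a node and the converge breaks later.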
@@ -38,3 +38,11 @@
   it { should be_enabled }
   it { should be_running }
 end
+
+describe file('/etc/sysconfig/nftables.conf') do
+  it { should exist }
+end if os.redhat?
+
+describe file('/etc/nftables.conf') do
+  it { should exist }
+end if os.debian?
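Review bot: The two new `describe file(...)` blocks assert only that the path exists, which on a RHEL-family box may already hold before the cookbook runs if the package ships its own `/etc/sysconfig/nftables.conf`, so the test does not show that the resource's `:rebuild` action actually wrote the file. Adding `its('content') { should match(/flush ruleset/) }` inside each block ties the check to the heredoc written by resources/nftables.rb. The `end if os.redhat?` / `end if os.debian?` modifiers work in InSpec, but a single `if os.redhat? … elsif os.debian? … end` around the pair would make the mutual exclusion explicit and give one place to add other families later.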