Merge pull request #16 from lazyfrosch/master

Added protocol as parameter to fail2ban jails

.travis.yml

@@ -4,7 +4,7 @@ rvm:
   - 1.8.7
   - 1.9.3
   - 2.0.0
-script: "bundle exec rake spec SPEC_OPTS='--format documentation'"
+script: "bundle exec rake spec SPEC_OPTS='--format documentation' && bundle exec rake test"
 branches:
   only:
     master

Modulefile

@@ -1,5 +1,5 @@
 name    'netmanagers-fail2ban'
-version '1.2.1'
+version '1.4.0'
 author  'Javier Bertoli'
 license 'Apache2'
 project_page 'http://www.netmanagers.com.ar'

Rakefile

@@ -1,5 +1,41 @@
-require 'rubygems'
 require 'puppetlabs_spec_helper/rake_tasks'
 require 'puppet-lint/tasks/puppet-lint'
-PuppetLint.configuration.send('disable_80chars')
+require 'puppet-syntax/tasks/puppet-syntax'
+
+# These two gems aren't always present, for instance
+# on Travis with --without development
+begin
+  require 'rspec-system/rake_task'
+rescue LoadError
+end
+
+begin
+  require 'puppet_blacksmith/rake_tasks'
+rescue LoadError
+end
+
+PuppetLint.configuration.send("disable_80chars")
+PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}"
+PuppetLint.configuration.fail_on_warnings = true
+PuppetLint.configuration.relative = true
+
+# Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
+# http://puppet-lint.com/checks/class_parameter_defaults/
 PuppetLint.configuration.send('disable_class_parameter_defaults')
+# http://puppet-lint.com/checks/class_inherits_from_params_class/
+PuppetLint.configuration.send('disable_class_inherits_from_params_class')
+
+exclude_paths = [
+  "pkg/**/*",
+  "vendor/**/*",
+  "spec/**/*",
+]
+PuppetLint.configuration.ignore_paths = exclude_paths
+PuppetSyntax.exclude_paths = exclude_paths
+
+desc "Run syntax, lint, and spec tests."
+task :test => [
+  :syntax,
+  :lint,
+  :spec,
+]

manifests/init.pp

@@ -31,6 +31,14 @@
 #   (source => $source_dir , recurse => true , purge => true)
 #   Can be defined also by the (top scope) variable $fail2ban_source_dir_purge
 #
+# [*source_dir_owner*]
+#   Configuration directory owner
+#   Default: root
+#
+# [*source_dir_group*]
+#   Configuration directory group
+#   Default: root
+#
 # [*template*]
 #   Sets the path to the template to use as content for main configuration file
 #   If defined, fail2ban main config file has: content => content("$template")
@@ -278,6 +286,8 @@ class fail2ban (
   $source                = params_lookup( 'source' ),
   $source_dir            = params_lookup( 'source_dir' ),
   $source_dir_purge      = params_lookup( 'source_dir_purge' ),
+  $source_dir_owner      = params_lookup( 'source_dir_owner' ),
+  $source_dir_group      = params_lookup( 'source_dir_group' ),
   $template              = params_lookup( 'template' ),
   $service_autorestart   = params_lookup( 'service_autorestart' , 'global' ),
   $options               = params_lookup( 'options' ),
@@ -412,18 +422,18 @@ class fail2ban (
 
   ### Managed resources
   package { $fail2ban::package:
-    ensure  => $fail2ban::manage_package,
-    noop    => $fail2ban::noops,
+    ensure => $fail2ban::manage_package,
+    noop   => $fail2ban::noops,
   }
 
   service { 'fail2ban':
-    ensure     => $fail2ban::manage_service_ensure,
-    name       => $fail2ban::service,
-    enable     => $fail2ban::manage_service_enable,
-    hasstatus  => $fail2ban::service_status,
-    pattern    => $fail2ban::process,
-    require    => Package[$fail2ban::package],
-    noop       => $fail2ban::noops,
+    ensure    => $fail2ban::manage_service_ensure,
+    name      => $fail2ban::service,
+    enable    => $fail2ban::manage_service_enable,
+    hasstatus => $fail2ban::service_status,
+    pattern   => $fail2ban::process,
+    require   => Package[$fail2ban::package],
+    noop      => $fail2ban::noops,
   }
 
   if $fail2ban::manage_file_source
@@ -497,6 +507,8 @@ class fail2ban (
       source  => $fail2ban::source_dir,
       recurse => true,
       purge   => $fail2ban::bool_source_dir_purge,
+      owner   => $fail2ban::source_dir_owner,
+      group   => $fail2ban::source_dir_group,
       force   => $fail2ban::bool_source_dir_purge,
       replace => $fail2ban::manage_file_replace,
       audit   => $fail2ban::manage_audit,

manifests/jail.pp

@@ -15,7 +15,9 @@
 #             Defaults to true
 # $filter   - The filter rule to use.
 #             If empty, defaults to == $jailname.
+# $ignoreip - Don't ban a host which matches an address in this list.
 # $port     - The port to filter. It can be an array of ports.
+# $protocol - The protocol for this jail's action.
 # $logpath  - The log file to monitor
 # $maxretry - How many fails are acceptable
 # $action   - The action to take when fail2ban finds $maxretry $filter-matching
@@ -29,7 +31,9 @@ define fail2ban::jail (
   $order     = '',
   $status    = '',
   $filter    = '',
+  $ignoreip  = '',
   $port      = '',
+  $protocol  = '',
   $action    = '',
   $logpath   = '',
   $maxretry  = '',
@@ -62,6 +66,14 @@ define fail2ban::jail (
     default => $filter,
   }
 
+  $array_ignoreip = is_array($ignoreip) ? {
+    false     => $ignoreip ? {
+      ''      => [],
+      default => [$ignoreip],
+    },
+    default   => $ignoreip,
+  }
+
   $array_port = is_array($port) ? {
     false     => $port ? {
       ''      => [],
@@ -70,6 +82,11 @@ define fail2ban::jail (
     default   => $port,
   }
 
+  $real_protocol = $protocol ? {
+    ''      => undef,
+    default => $protocol,
+  }
+
   $array_action = is_array($action) ? {
     false     => $action ? {
       ''      => [],

manifests/params.pp

@@ -133,6 +133,8 @@ class fail2ban::params {
   $template = ''
   $source_dir = ''
   $source_dir_purge = false
+  $source_dir_owner = 'root'
+  $source_dir_group = 'root'
   $options = ''
   $service_autorestart = true
   $version = 'present'

spec/defines/fail2ban_jail_spec.rb

@@ -37,8 +37,10 @@ filter   = fail2ban::jail
       {
         :name     => 'sample1',
         :port     => ['42', '43'],
+        :protocol => 'udp',
         :logpath  => '/path/to/somelog',
         :enable   => true,
+        :ignoreip => [ '10.3.2.0/24', '192.168.56.0/24' ],
         :findtime => '9000',
         :maxretry => '5',
         :bantime  => '3600',
@@ -53,7 +55,9 @@ filter   = fail2ban::jail
 [fail2ban::jail]
 enabled  = true
 filter   = fail2ban::jail
+ignoreip = 10.3.2.0/24 192.168.56.0/24
 port     = 42,43
+protocol = udp
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
 	mail-whois[name=SSH, dest=yourmail@mail.com]
 logpath  = /path/to/somelog

templates/concat/jail.local-stanza.erb

@@ -4,9 +4,15 @@ enabled  = <%= @real_status %>
 <% if @real_filter != '' -%>
 filter   = <%= @real_filter %>
 <% end -%>
+<% if @array_ignoreip != [] -%>
+ignoreip = <%= @array_ignoreip * ' ' %>
+<% end -%>
 <% if @array_port != [] -%>
 port     = <%= @array_port * ',' %>
 <% end -%>
+<% if @real_protocol -%>
+protocol = <%= @real_protocol %>
+<% end -%>
 <% if @array_action != [] -%>
 action   = <%= @array_action.join("\n\t") %>
 <% end -%>

templates/jail.local.erb

@@ -1,6 +1,6 @@
 # This file is managed by Puppet. DO NOT EDIT.
 [DEFAULT]
-ignoreip = <%= scope.lookupvar('fail2ban::ignoreip') %>
+ignoreip = <%= scope.lookupvar('fail2ban::ignoreip') * ' ' %>
 bantime  = <%= scope.lookupvar('fail2ban::bantime') %>
 findtime = <%= scope.lookupvar('fail2ban::findtime') %>
 maxretry = <%= scope.lookupvar('fail2ban::maxretry') %>