Skip to content

Commit

Permalink
Use new template for firewall package/service rules on Ubuntu 24.04
Browse files Browse the repository at this point in the history 
This change modifies the firewall package/service rules to use the templates
`..._guard_var` introduced in ComplianceAsCode#11818 to selectively install the firewall
that is chosen by the var_network_filtering_service

It also fixes the platform applicability on Ubuntu 24.04 since it
both required firewalld and required that conflicting services
be disabled when installing packages. This interfered with the
logic introduced in the new templates and could result in a
package/service not be installed/enabled.

For example, if the user selected 'nftables' as their firewall
using the new template and variable, the rule package_nftables_installed
would still be marked as not applicable because the ufw service is enabled
by default on some installations. The proposed solution removes the
applicability check and installs the package depending only on the choice of
var_network_filtering_service, irrespective of the status of the ufw service.
  • Loading branch information
@mpurg
mpurg committed Jan 27, 2025
1 parent 76c428b commit 03ca0e6
Show file tree
Hide file tree
Showing 7 changed files with 45 additions and 12 deletions.
2 changes: 1 addition & 1 deletion linux_os/guide/system/network/network-iptables/package_iptables_installed/rule.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ ocil_clause: 'the package is not installed'

ocil: '{{{ ocil_package(package="iptables") }}}'

{{%- if product in [ "sle12", "sle15" ] %}}
{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
Expand Down
10 changes: 9 additions & 1 deletion linux_os/guide/system/network/network-nftables/package_nftables_installed/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Install nftables Package'

description: |-
Expand Down Expand Up @@ -36,10 +35,19 @@ ocil: '{{{ ocil_package(package="nftables") }}}'

platform: system_with_kernel and service_disabled[iptables] and service_disabled[ufw]

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
pkgname: nftables
variable: var_network_filtering_service
value: nftables
{{%- else %}}
template:
name: package_installed
vars:
pkgname: nftables
{{%- endif %}}

fixtext: |-
{{{ describe_package_install(package="nftables") }}}
3 changes: 1 addition & 2 deletions linux_os/guide/system/network/network-nftables/service_nftables_disabled/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Verify nftables Service is Disabled'

description: |-
Expand Down Expand Up @@ -38,7 +37,7 @@ fixtext: '{{{ fixtext_service_disabled("nftables") }}}'

platform: system_with_kernel and package[nftables] and package[firewalld]

{{%- if product in [ "sle12", "sle15" ] %}}
{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}}
template:
name: service_disabled_guard_var
vars:
Expand Down
5 changes: 1 addition & 4 deletions linux_os/guide/system/network/network-nftables/service_nftables_enabled/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Verify nftables Service is Enabled'

description: |-
Expand Down Expand Up @@ -34,11 +33,9 @@ ocil: |-
fixtext: |-
{{{ fixtext_service_enabled("nftables") }}}
platform: system_with_kernel and package[nftables] and service_disabled[firewalld]


{{%- if product in [ "sle12", "sle15" ] %}}
{{%- if product in [ "sle12", "sle15", "ubuntu2404" ] %}}
template:
name: service_enabled_guard_var
vars:
Expand Down
11 changes: 10 additions & 1 deletion linux_os/guide/system/network/network-ufw/package_ufw_installed/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Install ufw Package'

description: |-
Expand All @@ -25,7 +24,17 @@ ocil_clause: 'the package is not installed'

ocil: '{{{ ocil_package(package="ufw") }}}'

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_installed_guard_var
vars:
pkgname: ufw
variable: var_network_filtering_service
value: ufw
operation: pattern match
{{%- else %}}
template:
name: package_installed
vars:
pkgname: ufw
{{%- endif %}}
12 changes: 11 additions & 1 deletion linux_os/guide/system/network/network-ufw/package_ufw_removed/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
documentation_complete: true


title: 'Remove ufw Package'

description: |-
Expand All @@ -20,10 +19,21 @@ ocil_clause: 'the package is installed'

ocil: '{{{ ocil_package(package="ufw") }}}'

platform: system_with_kernel

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: package_removed_guard_var
vars:
pkgname: ufw
variable: var_network_filtering_service
value: ufw
{{%- else %}}
template:
name: package_removed
vars:
pkgname: ufw
{{%- endif %}}

fixtext: |-
{{{ describe_package_remove(package="ufw") }}}
14 changes: 12 additions & 2 deletions linux_os/guide/system/network/network-ufw/service_ufw_enabled/rule.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,19 @@ ocil_clause: 'the service is not enabled'
ocil: |-
{{{ ocil_service_enabled(service="ufw") }}}
platform: system_with_kernel and package[ufw]

{{%- if product in [ "ubuntu2404" ] %}}
template:
name: service_enabled_guard_var
vars:
packagename: ufw
servicename: ufw
variable: var_network_filtering_service
value: ufw
{{%- else %}}
template:
name: service_enabled
vars:
servicename: ufw

platform: system_with_kernel and package[ufw]
{{%- endif %}}

0 comments on commit 03ca0e6

Please sign in to comment.