Reinstating $failsafe_ssh

See: example42#34

Resolves example42#34

Author: Freeaqingme

Diff for: manifests/init.pp

@@ -51,6 +51,12 @@
 # [*enable_v6*]
 #   Use this module with IPv6. Defaults to false.
 #
+# [*failsafe_ssh*]
+#   Bool. Insert a rule allowing iptables at all cost. This is to prevent accidental
+#   lockouts when implementing this module. You may want to disable this, and add
+#   the desired rules yourself (allowing to implement specific white- and blacklists,
+#   as well as blocking bruteforce attacks).
+#
 # [*template*]
 #   The template file to use when config=file
 #
@@ -149,6 +155,7 @@
   $default_order            = 5000,
   $enable_v4                = $iptables::params::enable_v4,
   $enable_v6                = $iptables::params::enable_v6,
+  $failsafe_ssh             = true,
   $template                 = '',
   $mode                     = 'concat',
   $version                  = 'present',
@@ -266,8 +273,11 @@
 
   include iptables::ruleset::default_action
   include iptables::ruleset::loopback
+  
+  if any2bool($failsafe_ssh) {
+    include iptables::ruleset::failsafe_ssh
+  }
 
-  # Todo: For now this always evaluates to false, no service is getting restarted
   if ! $bool_service_override_restart {
     service { 'iptables':
       ensure     => $iptables::manage_service_ensure,

Diff for: manifests/ruleset/failsafe_ssh.pp

@@ -0,0 +1,30 @@
+
+class iptables::ruleset::failsafe_ssh (
+  $chains          = [ 'INPUT', 'OUTPUT' ],
+  $target          = 'ACCEPT',
+  $order           = 11,
+  $port            = 22,
+  $log             = false,
+  $log_prefix      = $iptables::log_prefix,
+  $log_limit_burst = $iptables::log_limit_burst,
+  $log_limit       = $iptables::log_limit,
+  $log_level       = $iptables::log_level,
+) {
+  
+  $discard = iptables_declare_multiple('iptables::rule',
+    $chains, 'example42-failsafe-ssh-###name###',
+  {
+    table           => 'filter',
+    chain           => '###name###',
+    target          => $target,
+    protocol        => 'tcp',
+    port            => $port,
+    order           => $order,
+    log             => $log,
+    log_prefix      => $log_prefix,
+    log_limit_burst => $log_limit_burst,
+    log_limit       => $log_limit,
+    log_level       => $log_level
+  })
+
+}