rirs

Provides functions that expose data from Regional Internet Registries

Module Stats

8,835 downloads

8,603 latest version

4.1 quality score

Support the Puppet Community by contributing to this module

You are welcome to contribute to this module by suggesting new features, currency updates, or fixes. Every contribution is valuable to help ensure that the module remains compatible with the latest Puppet versions and continues to meet community needs. Complete the following steps:

Review the module’s contribution guidelines and any licenses. Ensure that your planned contribution aligns with the author’s standards and any legal requirements.
Fork the repository on GitHub, make changes on a branch of your fork, and submit a pull request. The pull request must clearly document your proposed change.

For questions about updating the module, contact the module’s author.

Version information

released Jul 18th 2015

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'jethrocarr-rirs', '1.1.0'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add jethrocarr-rirs

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install jethrocarr-rirs --version 1.1.0

Documentation

jethrocarr/rirs — version 1.1.0 Jul 18th 2015

puppet-rirs

Provides custom Puppet functions that allow lookup of data provided by Regional Internet Registries such as IP allocations, useful for purposes like generating geographical IP Access Control Lists (essentially GeoIP rules).

Currently we have the one function (rir_allocations) but additional functions or facts could always be added in future such as AS numbers if desired.

If you are not familar with the different RIRs, they exist to manage the allocation and registration of internet number resources. There are 5 RIRs which cover different regions:

Registry	Region
AFRNIC	Africa Region
APNIC	Asia/Pacific Region
ARIN	North America Region
LACNIC	Latin America and some Caribbean Islands
RIPE NCC	Europe, the Middle East, and Central Asia

rir_allocations (registry, inet, country)

Returns IP ranges allocated to the various Regional Internet Registries around the world by type (ipv4 vs ipv6) and their geographical country assignment.

This function is very useful as a replacement for GeoIP modules as instead of requiring per-app support, you can simply use Puppet to take the output from this function and generate the designed configuration or ACLs.

As the data from the RIRs only gets updated daily, this function caches the results and only refreshes every 24 hours. If a refresh fails (eg network issue) it falls back to serving stale cache so there's no sudden change of configuration as long as the cache files remain on disk (generally in /tmp)

Note that unlike a GeoIP provider there's no curation taking place, we assume the country an IP range has been allocated to, is where it is being used - but this is not always true, so your milage may vary.

Parameters & Output

Parameter	Values
registry	One of: afrnic, apnic, arin, lacnic, ripe-ncc
inet	Either: ipv4 or ipv6
country	Optional: Filter to a particular 2-char country

The function returns either two different outputs. If a country code has NOT been supplied, it returns a hash of countries with an array of IP addresses for each country.

If a country code HAS been supplied, it returns an array of all the IP addresses allocated to that country.

Return format of addresses is always IP/CIDR for both IPv4 and IPv6.

Usage Examples

You can call the rir_allocations function from inside your Puppet manifests and even iterate through them inside Puppet's DSL, or you can use it directly from ERB templates.

Usage in Puppet Resources

This is an example of setting iptables rules that restrict traffic to SSH to New Zealand (APNIC/NZ) IPv6 addresses using the puppetlabs/firewall module with ip6tables provider for Linux:

# Use jethrocarr-rirs rir_allocations function to get an array of all IP
# addresses belonging to NZ IPv6 allocations and then create iptables
# rules for each of them accordingly.
#
# Note we use a old style interation (pre future parser) to ensure
# compatibility with Puppet 3 systems. In future when 4.x+ is standard we
# could rewite with a newer loop approach as per:
# https://docs.puppetlabs.com/puppet/latest/reference/lang_iteration.html

define s_firewall::ssh_ipv6 ($address = $title) {
  firewall { "004 V6 Permit SSH ${address}":
    provider => 'ip6tables',
    proto    => 'tcp',
    port     => '22',
    source   => $address,
    action   => 'accept',
  }  
}

$ipv6_allocations = rir_allocations('apnic', 'ipv6', 'nz')
s_firewall::pre::ssh_ipv6 { $ipv6_allocations: }

Note that due to the use of Puppet 3 compatible iterator, you'll need to rename s_firewall::ssh_ipv6 to yourmodule::yourclass::ssh_ipv6 as the definition has to be a child of the module/class that it's inside of - in the above example, it lives in s_firewall/manifests/init.pp.

This example can also be a big performance hit to your first Puppet run since it has to create many hundreds of resources on the first run - the bigger the country the bigger the impact could end up being.

Usage in Puppet ERB Templates

If you want to provide the list of addresses to configuration files or scripts rather than using it to create Puppet resources, it's entirely possible to call the function directly from inside ERB templates. The following is an example of generating Apache mod_access_compat rules to restrict visitors from New Zealand (APNIC/NZ) IPv4 and IPv6 addresses only.

<Location "/admin">
  Order deny,allow
  Deny from all

  # Use the jethrocarr-rirs Puppet module functions to lookup the IP
  # allocations from APNIC for New Zealand. This works better than the
  # buggy mod_geoip module since it supports both IPv4 and IPv6 concurrently.

  <% scope.function_rir_allocations(['apnic', 'ipv4', 'nz']).each do |ipv4| -%>
    Allow from <%= ipv4 %>
  <% end -%>
  <% scope.function_rir_allocations(['apnic', 'ipv6', 'nz']).each do |ipv6| -%>
    Allow from <%= ipv6 %>
  <% end -%>
</Location>

Remember the larger registries and countries can have thousands of address allocations, make sure you know the impact of generating so many rules in your application configurations.

Requirements

The minimum requirements are met by most systems:

Standard Ruby environment.
Ability to connect to remote HTTP webservers to download latest data.

However a big performance improvement can be made by installing the netaddr third party Gem. This will slow down the initial run of the function considerably, but it performs a merge of all consecutive ranges returned per-country which means far smaller output being fed into Puppet resources or configuration files. For example, APNIC's entire v4 and v6 allocation is around 33k records unmerged vs 24k when merged by country.

If you're planning to use this function to generate resources such as iptables firewall policies, you almost certainly want to install netaddr:

gem install netaddr

If the gem is not installed, the merge process is skipped over but a notice is added to the Puppet master logs reminding/recommending the installation of netaddr for everyone whom didn't read this README.md like you did. :-)

Development

Contributions via the form of Pull Requests is always welcome!

Nice to have features

General improvements to existing logic are always good, but additional functions or facts relating to RIR-sourced data is also welcome. Some ideas:

Pulling AS numbers could potentially be useful at some point for people running networks.
Automated testing contributions welcome, Puppet's documentation on doing tests with custom functions is a bit lacking and the default Puppet module creation stuff doesn't setup any useful tests other than ensuring it's valid Ruby.

Just remember that:

It is important not to break the existing parameter options and output of existing functions due to impact it could have on systems, please keep this in mind when filing PRs.
The use of third party Gems must have a graceful fall-back if they are not available on the user's environment. Puppet won't automatically install dependencies for them sadly.

Debugging

Remember that custom Puppet functions execute on the master/server, not the local server. This means that:

If the master is behind a restrictive network it may be unable to access the different RIR servers to download the latest data.
Errors and debug log messages might only appear on the master.

If Puppet is run with --debug it exposes additional debug messages from the RIR functions, useful if debugging timeout issues, etc.

Debug: Scope(Class[main]): RIR: Processing data for RIR apnic
Debug: Scope(Class[main]): RIR: Downloading latest data... http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
Debug: Scope(Class[main]): RIR: Performing a merge of the returned ranges per-country
Debug: Scope(Class[main]): RIR: Writing to cache file at /tmp/.puppet_rir_allocations_apnic.yaml
Debug: Scope(Class[main]): RIR: RIR data processed, returning results
Debug: Scope(Class[main]): RIR: Processing data for RIR apnic
Debug: Scope(Class[main]): RIR: Loading RIR data from cachefile /tmp/.puppet_rir_allocations_apnic.yaml...
Debug: Scope(Class[main]): RIR: RIR data processed, returning results

License

This module is licensed under the Apache License, Version 2.0 (the "License"). See the LICENSE or http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "{}"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright {yyyy} {name of copyright owner}

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started