(\s--tunnel-src\s\S+)?
(\s--next)?}x,
'--pol "ipsec\1\2\3\4\5\6\7\8" ')
+
+ # rpfilter also takes multiple parameters; use quote trick again
+ rpfilter_opts = values.scan(%r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+})
+ if rpfilter_opts && rpfilter_opts.length == 1 && rpfilter_opts[0]
+ rpfilter_opts = rpfilter_opts[0][1..-1].reject { |x| x.nil? }
+ values = values.sub(
+ %r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+},
+ "-m rpfilter \"#{rpfilter_opts.join(' ')}\"",
+ )
+ end
+
# on some iptables versions, --connlimit-saddr switch is added after the rule is applied
values = values.gsub(%r{--connlimit-saddr}, '')
hash[prop] = hash[prop].split(';') unless hash[prop].nil?
end
+ hash[:rpfilter] = hash[:rpfilter].split(' ') unless hash[:rpfilter].nil?
+
## clean up DSCP class to HEX mappings
valid_dscp_classes = {
'0x0a' => 'af11',
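Review bot: The rpfilter pattern on the added `rpfilter_opts = values.scan(...)` line is written out a second time, verbatim, in the `values.sub(` call a few lines below it, and the guard `rpfilter_opts && rpfilter_opts.length == 1 && rpfilter_opts[0]` is mostly redundant, since `String#scan` always returns an Array and `rpfilter_opts[0]` is itself an Array (never nil or false) once the length is 1. Hoisting the pattern into one local, testing only the length, and using `compact` instead of `reject { |x| x.nil? }` keeps the two copies from drifting apart when another flag is added. Because each flag has its own capture group, the rewritten value always lists the flags as loose, validmark, accept-local, invert regardless of their order in the rule; a comment saying so would save the next reader a check. The enclosing method starts before this hunk.
```ruby
  # rpfilter also takes multiple parameters; use quote trick again.
  # Each flag has its own capture group, so the rewritten value always
  # lists them as loose, validmark, accept-local, invert regardless of
  # the order in the rule.
  rpfilter_re = %r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+}
  rpfilter_opts = values.scan(rpfilter_re)
  if rpfilter_opts.length == 1
    rpfilter_opts = rpfilter_opts[0][1..-1].compact
    values = values.sub(rpfilter_re, "-m rpfilter \"#{rpfilter_opts.join(' ')}\"")
  end
  # … unchanged: connlimit-saddr cleanup and hash[prop] split …
```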
one, two = resource_value.split(' ')
args << one
args << two
+ elsif res == :rpfilter
+ args << resource_value
elsif resource_value.is_a?(Array)
args << resource_value.join(',')
elsif !resource_value.nil?
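Review bot: The new `elsif res == :rpfilter` branch pushes `resource_value` onto `args` as a whole Array, deliberately stepping in front of the `resource_value.join(',')` branch that handles every other Array property, but nothing says why, and a reader could easily "normalise" it into the comma-joined form. I would put a comment above it: `# rpfilter flags (--loose, --validmark, ...) are separate iptables arguments, not a comma-separated list like other array properties`. Whether the nested Array is flattened before the command is executed happens outside this hunk and should be confirmed; if it is not, the flags would be passed as a single argv element. The enclosing method starts and ends outside the hunk.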
newvalues(:true, :false)
end
- newproperty(:rpfilter, required_features: :rpfilter) do
+ newproperty(:rpfilter, required_features: :rpfilter, array_matching: :all) do
desc <<-PUPPETCODE
Enable the rpfilter module.
PUPPETCODE
munge do |value|
_value = '--' + value
end
+
+ def insync?(is)
+ is.to_set == should.to_set
+ end
end
newproperty(:socket, required_features: :socket) do
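Review bot: The added `insync?(is)` calls `to_set` on both `is` and `should`, but `Set` is only autoloaded from Ruby 3.2 onwards and the hunk adds no `require 'set'`; unless the type file already requires it above this hunk, the comparison raises NameError the first time a rule with rpfilter is evaluated on an older Ruby. The retrieved value `is` for an existing rule without `-m rpfilter` is also not necessarily an Array — Puppet commonly reports nil or `:absent` there, neither of which responds to `to_set`. I would add `require 'set'` at the top of the file and guard the comparison with `return false unless is.is_a?(Array)` before `is.to_set == should.to_set`, plus a one-line comment such as `# order-insensitive: iptables prints the flags in its own fixed order` to record why Set equality is used instead of Array equality. The `newproperty(:rpfilter ...)` block is fully within the hunk.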
physdev_is_bridged => true,
}
firewall { '900 - set rpfilter':
+ table => 'raw',
+ chain => 'PREROUTING',
+ action => 'accept',
+ rpfilter => [ 'invert', 'validmark', 'loose', 'accept-local' ],
+ }
+ firewall { '901 - set rpfilter':
table => 'raw',
chain => 'PREROUTING',
action => 'accept',
it 'toports is set' do
expect(result.stdout).to match(%r{-A PREROUTING -p icmp -m comment --comment "574 - toports" -j REDIRECT --to-ports 2222})
end
+ it 'rpfilter is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -p tcp -m rpfilter --loose --validmark --accept-local --invert -m comment --comment "900 - set rpfilter" -j ACCEPT})
+ end
+ it 'single rpfilter is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -p tcp -m rpfilter --invert -m comment --comment "901 - set rpfilter" -j ACCEPT})
+ end
it 'limit is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
end
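Review bot: The expected string in the new `'rpfilter is set'` example lists the flags as `--loose --validmark --accept-local --invert`, while the manifest earlier in this diff declares them as `invert, validmark, loose, accept-local`, so the assertion encodes iptables' own output order rather than the manifest order and nothing says so. A comment above the `expect`, such as `# iptables-save prints rpfilter flags in its own fixed order, independent of the manifest order`, would keep someone from "fixing" the expectation to match the manifest and then chasing a spurious failure. Both new examples also match `-p tcp` although the manifest sets no proto; if that relies on the type's default protocol, it is worth a word in the same comment.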