hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
bytecode: '-m bpf --bytecode',
zone: '--zone',
+ helper: '--helper',
}
# These are known booleans that do not take a value, but we want to munge
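Review bot: The new `helper: '--helper'` entry uses a bare flag that iptables also uses for the `helper` match (`-m helper --helper ftp`), so the string does not identify the CT target option on its own. The rule parser is not visible in this hunk, but if it keys on the flag text alone, an existing rule that uses the match could be read back as this property and then fail the type's `jump => CT` check or show a false diff. Neighbouring entries such as `'-m bpf --bytecode'` carry their module prefix for this reason; since a target option has none, a comment on the entry such as `# CT target option; the helper match's --helper is not supported` and a parsing spec with a `-m helper` rule would document the limit. The same applies to the identical entry added to the second provider's map.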
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :name]
end
bytecode: '-m bpf --bytecode',
ipvs: '-m ipvs --ipvs',
zone: '--zone',
+ helper: '--helper',
}
# These are known booleans that do not take a value, but we want to munge
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :name
]
def insert
PUPPETCODE
end
+ newproperty(:helper, required_features: :ct_target) do
+ desc <<-PUPPETCODE
+ Invoke the nf_conntrack_xxx helper module for this packet.
+ PUPPETCODE
+ end
+
autorequire(:firewallchain) do
reqs = []
protocol = nil
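Review bot: `newproperty(:helper)` accepts any value and its `desc` does not say what is expected, so a typo or an empty string only surfaces when iptables rejects the rule at apply time. A value constraint such as `newvalues(%r{^[a-zA-Z0-9.\-_]+$})` would fail at catalog validation instead; that pattern is a starting point and should be checked against the helper names in use. The description could state that the value is the conntrack helper name, e.g. `helper => 'ftp'`. Since a conntrack helper parses packet payload and opens expected connections, it is also worth a sentence in the `desc` advising that the rule be narrowed with `proto` and `dport` rather than applied to all traffic in the raw table.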
end
end
+ if value(:helper)
+ unless value(:jump).to_s == 'CT'
+ raise 'Parameter helper requires jump => CT'
+ end
+ end
+
if value(:jump).to_s == 'CT'
unless value(:table).to_s =~ %r{raw}
raise 'Parameter jump => CT only applies to table => raw'