* `chain`: Name of the chain to use. You can provide a user-based chain or use one of the following built-in chains:'INPUT','FORWARD','OUTPUT','PREROUTING', or 'POSTROUTING'. The default value is 'INPUT'. Values must match '/^[a-zA-Z0-9\-_]+$/'. Requires the `iptables` feature.
+ * `checksum_fill`: When using a `jump` value of 'CHECKSUM' this boolean will make sure that a checksum is calculated and filled in a packet that lacks a checksum. Valid values are true or false. Requires the `iptables` feature.
+
* `connlimit_above`: Connection limiting value for matched connections above n. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
* `connlimit_mask`: Connection limiting by subnet mask for matched connections. Apply a subnet mask of /0 to /32 for IPv4, and a subnet mask of /0 to /128 for IPv6. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
@resource_map = {
:burst => "--limit-burst",
+ :checksum_fill => "--checksum-fill",
:connlimit_above => "-m connlimit --connlimit-above",
:connlimit_mask => "--connlimit-mask",
:connmark => "-m connmark --mark",
# These are known booleans that do not take a value, but we want to munge
# to true if they exist.
@known_booleans = [
+ :checksum_fill,
:ishasmorefrags,
:islastfrag,
:isfirstfrag,
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark,
- :connlimit_above, :connlimit_mask, :connmark]
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject,
+ :set_mark, :connlimit_above, :connlimit_mask, :connmark]
end
@resource_map = {
:burst => "--limit-burst",
+ :checksum_fill => "--checksum-fill",
:connlimit_above => "-m connlimit --connlimit-above",
:connlimit_mask => "--connlimit-mask",
:connmark => "-m connmark --mark",
# These are known booleans that do not take a value, but we want to munge
# to true if they exist.
@known_booleans = [
+ :checksum_fill,
:isfragment,
:random,
:rdest,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :to, :random, :log_prefix, :log_level, :reject, :set_mark,
+ :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark,
:connlimit_above, :connlimit_mask, :connmark
]
EOS
end
+ newproperty(:checksum_fill, :required_features => :iptables) do
+ desc <<-EOS
+ Compute and fill missing packet checksums.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.
self.fail "Parameter 'stat_probability' requires 'stat_mode' to be set to 'random'"
end
+ if value(:checksum_fill)
+ unless value(:jump).to_s == "CHECKSUM" && value(:table).to_s == "mangle"
+ self.fail "Parameter checksum_fill requires jump => CHECKSUM and table => mangle"
+ end
+ end
+
end
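Review bot: The guard `if value(:checksum_fill)` that opens the added validation also fires for an explicit `checksum_fill => false`, because `newvalues(:true, :false)` stores the symbol `:false`, which is truthy in Ruby; a rule that sets the property to false on a different table or target would then be rejected with the "requires jump => CHECKSUM and table => mangle" message. Match the `.to_s` comparison style the hunk already uses for jump and table: `if value(:checksum_fill).to_s == "true"`. The `desc` of the new property would also benefit from stating the dependency the validation enforces, e.g. `Compute and fill missing packet checksums. Only valid with jump => CHECKSUM in the mangle table.`. The validate block these lines sit in starts outside the hunk.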
end
end
end
+ describe 'checksum_fill' do
+ context 'virbr' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '576 - test':
+ proto => udp,
+ table => 'mangle',
+ outiface => 'virbr0',
+ chain => 'POSTROUTING',
+ dport => '68',
+ jump => 'CHECKSUM',
+ checksum_fill => true,
+ provider => iptables,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - test" -j CHECKSUM --checksum-fill/)
+ end
+ end
+ end
+ end
+
+ describe 'checksum_fill6' do
+ context 'virbr' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '576 - test':
+ proto => udp,
+ table => 'mangle',
+ outiface => 'virbr0',
+ chain => 'POSTROUTING',
+ dport => '68',
+ jump => 'CHECKSUM',
+ checksum_fill => true,
+ provider => ip6tables,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - test" -j CHECKSUM --checksum-fill/)
+ end
+ end
+ end
+ end
+
# RHEL5 does not support --random
if default['platform'] !~ /el-5/
describe 'random' do
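Review bot: Neither acceptance block exercises the validation the same commit adds to the type: there is no case applying `checksum_fill => true` without `jump => 'CHECKSUM'` (expected to fail) and no case applying `checksum_fill => false` on an ordinary rule (expected to succeed), so a regression in either branch would pass this suite. The two `describe` blocks differ only in the provider and the `iptables-save`/`ip6tables-save` command, so a `%w[iptables ip6tables].each` loop would keep them from drifting apart. If ip6tables is not present on every platform in the matrix, the `checksum_fill6` block may need the same platform gating the `random` tests below use. A negative case for the iptables provider could look like the following.
```ruby
    # constructed example: checksum_fill without the CHECKSUM target must be rejected by the type
    it 'rejects checksum_fill without jump => CHECKSUM' do
      pp = <<-EOS
        class { '::firewall': }
        firewall { '577 - test':
          proto         => udp,
          table         => 'mangle',
          chain         => 'POSTROUTING',
          dport         => '68',
          checksum_fill => true,
          provider      => iptables,
        }
      EOS
      apply_manifest(pp, :expect_failures => true)
    end
```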