}->
firewall { '002 accept related established rules':
proto => 'all',
- state => ['RELATED', 'ESTABLISHED'],
+ ctstate => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
}
@resource_map = {
:burst => "--limit-burst",
+ :ctstate => "-m conntrack --ctstate",
:destination => "-d",
:dport => "-m multiport --dports",
:gid => "-m owner --gid-owner",
# not provided with current parser [georg.koester])
@resource_list = [:table, :source, :destination, :iniface, :outiface,
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport,
- :port, :pkttype, :name, :state, :icmp, :hop_limit, :limit, :burst, :jump,
- :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
+ :port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
+ :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
# These are known booleans that do not take a value, but we want to munge
# to true if they exist.
@resource_map = {
:burst => "--limit-burst",
+ :ctstate => "-m conntrack --ctstate",
:destination => "-d",
:dst_type => "-m addrtype --dst-type",
:dst_range => "-m iprange --dst-range",
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :src_range, :destination, :dst_range, :iniface, :outiface,
:proto, :isfragment, :tcp_flags, :gid, :uid, :sport, :dport, :port,
- :dst_type, :src_type, :socket, :pkttype, :name, :state, :icmp,
+ :dst_type, :src_type, :socket, :pkttype, :name, :state, :ctstate, :icmp,
:limit, :burst, :jump, :todest, :tosource, :toports, :log_prefix,
:log_level, :reject, :set_mark]
hash[prop] = Puppet::Util::IPCidr.new(hash[prop]).cidr unless hash[prop].nil?
end
- [:dport, :sport, :port, :state].each do |prop|
+ [:dport, :sport, :port, :state, :ctstate].each do |prop|
hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
end
# States should always be sorted. This ensures that the output from
# iptables-save and user supplied resources is consistent.
- hash[:state] = hash[:state].sort unless hash[:state].nil?
+ hash[:state] = hash[:state].sort unless hash[:state].nil?
+ hash[:ctstate] = hash[:ctstate].sort unless hash[:ctstate].nil?
# This forces all existing, commentless rules or rules with invalid comments to be moved
# to the bottom of the stack.
end
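Review bot: The two sort lines added at the end of the hunk repeat the same statement for `:state` and `:ctstate`, while the split loop just above already lists both keys; giving the sort the same shape, `[:state, :ctstate].each { |prop| hash[prop] = hash[prop].sort unless hash[prop].nil? }`, keeps the two properties from drifting apart when another state-like key is added. This is a point of style only; behaviour is unchanged. The enclosing method starts before the hunk.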
end
+ newproperty(:ctstate, :array_matching => :all, :required_features =>
+ :state_match) do
+
+ desc <<-EOS
+ Matches a packet based on its state in the firewall stateful inspection
+ table, using the conntrack module. Values can be:
+
+ * INVALID
+ * ESTABLISHED
+ * NEW
+ * RELATED
+ EOS
+
+ newvalues(:INVALID,:ESTABLISHED,:NEW,:RELATED)
+
+ # States should always be sorted. This normalizes the resource states to
+ # keep it consistent with the sorted result from iptables-save.
+ def should=(values)
+ @should = super(values).sort_by {|sym| sym.to_s}
+ end
+
+ def is_to_s(value)
+ should_to_s(value)
+ end
+
+ def should_to_s(value)
+ value = [value] unless value.is_a?(Array)
+ value.join(',')
+ end
+ end
+
+
# Hop limiting properties
newproperty(:hop_limit, :required_features => :hop_limiting) do
desc <<-EOS
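Review bot: `newvalues(:INVALID,:ESTABLISHED,:NEW,:RELATED)` restricts the property to four values, but the property emits `-m conntrack --ctstate`, and the conntrack match also accepts UNTRACKED, SNAT and DNAT; if the provider reads an existing rule written with one of those back into this property, validation would reject it, so either widen `newvalues` or state the restriction in the `desc`. The property also reuses `:required_features => :state_match` while depending on the conntrack module; if any provider advertises state matching without conntrack, the property would be offered where it cannot work, so a feature of its own, or at least a comment saying that `state_match` is taken to imply conntrack, would make the assumption visible. Minor style: `sort_by {|sym| sym.to_s}` can be `sort_by(&:to_s)`, and the `newvalues` list lacks spaces after the commas.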
:action => nil,
},
},
+ 'ctstate_returns_sorted_values' => {
+ :line => '-A INPUT -m conntrack --ctstate INVALID,RELATED,ESTABLISHED',
+ :table => 'filter',
+ :params => {
+ :ctstate => ['ESTABLISHED', 'INVALID', 'RELATED'],
+ :action => nil,
+ },
+ },
'comment_string_character_validation' => {
:line => '-A INPUT -s 192.168.0.1/32 -m comment --comment "000 allow from 192.168.0.1, please"',
:table => 'filter',
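Review bot: The new `ctstate_returns_sorted_values` fixture checks `--ctstate` on its own, and the `ctstates_set_from_array` hunk that follows does the same in the other direction, but nothing exercises a rule carrying both `-m state --state` and `-m conntrack --ctstate`, which the provider now has to split and sort independently; a fixture with both matchers in one line would pin that the two keys land in separate entries of the parsed hash. The sorted `:params` here are also the only place the provider-side ordering of ctstate values is asserted, which is worth a short comment on the fixture so the expectation is not "fixed" to match the raw line order.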
:args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 states_set_from_array",
"-m", "state", "--state", "ESTABLISHED,INVALID"],
},
+ 'ctstates_set_from_array' => {
+ :params => {
+ :name => "100 ctstates_set_from_array",
+ :table => "filter",
+ :ctstate => ['ESTABLISHED', 'INVALID']
+ },
+ :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 ctstates_set_from_array",
+ "-m", "conntrack", "--ctstate", "ESTABLISHED,INVALID"],
+ },
'comment_string_character_validation' => {
:params => {
:name => "000 allow from 192.168.0.1, please",
'name' => '004 log all INVALID packets',
'chain' => 'INPUT',
'proto' => 'all',
- 'state' => 'INVALID',
+ 'ctstate' => 'INVALID',
'jump' => 'LOG',
'log_level' => '3',
'log_prefix' => '"IPTABLES dropped invalid: "',
'name' => '003 log all INVALID packets',
'chain' => 'INPUT',
'proto' => 'all',
- 'state' => 'INVALID',
+ 'ctstate' => 'INVALID',
'jump' => 'LOG',
'log_level' => '3',
'log_prefix' => '"IPTABLES dropped invalid: "',
'name' => '004 log all INVALID packets',
'chain' => 'INPUT',
'proto' => 'all',
- 'state' => 'INVALID',
+ 'ctstate' => 'INVALID',
'jump' => 'LOG',
'log_level' => '3',
'log_prefix' => '"IPTABLES dropped invalid: "',
}->
firewall { '002 accept related established rules':
proto => 'all',
- state => ['RELATED', 'ESTABLISHED'],
+ ctstate => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
}
end
end
+ describe ':ctstate' do
+ it 'should accept value as a string' do
+ @resource[:ctstate] = :INVALID
+ @resource[:ctstate].should == [:INVALID]
+ end
+
+ it 'should accept value as an array' do
+ @resource[:ctstate] = [:INVALID, :NEW]
+ @resource[:ctstate].should == [:INVALID, :NEW]
+ end
+
+ it 'should sort values alphabetically' do
+ @resource[:ctstate] = [:NEW, :ESTABLISHED]
+ @resource[:ctstate].should == [:ESTABLISHED, :NEW]
+ end
+ end
+
describe ':burst' do
it 'should accept numeric values' do
@resource[:burst] = 12
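Review bot: The new `:ctstate` examples cover string input, array input and sorting, but none asserts that a value outside `newvalues` is rejected, so a change that loosens validation would pass unnoticed; add `it 'should reject invalid values' do lambda { @resource[:ctstate] = :FOO }.should raise_error(Puppet::Error) end` next to them. The `describe ':burst'` block that follows begins in the hunk's trailing context and continues past it.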