has_feature :pkttype
has_feature :isfragment
has_feature :socket
+ has_feature :address_type
optional_commands({
:iptables => 'iptables',
@resource_map = {
:burst => "--limit-burst",
:destination => "-d",
+ :destination_type => "-m addrtype --dst-type",
:dport => ["-m multiport --dports", "-m (udp|tcp) --dport"],
:gid => "-m owner --gid-owner",
:icmp => "-m icmp --icmp-type",
:set_mark => mark_flag,
:socket => "-m socket",
:source => "-s",
+ :source_type => "-m addrtype --src-type",
:sport => ["-m multiport --sports", "-m (udp|tcp) --sport"],
:state => "-m state --state",
:table => "-t",
# changes between puppet runs, the changed rules will be re-applied again.
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :isfragment, :tcp_flags, :gid, :uid, :sport, :dport, :port, :socket, :pkttype, :name, :state, :icmp, :limit, :burst,
- :jump, :todest, :tosource, :toports, :log_prefix, :log_level, :reject, :set_mark]
+ :proto, :isfragment, :tcp_flags, :gid, :uid, :sport, :dport, :port,
+ :destination_type, :source_type, :socket, :pkttype, :name, :state, :icmp,
+ :limit, :burst, :jump, :todest, :tosource, :toports, :log_prefix,
+ :log_level, :reject, :set_mark]
def insert
debug 'Inserting rule %s' % resource[:name]
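Review bot: The slot chosen for `:destination_type` and `:source_type` in `@resource_list` (after `:port`, before `:socket` and `:pkttype`) is not verified by anything in this change: the new parse fixtures `destination_type_1` and `source_type_1` contain only the addrtype match, so nothing checks where iptables-save prints `-m addrtype` relative to the neighbouring matches. The comment above the list says a wrong order makes a rule look changed and get re-applied on every run, so a fixture line that combines addrtype with at least one adjacent match (a `--dports` or `-m socket` rule, say) would pin the position. If the order was read off the iptables source, a short comment on the new line saying so would help the next person who adds a match here.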
feature :pkttype, "Match a packet type"
feature :socket, "Match open sockets"
feature :isfragment, "Match fragments"
+ feature :address_type, "The ability match on source or destination address type"
# provider specific features
feature :iptables, "The provider provides iptables features."
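Review bot: The description added at `feature :address_type` reads `The ability match on source or destination address type`, which is missing a word. The sibling features just above use the imperative form (`Match a packet type`, `Match open sockets`), so `feature :address_type, "Match on source or destination address type"` would both read correctly and stay consistent with them.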
end
end
+ newproperty(:destination_type, :required_features => :address_type) do
+ desc <<-EOS
+ The destination address type. For example:
+
+ destination_type => 'LOCAL'
+
+ Can be one of:
+
+ * UNSPEC - an unspecified address
+ * UNICAST - a unicast address
+ * LOCAL - a local address
+ * BROADCAST - a broadcast address
+ * ANYCAST - an anycast packet
+ * MULTICAST - a multicast address
+ * BLACKHOLE - a blackhole address
+ * UNREACHABLE - an unreachable address
+ * PROHIBIT - a prohibited address
+ * THROW - undocumented
+ * NAT - undocumented
+ * XRESOLVE - undocumented
+ EOS
+
+ newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+ end
+
+ newproperty(:source_type, :required_features => :address_type) do
+ desc <<-EOS
+ The source address type. For example:
+
+ source_type => 'LOCAL'
+
+ Can be one of:
+
+ * UNSPEC - an unspecified address
+ * UNICAST - a unicast address
+ * LOCAL - a local address
+ * BROADCAST - a broadcast address
+ * ANYCAST - an anycast packet
+ * MULTICAST - a multicast address
+ * BLACKHOLE - a blackhole address
+ * UNREACHABLE - an unreachable address
+ * PROHIBIT - a prohibited address
+ * THROW - undocumented
+ * NAT - undocumented
+ * XRESOLVE - undocumented
+ EOS
+
+ newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+ end
+
newproperty(:proto) do
desc <<-EOS
The specific protocol to match for this rule. By default this is
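Review bot: The twelve address types are spelled out four times across the two new properties (two `newvalues` calls and two heredocs) with no shared source of truth, so a later addition to one property can silently drift from the other. A module-level constant, e.g. `ADDRESS_TYPES = [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].freeze`, used as `newvalues(*ADDRESS_TYPES)` in both `destination_type` and `source_type`, keeps them in step. That list is worth keeping authoritative: the `newvalues` whitelist is what guarantees only one of these fixed tokens reaches the iptables command line for `--dst-type`/`--src-type`, since the provider maps the property value straight onto the flag.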
:sport => ["15","512-1024"],
},
},
+ 'destination_type_1' => {
+ :line => '-A INPUT -m addrtype --dst-type LOCAL',
+ :table => 'filter',
+ :params => {
+ :destination_type => 'LOCAL',
+ },
+ },
+ 'source_type_1' => {
+ :line => '-A INPUT -m addrtype --src-type LOCAL',
+ :table => 'filter',
+ :params => {
+ :source_type => 'LOCAL',
+ },
+ },
'tcp_flags_1' => {
:line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
:table => 'filter',
},
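Review bot: Neither new parse fixture sets `source_type` and `destination_type` on the same rule, yet the provider maps each property to its own `-m addrtype ...` flag, so a rule carrying both is the case most likely to differ between what the provider writes and how iptables-save prints it (a single `-m addrtype` carrying both options, or two module loads). A fixture such as `:line => '-A INPUT -m addrtype --src-type LOCAL --dst-type LOCAL'` with both params, paired with a matching entry in the args fixtures, would pin the round-trip; this matters because a rule that never matches its own saved form is rewritten on every Puppet run, as the provider's comment above `@resource_list` warns.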
:args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "15,512:1024", "-m", "comment", "--comment", "100 sport range"],
},
+ 'destination_type_1' => {
+ :params => {
+ :name => '000 destination_type',
+ :table => 'filter',
+ :destination_type => 'LOCAL',
+ },
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'addrtype', '--dst-type', :LOCAL, '-m', 'comment', '--comment', '000 destination_type'],
+ },
+ 'source_type_1' => {
+ :params => {
+ :name => '000 source_type',
+ :table => 'filter',
+ :source_type => 'LOCAL',
+ },
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'addrtype', '--src-type', :LOCAL, '-m', 'comment', '--comment', '000 source_type'],
+ },
'tcp_flags_1' => {
:params => {
:name => "000 initiation",
end
end
+ [:destination_type, :source_type].each do |addrtype|
+ describe addrtype do
+ it "should have no default" do
+ res = @class.new(:name => "000 test")
+ res.parameters[addrtype].should == nil
+ end
+ end
+
+ [:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST, :BLACKHOLE,
+ :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].each do |type|
+ it "should accept #{addrtype} value #{type}" do
+ @resource[addrtype] = type
+ @resource[addrtype].should == type
+ end
+ end
+
+ it "should fail when #{addrtype} value is not recognized" do
+ lambda { @resource[addrtype] = 'foo' }.should raise_error(Puppet::Error)
+ end
+ end
+
[:iniface, :outiface].each do |iface|
describe iface do
it "should accept #{iface} value as a string" do
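Review bot: `res.parameters[addrtype].should == nil` in the `should have no default` example is the only comparison in this block written with `==` rather than a matcher; `res.parameters[addrtype].should be_nil` gives a clearer failure message and matches the surrounding RSpec style. The rejection example only tries `'foo'`; since the accepted values are upper-case symbols and the args fixtures expect `:LOCAL` on the command line for a `'LOCAL'` param, an example feeding a lower-case form of a valid name such as `'local'` would pin whether case is normalised or rejected, which is currently left unspecified. The `[:iniface, :outiface]` block that begins in the hunk's trailing context continues past the end of the hunk.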