has_feature :string_matching
has_feature :queue_num
has_feature :queue_bypass
+ has_feature :ipvs
optional_commands(iptables: 'iptables',
iptables_save: 'iptables-save')
hashlimit_htable_expire: '--hashlimit-htable-expire',
hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
bytecode: '-m bpf --bytecode',
+ ipvs: '-m ipvs --ipvs',
}
# These are known booleans that do not take a value, but we want to munge
:kernel_timezone,
:clusterip_new,
:queue_bypass,
+ :ipvs,
]
# Properties that use "-m <ipt module name>" (with the potential to have multiple
feature :queue_bypass, 'If nothing is listening on queue_num, allow packets to bypass the queue'
feature :hashlimit, 'Hashlimit features'
feature :bpf, 'Berkeley Paket Filter feature'
+ feature :ipvs, 'Packet belongs to an IP Virtual Server connection'
# provider specific features
feature :iptables, 'The provider provides iptables features.'
PUPPETCODE
end
+ newproperty(:ipvs, required_features: :ipvs) do
+ desc <<-PUPPETCODE
+ Indicates that the current packet belongs to an IPVS connection.
+ PUPPETCODE
+ end
+
autorequire(:firewallchain) do
reqs = []
protocol = nil
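Review bot: The new property at `newproperty(:ipvs, required_features: :ipvs)` declares no allowed values, even though the provider hunk adds `:ipvs` to the list of known booleans that take no argument. Adding `newvalues(:true, :false)` after the `desc` heredoc would reject any other value at validation time instead of leaving it to provider munging, which is not visible in this diff. A mistyped value on a match condition is worth failing loudly, because a rule rendered without the intended match is broader than the author meant. The description could also say that `true` emits `-m ipvs --ipvs`, so readers know the rule then matches only packets belonging to an IPVS connection.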
log_level => '3',
log_prefix => 'IPTABLES dropped invalid: ',
}
-
firewall { '501 - connlimit':
proto => tcp,
dport => '2222',
chain => 'OUTPUT',
table => 'mangle',
}
+ firewall { '1002 - set ipvs':
+ proto => 'tcp',
+ dport => '4321',
+ chain => 'OUTPUT',
+ }
PUPPETCODE
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: do_catch_changes)
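Review bot: The added `firewall { '1002 - set ipvs': ... }` resource never sets `ipvs`, so the manifest applies a plain tcp/4321 OUTPUT rule and the new `-m ipvs --ipvs` mapping is not exercised. Add `ipvs => true,` to that resource. The assertions that follow are outside this hunk; if they do not already do so, they should check the saved rules for `-m ipvs --ipvs` on this rule. As written, a regression that drops the match and leaves the broader rule in place would still pass both `apply_manifest` calls.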