* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
**Autorequires:**
* `address_type`: The ability to match on source or destination address type.
+* `clusterip`: Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them.
+
* `connection_limiting`: Connection limiting features.
* `dnat`: Destination NATing.
* `burst`: Rate limiting burst value (per second) before limit checks apply. Values must match '/^\d+$/'. Requires the `rate_limiting` feature.
+* `clusterip_new`: Create a new ClusterIP. You always have to set this on the first rule for a given ClusterIP. Requires the `clusterip` feature.
+
+* `clusterip_hashmode`: Specify the hashing mode. Valid values are sourceip, sourceip-sourceport, sourceip-sourceport-destport. Requires the `clusterip` feature.
+
+* `clusterip_clustermac`: Specify the ClusterIP MAC address. Has to be a link-layer multicast address. Requires the `clusterip` feature.
+
+* `clusterip_total_nodes`: Number of total nodes within this cluster. Requires the `clusterip` feature.
+
+* `clusterip_local_node`: Local node number within this cluster. Requires the `clusterip` feature.
+
+* `clusterip_hash_init`: Specify the random seed used for hash initialization. Requires the `clusterip` feature.
+
* `chain`: Name of the chain to use. You can provide a user-based chain or use one of the following built-in chains:'INPUT','FORWARD','OUTPUT','PREROUTING', or 'POSTROUTING'. The default value is 'INPUT'. Values must match '/^[a-zA-Z0-9\-_]+$/'. Requires the `iptables` feature.
* `checksum_fill`: When using a `jump` value of 'CHECKSUM', this boolean makes sure that a checksum is calculated and filled in a packet that lacks a checksum. Valid values are 'true' or 'false'. Requires the `iptables` feature.
has_feature :ipsec_policy
has_feature :mask
has_feature :ipset
+ has_feature :clusterip
optional_commands({
:iptables => 'iptables',
@protocol = "IPv4"
@resource_map = {
- :burst => "--limit-burst",
- :checksum_fill => "--checksum-fill",
- :clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
- :connlimit_above => "-m connlimit --connlimit-above",
- :connlimit_mask => "--connlimit-mask",
- :connmark => "-m connmark --mark",
- :ctstate => "-m conntrack --ctstate",
- :destination => "-d",
- :dport => ["-m multiport --dports", "--dport"],
- :dst_range => "--dst-range",
- :dst_type => "--dst-type",
- :gateway => "--gateway",
- :gid => "--gid-owner",
- :icmp => "-m icmp --icmp-type",
- :iniface => "-i",
- :ipsec_dir => "-m policy --dir",
- :ipsec_policy => "--pol",
- :ipset => "-m set --match-set",
- :isfragment => "-f",
- :jump => "-j",
- :limit => "-m limit --limit",
- :log_level => "--log-level",
- :log_prefix => "--log-prefix",
- :mac_source => ["-m mac --mac-source", "--mac-source"],
- :mask => '--mask',
- :match_mark => "-m mark --mark",
- :mss => '-m tcpmss --mss',
- :name => "-m comment --comment",
- :outiface => "-o",
- :pkttype => "-m pkttype --pkt-type",
- :port => '-m multiport --ports',
- :proto => "-p",
- :random => "--random",
- :rdest => "--rdest",
- :reap => "--reap",
- :recent => "-m recent",
- :reject => "--reject-with",
- :rhitcount => "--hitcount",
- :rname => "--name",
- :rseconds => "--seconds",
- :rsource => "--rsource",
- :rttl => "--rttl",
- :set_mark => mark_flag,
- :set_mss => '--set-mss',
- :socket => "-m socket",
- :source => "-s",
- :sport => ["-m multiport --sports", "--sport"],
- :src_range => "--src-range",
- :src_type => "--src-type",
- :stat_every => '--every',
- :stat_mode => "-m statistic --mode",
- :stat_packet => '--packet',
- :stat_probability => '--probability',
- :state => "-m state --state",
- :table => "-t",
- :tcp_flags => "-m tcp --tcp-flags",
- :todest => "--to-destination",
- :toports => "--to-ports",
- :tosource => "--to-source",
- :to => "--to",
- :uid => "--uid-owner",
- :physdev_in => "--physdev-in",
- :physdev_out => "--physdev-out",
- :physdev_is_bridged => "--physdev-is-bridged",
- :date_start => "--datestart",
- :date_stop => "--datestop",
- :time_start => "--timestart",
- :time_stop => "--timestop",
- :month_days => "--monthdays",
- :week_days => "--weekdays",
- :time_contiguous => "--contiguous",
- :kernel_timezone => "--kerneltz",
+ :burst => "--limit-burst",
+ :checksum_fill => "--checksum-fill",
+ :clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
+ :connlimit_above => "-m connlimit --connlimit-above",
+ :connlimit_mask => "--connlimit-mask",
+ :connmark => "-m connmark --mark",
+ :ctstate => "-m conntrack --ctstate",
+ :destination => "-d",
+ :dport => ["-m multiport --dports", "--dport"],
+ :dst_range => "--dst-range",
+ :dst_type => "--dst-type",
+ :gateway => "--gateway",
+ :gid => "--gid-owner",
+ :icmp => "-m icmp --icmp-type",
+ :iniface => "-i",
+ :ipsec_dir => "-m policy --dir",
+ :ipsec_policy => "--pol",
+ :ipset => "-m set --match-set",
+ :isfragment => "-f",
+ :jump => "-j",
+ :limit => "-m limit --limit",
+ :log_level => "--log-level",
+ :log_prefix => "--log-prefix",
+ :mac_source => ["-m mac --mac-source", "--mac-source"],
+ :mask => '--mask',
+ :match_mark => "-m mark --mark",
+ :mss => '-m tcpmss --mss',
+ :name => "-m comment --comment",
+ :outiface => "-o",
+ :pkttype => "-m pkttype --pkt-type",
+ :port => '-m multiport --ports',
+ :proto => "-p",
+ :random => "--random",
+ :rdest => "--rdest",
+ :reap => "--reap",
+ :recent => "-m recent",
+ :reject => "--reject-with",
+ :rhitcount => "--hitcount",
+ :rname => "--name",
+ :rseconds => "--seconds",
+ :rsource => "--rsource",
+ :rttl => "--rttl",
+ :set_mark => mark_flag,
+ :set_mss => '--set-mss',
+ :socket => "-m socket",
+ :source => "-s",
+ :sport => ["-m multiport --sports", "--sport"],
+ :src_range => "--src-range",
+ :src_type => "--src-type",
+ :stat_every => '--every',
+ :stat_mode => "-m statistic --mode",
+ :stat_packet => '--packet',
+ :stat_probability => '--probability',
+ :state => "-m state --state",
+ :table => "-t",
+ :tcp_flags => "-m tcp --tcp-flags",
+ :todest => "--to-destination",
+ :toports => "--to-ports",
+ :tosource => "--to-source",
+ :to => "--to",
+ :uid => "--uid-owner",
+ :physdev_in => "--physdev-in",
+ :physdev_out => "--physdev-out",
+ :physdev_is_bridged => "--physdev-is-bridged",
+ :date_start => "--datestart",
+ :date_stop => "--datestop",
+ :time_start => "--timestart",
+ :time_stop => "--timestop",
+ :month_days => "--monthdays",
+ :week_days => "--weekdays",
+ :time_contiguous => "--contiguous",
+ :kernel_timezone => "--kerneltz",
+ :clusterip_new => "--new",
+ :clusterip_hashmode => "--hashmode",
+ :clusterip_clustermac => "--clustermac",
+ :clusterip_total_nodes => "--total-nodes",
+ :clusterip_local_node => "--local-node",
+ :clusterip_hash_init => "--hash-init",
}
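Review bot: The six new CLUSTERIP entries at the tail of the map (`--new` through `--hash-init`) hand their values to iptables unchanged, and nothing in this hunk constrains them; the README text in this same change promises an enumerated `hashmode`, a link-layer multicast `clustermac` and integer node counts, so those checks presumably live in the type's `newvalues`/`validate` — worth confirming, because an unvalidated string here only surfaces as a failed iptables invocation at apply time. A short comment above the new entries would also orient the next reader: `# CLUSTERIP target options; iptables accepts these only after -j CLUSTERIP`. Separately, CLUSTERIP was marked obsolete upstream in favour of the `cluster` match and, to my knowledge, has since been dropped from the kernel, so a caveat near `has_feature :clusterip` such as `# CLUSTERIP is obsolete upstream; rules fail to load on kernels without xt_CLUSTERIP` would save users a confusing error. The `@resource_map` assignment sits inside a body that starts before this hunk.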
# These are known booleans that do not take a value, but we want to munge
:physdev_is_bridged,
:time_contiguous,
:kernel_timezone,
+ :clusterip_new,
]
# Properties that use "-m <ipt module name>" (with the potential to have multiple
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :set_mss, :todest,
- :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :match_mark, :mss,
- :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clusterip_new, :clusterip_hashmode,
+ :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init,
+ :clamp_mss_to_pmtu, :gateway, :set_mss, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
+ :log_level, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+ :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
]
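Review bot: The placement of the `:clusterip_*` symbols directly after `:jump` on L199–L200 is load-bearing — iptables only parses `--new`/`--hashmode`/`--clustermac`/`--total-nodes`/`--local-node`/`--hash-init` once `-j CLUSTERIP` has appeared, so anyone who later reorders or alphabetises this list silently breaks the generated command — yet nothing in the code says so. I would add a comment on the line preceding them: `# :clusterip_* are CLUSTERIP target options and must remain after :jump`. The array closed on L204 begins before this hunk, so I cannot see whether a similar ordering note already exists at its head.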
def insert