@resource_map = {
:burst => "--limit-burst",
:checksum_fill => "--checksum-fill",
+ :clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
:connlimit_above => "-m connlimit --connlimit-above",
:connlimit_mask => "--connlimit-mask",
:connmark => "-m connmark --mark",
# to true if they exist.
@known_booleans = [
:checksum_fill,
+ :clamp_mss_to_pmtu,
:ishasmorefrags,
:islastfrag,
:isfirstfrag,
:tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :todest,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
@resource_map = {
:burst => "--limit-burst",
:checksum_fill => "--checksum-fill",
+ :clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
:connlimit_above => "-m connlimit --connlimit-above",
:connlimit_mask => "--connlimit-mask",
:connmark => "-m connmark --mark",
# to true if they exist.
@known_booleans = [
:checksum_fill,
+ :clamp_mss_to_pmtu,
:isfragment,
:random,
:rdest,
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :set_mss, :todest,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :set_mss, :todest,
:tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :match_mark, :mss,
:connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
]
end
end
+ newproperty(:clamp_mss_to_pmtu, :required_features => :iptables) do
+ desc <<-EOS
+ Sets the clamp mss to pmtu flag.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
newproperty(:set_mss, :required_features => :iptables) do
desc <<-EOS
Sets the TCP MSS value for packets.
end
if value(:jump).to_s == "TCPMSS"
- unless value(:set_mss)
- self.fail "When using jump => TCPMSS, the set_mss property is required"
+ unless value(:set_mss) || value(:clamp_mss_to_pmtu)
+ self.fail "When using jump => TCPMSS, the set_mss or clamp_mss_to_pmtu property is required"
end
end
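Review bot: The new condition at L61 is asymmetric: `value(:set_mss)` is nil when the property is unset, but `value(:clamp_mss_to_pmtu)` is declared with `newvalues(:true, :false)`, so a manifest writing `clamp_mss_to_pmtu => false` yields the symbol `:false`, which is truthy in Ruby and lets `jump => 'TCPMSS'` pass without any MSS option (assuming `value` returns the munged symbol, as the `.to_s == "TCPMSS"` comparison on L58 suggests). Nothing rejects `set_mss` and `clamp_mss_to_pmtu` given together, although the TCPMSS target treats them as mutually exclusive, so that combination would only fail at apply time instead of at catalog validation. The `desc` at L48 should also say that the property is an alternative to `set_mss` and only meaningful with `jump => 'TCPMSS'`, e.g. `Clamps the TCP MSS to the path MTU; alternative to set_mss and only valid with jump => TCPMSS.` The surrounding validation block starts and ends outside this hunk.
```ruby
if value(:jump).to_s == "TCPMSS"
  clamp = value(:clamp_mss_to_pmtu).to_s == "true"
  if value(:set_mss) && clamp
    self.fail "When using jump => TCPMSS, set_mss and clamp_mss_to_pmtu are mutually exclusive"
  end
  unless value(:set_mss) || clamp
    self.fail "When using jump => TCPMSS, the set_mss or clamp_mss_to_pmtu property is required"
  end
end
```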
shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
end
- describe 'set_mss' do
+ describe 'mss ipv4 tests' do
context '1360' do
it 'applies' do
pp = <<-EOS
end
end
end
+
+ context 'clamp_mss_to_pmtu' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '503 - clamp_mss_to_pmtu':
+ proto => 'tcp',
+ chain => 'FORWARD',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ clamp_mss_to_pmtu => true,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
+ end
+ end
+ end
end
if default['platform'] !~ /el-5/
- describe 'set_mss6' do
+ describe 'mss ipv6 tests' do
context '1360' do
it 'applies' do
pp = <<-EOS
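Review bot: The new contexts at L76-98 (and the ip6tables copy at L110-133) only cover the positive path; nothing checks that `jump => 'TCPMSS'` without `set_mss` or `clamp_mss_to_pmtu` is refused, or what happens when both are given, so the validation branch this commit changes in the type is left untested. A manifest with `clamp_mss_to_pmtu => false` would additionally confirm that the provider emits no `--clamp-mss-to-pmtu` flag, which the `known_booleans` handling is expected to guarantee. The two contexts differ only by `provider => 'ip6tables'` and the save command, so iterating over the provider, or a small shared helper, would keep them from drifting apart. The heredoc bodies of the `'1360'` contexts are elided from this view.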
end
end
end
+
+ context 'clamp_mss_to_pmtu' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '503 - clamp_mss_to_pmtu':
+ proto => 'tcp',
+ chain => 'FORWARD',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ clamp_mss_to_pmtu => true,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
+ end
+ end
+ end
end
end
:action => 'reject',
},
},
+ 'clamp_mss_to_pmtu' => {
+ :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "067 change max segment size" -j TCPMSS --clamp-mss-to-pmtu',
+ :table => 'filter',
+ :params => {
+ :name => '067 change max segment size',
+ :table => 'filter',
+ :proto => 'tcp',
+ :tcp_flags => 'SYN,RST SYN',
+ :jump => 'TCPMSS',
+ :clamp_mss_to_pmtu => true,
+ },
+ },
}
# This hash is for testing converting a hash to an argument line.
},
:args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "066 REJECT connlimit_above 10 with mask 32 and mark matches", "-j", "REJECT", "-m", "mark", "--mark", "0x1", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "32"],
},
+ 'clamp_mss_to_pmtu' => {
+ :params => {
+ :name => '067 change max segment size',
+ :table => 'filter',
+ :proto => 'tcp',
+ :tcp_flags => 'SYN,RST SYN',
+ :jump => 'TCPMSS',
+ :clamp_mss_to_pmtu => true,
+ },
+ :args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-m", "comment", "--comment", "067 change max segment size", "-j", "TCPMSS", "--clamp-mss-to-pmtu"],
+ },
}