Add iptables --hex-string support to firewall resource

diff --git a/REFERENCE.md b/REFERENCE.md
index b510e3b120e95a246126e14c85b34347975418d8..ea9a8aa8f8d575d2029dbfaf1e47755160ab6109 100644 (file)
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1026,6 +1026,11 @@ Sets the length of layer-3 payload to match.
 String matching feature. Matches the packet against the pattern
 given as an argument.
 
+##### `string_hex`
+
+String matching feature. Matches the package against the hex pattern
+given as an argument.
+
 ##### `string_algo`
 
 Valid values: bm, kmp

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 066b0a80b330a600cd32494a2338650a45909994..c0afbcb784fa55e5df32a761f6751c93ac0b124e 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -149,6 +149,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     stat_probability: '--probability',
     state: '-m state --state',
     string: '-m string --string',
+    string_hex: '-m string --hex-string',
     string_algo: '--algo',
     string_from: '--from',
     string_to: '--to',
@@ -325,7 +326,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     :state, :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
     :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir,
     :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
-    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_hex, :string_algo,
     :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
     :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index d10389d183691e0c2c193a2abc1047af3807e4c1..a3eef48183bb36a3c58deaa6d15b2bc20bda027c 100644 (file)
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -2030,6 +2030,13 @@ Puppet::Type.newtype(:firewall) do
     end
   end
 
+  newproperty(:string_hex) do
+    desc <<-PUPPETCODE
+      String matching feature. Matches the package against the hex pattern
+      given as an argument.
+    PUPPETCODE
+  end
+
   newproperty(:string_algo, required_features: :string_matching) do
     desc <<-PUPPETCODE
       String matching feature, pattern matching strategy.

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index b99db650b3e58ff05228019b2557617e9f19e9fe..fe249397afc1925bd522ae9a35d7bb6c2e5ad140 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -713,6 +713,14 @@ ARGS_TO_HASH = {
       string_from: '1',
     },
   },
+  'hexstring_matching_1' => {
+    line: '-A INPUT -m string --hex-string "|0000FF0001|" --algo bm',
+    table: 'filter',
+    params: {
+      string_hex: '|0000FF0001|'.
+      string_algo: 'bm',
+    },
+  },
   'nfqueue_jump1' => {
     line: '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -j NFQUEUE --queue-num 50 -m comment --comment "000 nfqueue specify queue_num"',
     table: 'filter',