has_feature :ipsec_dir
has_feature :ipsec_policy
has_feature :mask
+ has_feature :stat_mode
+ has_feature :stat_every
+ has_feature :stat_packet
+ has_feature :stat_prob
optional_commands({
:iptables => 'iptables',
:ipsec_policy => "--pol",
:mask => '--mask',
:mac_source => ["-m mac --mac-source", "--mac-source"],
+ :stat_mode => "-m statistic --mode",
+ :stat_every => '--every',
+ :stat_packet => '--packet',
+ :stat_prob => '--probability',
}
# These are known booleans that do not take a value, but we want to munge
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [
:table, :source, :destination, :iniface, :outiface, :proto, :isfragment,
+ :stat_mode, :stat_every, :stat_packet, :stat_prob,
:src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port,
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
feature :ipsec_policy, "Match IPsec policy"
feature :ipsec_dir, "Match IPsec policy direction"
feature :mask, "Ability to match recent rules based on the ipv4 mask"
+ feature :stat_mode, "Match packets based on staistic mode"
+ feature :stat_every, "Match one packet every nth time"
+ feature :stat_packet, "Set initial counter"
+ feature :stat_prob, "Match packets based on probability"
# provider specific features
feature :iptables, "The provider provides iptables features."
newvalues(:in, :out)
end
+ newproperty(:stat_mode, :required_features => :stat_mode) do
+ desc <<-EOS
+ Sets the statistic modoule mode
+ EOS
+
+ newvalues(:nth, :random)
+ end
+
+ newproperty(:stat_every, :required_features => :stat_mode) do
+ desc <<-EOS
+ Match every nth packet (used with 'nth' mode)
+ EOS
+
+ validate do |value|
+ unless value =~ /^\d+$/
+ raise ArgumentError, <<-EOS
+ stat_every value must be a digit
+ EOS
+ end
+
+ unless value.to_i > 0
+ raise ArgumentError, <<-EOS
+ stat_every value must be larger than 0
+ EOS
+ end
+ end
+ end
+
+ newproperty(:stat_packet, :required_features => :stat_mode) do
+ desc <<-EOS
+ Set initial counter (used with 'nth' mode)
+ EOS
+
+ newvalues(/^\d+$/)
+ end
+
+ newproperty(:stat_prob, :required_features => :stat_mode) do
+ desc <<-EOS
+ Set the probably for a packet to be matched (used with 'random' mode)
+ EOS
+
+ validate do |value|
+ unless value =~ /^([01])\.(\d+)$/
+ raise ArgumentError, <<-EOS
+ stat_prob must be between 0.0 and 1.0
+ EOS
+ end
+
+ if $1.to_i == 1 && $2.to_i != 0
+ raise ArgumentError, <<-EOS
+ start_prob must be between 0.0 and 1.0
+ EOS
+ end
+ end
+ end
+
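Review bot: The check at L85 relies on `$1`/`$2` left behind by the `=~` at L79, and every pattern in this hunk (L51, L70, L79) is anchored with `^`/`$`, which match per line in Ruby, so a value like `"0.5\nx"` passes the regex and is handed on to the provider unchanged; anchor with `\A`/`\z` and use the match object directly, e.g. `m = value.to_s.match(/\A([01])\.(\d+)\z/)` followed by `m[1].to_i == 1 && m[2].to_i != 0`. The properties at L45, L65 and L73 all declare `:required_features => :stat_mode`, while the `:stat_every`, `:stat_packet` and `:stat_prob` features introduced at L5-7 and L30-32 are never required by anything, so each property presumably should require its own feature. The `desc` text at L39 ("modoule") and L75 ("probably" where probability is meant) and the error message at L87 ("start_prob", which names a property that does not exist) carry typos, as does "staistic" at L29.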
newproperty(:mask, :required_features => :mask) do
desc <<-EOS
Sets the mask to use when `recent` is enabled.
self.fail "Mask can only be set if recent is enabled."
end
+ [:stat_packet, :stat_every, :stat_prob].each do |param|
+ if value(param) && ! value(:stat_mode)
+ self.fail "Parameter '#{param.to_s}' requires 'stat_mode' to be set"
+ end
+ end
+
+ if value(:stat_packet) && value(:stat_mode) != :nth
+ self.fail "Parameter 'stat_packet' requires 'stat_mode' to be set to 'nth'"
+ end
+
+ if value(:stat_every) && value(:stat_mode) != :nth
+ self.fail "Parameter 'stat_every' requires 'stat_mode' to be set to 'nth'"
+ end
+
+ if value(:stat_prob) && value(:stat_mode) != :random
+ self.fail "Parameter 'stat_prob' requires 'stat_mode' to be set to 'random'"
+ end
+
end
end
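Review bot: The four checks at L98-114 repeat the same shape per parameter, and the `param.to_s` inside the interpolation at L100 is redundant; a small parameter-to-mode table expresses the same rule once and keeps the messages intact. Note that when `stat_mode` is unset the loop at L98-102 already raises before L104/L108 are reached, so the later checks only ever fire for a mode mismatch, which the table form makes explicit. The enclosing `validate` block begins before this hunk.
```ruby
# … unchanged: recent/mask check above …
{ :stat_packet => :nth, :stat_every => :nth, :stat_prob => :random }.each do |param, mode|
  next unless value(param)
  self.fail "Parameter '#{param}' requires 'stat_mode' to be set" unless value(:stat_mode)
  self.fail "Parameter '#{param}' requires 'stat_mode' to be set to '#{mode}'" unless value(:stat_mode) == mode
end
```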