has_feature :reject_type
has_feature :log_level
has_feature :log_prefix
+ has_feature :mark
commands :iptables => '/sbin/iptables'
commands :iptables_save => '/sbin/iptables-save'
:toports => "--to-ports",
:tosource => "--to-source",
:uid => "-m owner --uid-owner",
+ :set_mark => "--set-mark",
}
# This is the order of resources as they appear in iptables-save output,
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
:proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
- :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
+ :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark]
def insert
debug 'Inserting rule %s' % resource[:name]
feature :reject_type, "The ability to control reject messages"
feature :log_level, "The ability to control the log level"
feature :log_prefix, "The ability to add prefixes to log messages"
+ feature :mark, "Set the netfilter mark value associated with the packet"
# provider specific features
feature :iptables, "The provider provides iptables features."
* LOG
* MASQUERADE
* REDIRECT
+ * MARK
But any valid chain name is allowed.
EOS
end
+ newproperty(:set_mark, :required_features => :mark) do
+ desc <<-EOS
+ Set the Netfilter mark value associated with the packet.
+ EOS
+
+ munge do |value|
+ if ! value.to_s.include?("0x")
+ "0x" + value.to_i.to_s(16)
+ else
+ super
+ end
+ end
+ end
+
newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.
end
end
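Review bot: The munge branch `if ! value.to_s.include?("0x")` coerces every value that lacks `0x` through `to_i`, so a mistyped `set_mark => 'abc'` silently becomes `0x0` and a masked value like `1000/0xff` loses its mask, while anything merely containing `0x` (e.g. `10x0`) is handed to iptables verbatim. A `validate` block should reject input that is not a decimal or hex integer before munge runs, e.g. `validate do |value|` / `raise ArgumentError, "set_mark must be a decimal or 0x-prefixed hex integer, got #{value.inspect}" unless value.to_s =~ /\A(0x[0-9a-fA-F]+|[0-9]+)\z/` / `end`. With that in place the substring test can become a prefix check (`value.to_s =~ /\A0x/`) so the munge and the validation agree on what counts as hex. The desc should also state the accepted forms, e.g. `Accepts a decimal integer or a 0x-prefixed hex value; decimal input is stored as hex.`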
+ if value(:set_mark)
+ unless value(:jump).to_s =~ /MARK/ &&
+ value(:chain).to_s =~ /PREROUTING/ &&
+ value(:table).to_s =~ /mangle/
+ self.fail "Parameter set_mark only applies to " \
+ "the PREROUTING chain of the mangle table and when jump => MARK"
+ end
+ end
+
if value(:dport)
unless value(:proto).to_s =~ /tcp|udp|sctp/
self.fail "[%s] Parameter dport only applies to sctp, tcp and udp " \
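Review bot: The failure message at `self.fail "Parameter set_mark only applies to "` omits the `[%s]` resource-name prefix that the neighbouring dport check at the end of the hunk uses, so on a manifest with many rules the error names no rule; `self.fail "[%s] Parameter set_mark only applies to the PREROUTING chain of the mangle table and when jump => MARK" % value(:name)` keeps the two checks consistent. The three `=~` tests are also unanchored, so a jump of `CONNMARK` or a chain such as `MY_PREROUTING` would satisfy the guard; comparing with `== 'MARK'` and anchored patterns (`/\APREROUTING\z/`, `/\Amangle\z/`) is stricter. Whether limiting the property to PREROUTING is intended is worth a comment, since as far as I recall the MARK target is accepted in the other chains of the mangle table as well. The enclosing validate block starts before this hunk.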
:gid => 'root',
},
},
+ 'mark_set-mark' => {
+ :line => '-t mangle -A PREROUTING -j MARK --set-mark 1000',
+ :table => 'mangle',
+ :params => {
+ :jump => 'MARK',
+ :chain => 'PREROUTING',
+ :set_mark => '1000',
+ }
+ },
}
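Review bot: The fixture `:line => '-t mangle -A PREROUTING -j MARK --set-mark 1000'` feeds the parser a decimal mark, whereas iptables-save renders the mark in hex (and, on recent releases, as `--set-xmark 0x3e8/0xffffffff` as far as I recall), so the parse path exercised here is not the one the provider will see on a real host. I would add a second fixture with the hex form so the round trip from saved output to the munged `0x3e8` value is covered, and, if only `--set-mark` is meant to be recognised, record that limitation in a comment next to the `:set_mark => "--set-mark"` resource_map entry.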
# This hash is for testing converting a hash to an argument line.
},
:args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING gid root only', '-j', 'ACCEPT'],
},
+ 'mark_set-mark' => {
+ :params => {
+ :name => '058 set-mark 1000',
+ :table => 'mangle',
+ :jump => 'MARK',
+ :chain => 'PREROUTING',
+ :set_mark => '1000',
+ },
+ :args => ['-t', :mangle, '-p', :tcp, '-m', 'comment', '--comment', '058 set-mark 1000', '-j', 'MARK', '--set-mark', '0x3e8'],
+ },
}
res.parameters[:jump].should == nil
end
- ['QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT'].each do |jump|
+ ['QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK'].each do |jump|
it "should accept jump value #{jump}" do
@resource[:jump] = jump
@resource[:jump].should == jump
@resource[:gid].should == ['root', 'bobby']
end
end
+
+ describe ':set_mark' do
+ it 'should allow me to set set-mark' do
+ @resource[:set_mark] = '0x3e8'
+ @resource[:set_mark].should == '0x3e8'
+ end
+ it 'should convert int to hex' do
+ @resource[:set_mark] = '1000'
+ @resource[:set_mark].should == '0x3e8'
+ end
+ end
end
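Review bot: The new `:set_mark` examples only cover the two accepted forms; neither the rejection of a non-numeric value nor the validate rule that ties set_mark to `jump => MARK` in the mangle PREROUTING chain is exercised, so a regression in either would pass the suite. Once the property validates its input, add `it 'should reject a non-numeric value' do lambda { @resource[:set_mark] = 'abc' }.should raise_error(Puppet::Error) end`, and add an example that constructs a resource with `:set_mark => '1000'` and `:jump => 'ACCEPT'` and expects `Puppet::Error`, assuming resources are instantiated in this spec the same way as in the enclosing `before` block, which is outside the hunk.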