has_feature :queue_num
has_feature :queue_bypass
has_feature :ct_target
+ has_feature :rpfilter
optional_commands(ip6tables: 'ip6tables',
ip6tables_save: 'ip6tables-save')
reject: '--reject-with',
rhitcount: '--hitcount',
rname: '--name',
+ rpfilter: '-m rpfilter',
rseconds: '--seconds',
rsource: '--rsource',
rttl: '--rttl',
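Review bot: Mapping `rpfilter: '-m rpfilter'` makes the match option the property's value, so each rule carries exactly one of the four flags; a bare `-m rpfilter` with no option, or a combination such as `--loose --validmark`, cannot be expressed. If the provider reads existing rules back from `ip6tables-save` output, such rules may not round-trip, though the parsing code is outside this hunk and that is an inference. A comment beside the entry would record the limit, for example `# value is a single rpfilter option such as --invert`. The same applies to the identical entry added to the iptables provider map, and the enclosing map starts and ends outside this hunk.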
:rsource,
:rdest,
:reap,
+ :rpfilter,
:rttl,
:socket,
:physdev_is_bridged,
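Review bot: The list that gains `:rpfilter` here is not named in the visible lines, but its neighbours (`:rsource`, `:rdest`, `:reap`, `:rttl`, `:socket`, `:physdev_is_bridged`) are all flag-only options. If this is the provider's list of boolean arguments, `rpfilter` does not fit, since the new property carries a value such as `--invert` rather than true/false. The iptables provider gets no matching addition in the hunks shown, so the two providers may treat the property differently. Please confirm which list this is and keep both providers aligned.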
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :name]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name]
end
has_feature :queue_bypass
has_feature :ipvs
has_feature :ct_target
+ has_feature :rpfilter
optional_commands(iptables: 'iptables',
iptables_save: 'iptables-save')
reject: '--reject-with',
rhitcount: '--hitcount',
rname: '--name',
+ rpfilter: '-m rpfilter',
rseconds: '--seconds',
rsource: '--rsource',
rttl: '--rttl',
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name
]
def insert
newvalues(:true, :false)
end
+ newproperty(:rpfilter, required_features: :rpfilter) do
+ desc <<-PUPPETCODE
+ Enable the rpfilter module.
+ PUPPETCODE
+
+ newvalues(:loose, :validmark, :'accept-local', :invert)
+ munge do |value|
+ _value = '--' + value
+ end
+ end
+
newproperty(:socket, required_features: :socket) do
desc <<-PUPPETCODE
If true, matches if an open socket can be found by doing a coket lookup
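Review bot: The `munge` block of the new `rpfilter` property builds the flag with `'--' + value` and assigns it to an unused `_value`; the concatenation would raise a TypeError if the value ever arrives as a Symbol, which is how `newvalues` declares the accepted values. `munge { |value| "--#{value}" }` covers both cases and drops the dead assignment. The `desc` text "Enable the rpfilter module." also under-documents a security-relevant option: it should state that the match is true for packets that pass the reverse-path test and that `invert` reverses it, so that it matches packets failing the test. Without that, the pairing of `invert` with an action is easy to get backwards.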
physdev_out => "eth1",
physdev_is_bridged => true,
}
+ firewall { '900 - set rpfilter':
+ table => 'raw',
+ chain => 'PREROUTING',
+ action => 'accept',
+ rpfilter => 'invert',
+ }
firewall { '1000 - set_dscp':
proto => 'tcp',
jump => 'DSCP',
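Review bot: The example rule `'900 - set rpfilter'` pairs `rpfilter => 'invert'` with `action => 'accept'`, so in raw/PREROUTING it accepts exactly the packets that fail the reverse-path check. That is the opposite of the usual anti-spoofing use of this match, where inverted matches are dropped. If this manifest is only a fixture for argument generation, a comment such as `# fixture only: exercises the --invert flag, not a recommended policy` would say so; otherwise `action => 'drop'` is the safer example for anyone copying it. The following `'1000 - set_dscp'` resource continues outside the hunk.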