has_feature :ipsec_dir
has_feature :ipsec_policy
has_feature :mask
+ has_feature :ipset
optional_commands({
:iptables => 'iptables',
:iniface => "-i",
:ipsec_dir => "-m policy --dir",
:ipsec_policy => "--pol",
+ :ipset => "-m set --match-set",
:isfragment => "-f",
:jump => "-j",
:limit => "-m limit --limit",
:src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port,
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :jump, :todest,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
:tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
:connlimit_above, :connlimit_mask, :connmark
]
# --tcp-flags takes two values; we cheat by adding " around it
# so it behaves like --comment
values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"')
+ # ditto for --match-set
+ values = values.sub(/--match-set (\S*) (\S*)/, '--match-set "\1 \2"')
# we do a similar thing for negated address masks (source and destination).
values = values.gsub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
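Review bot: The new `--match-set` quoting uses `sub`, while the `--tcp-flags` rewrite two lines above uses `gsub`, so only the first set match in a rule is quoted; a rule carrying two `-m set --match-set` clauses would leave the second unquoted and its two arguments would be split apart when the line is parsed back into properties. The pattern also omits the optional negation prefix that the tcp-flags regex captures with `(!\s+)?`, so a negated match (iptables accepts `-m set ! --match-set name src`, and I believe iptables-save prints it that way) would instead fall through to the generic negation rewrite on the next line. For consistency with the line above I would write `values = values.gsub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set "\1\2 \3"')`. The enclosing method begins and ends outside this hunk.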
# the actual rule will have the ! mark before the option.
# our tcp_flags takes a single string with comma lists separated
# by space
# --tcp-flags expects two arguments
- if res == :tcp_flags
+ if res == :tcp_flags or res == :ipset
one, two = resource_value.split(' ')
args << one
args << two
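Review bot: The widened condition uses `or` rather than `||`; it happens to work as a bare `if` condition, but `or` binds more loosely than assignment and is the form RuboCop flags, so `if res == :tcp_flags || res == :ipset` (or `if [:tcp_flags, :ipset].include?(res)`) is the safer spelling. Note also that `one, two = resource_value.split(' ')` leaves `two` as nil when the value has no space, and `args << two` then pushes nil into the iptables argument list; that path was already reachable for `tcp_flags` and is now reachable for an `ipset` value given without its `src`/`dst` part. A guard such as `raise ArgumentError, "#{res} requires two space-separated values" unless two` before the pushes would turn that into a clear failure. The enclosing method starts and ends outside this hunk.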
feature :ipsec_policy, "Match IPsec policy"
feature :ipsec_dir, "Match IPsec policy direction"
feature :mask, "Ability to match recent rules based on the ipv4 mask"
+ feature :ipset, "Match against specified ipset list"
# provider specific features
feature :iptables, "The provider provides iptables features."
newproperty(:isfirstfrag, :required_features => :isfirstfrag) do
desc <<-EOS
- If true, matches if the packet is the first fragment.
+ If true, matches if the packet is the first fragment.
Sadly cannot be negated. ipv6.
EOS
EOS
end
+ newproperty(:ipset, :required_features => :ipset) do
+ desc <<-EOS
+ Matches against the specified ipset list.
+ The value is the name of the blacklist, followed by a space, and then
+ 'src' and/or 'dst' separated by a comma.
+ For example: 'blacklist src,dst'
+ EOS
+ end
+
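Review bot: The new `ipset` property accepts any string, although the provider splits its value on a single space and hands both halves to iptables as separate arguments; a value missing the direction part, or one with extra whitespace, therefore surfaces as a nil argument or an iptables usage error at apply time rather than a catalog-time failure. Since the desc already fixes the accepted form (`'<set name> src|dst[,src|dst]'`), a `validate` block that raises `ArgumentError` unless `value =~ /\A\S+ (src|dst)(,(src|dst))?\z/` would catch malformed values early; note the `\A`/`\z` anchors, since `^`/`$` would match per line. The desc also calls the set a "blacklist", but the set name is arbitrary, so "the name of the ipset" would be more accurate wording.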
newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.