has_feature :log_level
has_feature :log_prefix
has_feature :log_uid
+ has_feature :log_tcp_sequence
+ has_feature :log_tcp_options
+ has_feature :log_ip_options
has_feature :mark
has_feature :mss
has_feature :tcp_flags
log_level: '--log-level',
log_prefix: '--log-prefix',
log_uid: '--log-uid',
+ log_tcp_sequence: '--log-tcp-sequence',
+ log_tcp_options: '--log-tcp-options',
+ log_ip_options: '--log-ip-options',
mask: '--mask',
match_mark: '-m mark --mark',
name: '-m comment --comment',
:islastfrag,
:isfirstfrag,
:log_uid,
+ :log_tcp_sequence,
+ :log_tcp_options,
+ :log_ip_options,
:rsource,
:rdest,
:reap,
:icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
:string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options,
+ :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
has_feature :log_level
has_feature :log_prefix
has_feature :log_uid
+ has_feature :log_tcp_sequence
+ has_feature :log_tcp_options
+ has_feature :log_ip_options
has_feature :mark
has_feature :mss
has_feature :nflog_group
log_level: '--log-level',
log_prefix: '--log-prefix',
log_uid: '--log-uid',
+ log_tcp_sequence: '--log-tcp-sequence',
+ log_tcp_options: '--log-tcp-options',
+ log_ip_options: '--log-ip-options',
mac_source: ['-m mac --mac-source', '--mac-source'],
mask: '--mask',
match_mark: '-m mark --mark',
:clamp_mss_to_pmtu,
:isfragment,
:log_uid,
+ :log_tcp_sequence,
+ :log_tcp_options,
+ :log_ip_options,
:random_fully,
:random,
:rdest,
:clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
:nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
:set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
- :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+ :log_level, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
* Required binaries: ip6tables-save, ip6tables.
* Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
- ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
+ ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid,
+ log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss,
owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
* Default for kernel == linux.
* Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match,
interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
- log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
+ log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options,
+ mark, mask, mss, netmap, nflog_group, nflog_prefix,
nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
* log_uid: The ability to log the userid of the process which generated the packet.
+ * log_tcp_sequence: The ability to log TCP sequence numbers.
+
+ * log_tcp_options: The ability to log TCP packet header.
+
+ * log_ip_options: The ability to log IP/IPv6 packet header.
+
* mark: The ability to match or set the netfilter mark value associated with the packet.
* mask: The ability to match recent rules based on the ipv4 mask.
feature :log_level, 'The ability to control the log level'
feature :log_prefix, 'The ability to add prefixes to log messages'
feature :log_uid, 'Add UIDs to log messages'
+ feature :log_tcp_sequence, 'Add TCP sequence numbers to log messages'
+ feature :log_tcp_options, 'Add TCP packet header to log messages'
+ feature :log_ip_options, 'Add IP/IPv6 packet header to log messages'
feature :mark, 'Match or Set the netfilter mark value associated with the packet'
feature :mss, 'Match a given TCP MSS value or range.'
feature :tcp_flags, 'The ability to match on particular TCP flag settings'
newvalues(:true, :false)
end
+ newproperty(:log_tcp_sequence, required_features: :log_tcp_sequence) do
+ desc <<-PUPPETCODE
+ When combined with jump => "LOG" enables logging of the TCP sequence
+ numbers.
+ PUPPETCODE
+
+ newvalues(:true, :false)
+ end
+
+ newproperty(:log_tcp_options, required_features: :log_tcp_options) do
+ desc <<-PUPPETCODE
+ When combined with jump => "LOG" logging of the TCP packet
+ header.
+ PUPPETCODE
+
+ newvalues(:true, :false)
+ end
+
+ newproperty(:log_ip_options, required_features: :log_ip_options) do
+ desc <<-PUPPETCODE
+ When combined with jump => "LOG" logging of the TCP IP/IPv6
+ packet header.
+ PUPPETCODE
+
+ newvalues(:true, :false)
+ end
+
newproperty(:nflog_group, required_features: :nflog_group) do
desc <<-PUPPETCODE
Used with the jump target NFLOG.
end
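Review bot: The desc heredocs for log_tcp_options and log_ip_options are missing their verb and one of them names the wrong header: the log_tcp_options text reads "When combined with jump => "LOG" logging of the TCP packet header." and the log_ip_options text reads "logging of the TCP IP/IPv6 packet header", while the feature string for the same property says "Add IP/IPv6 packet header to log messages". Suggest `When combined with jump => "LOG" enables logging of the TCP packet header.` for log_tcp_options and `When combined with jump => "LOG" enables logging of the IP/IPv6 packet header.` for log_ip_options, matching the wording already used for log_tcp_sequence.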
end
- if value(:log_prefix) || value(:log_level) || value(:log_uid) == :true
+ if value(:log_prefix) || value(:log_level) || value(:log_uid) ||
+ value(:log_tcp_sequence) || value(:log_tcp_options) || value(:log_ip_options) == :true
unless value(:jump).to_s == 'LOG'
- raise 'Parameter log_prefix, log_level and log_uid require jump => LOG'
+ raise 'Parameter log_prefix, log_level, log_tcp_sequence, log_tcp_options, log_ip_options and log_uid require jump => LOG'
end
end
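Review bot: The extended condition only compares the last operand against `:true`, because `==` binds tighter than `||`; `value(:log_uid)`, `value(:log_tcp_sequence)` and `value(:log_tcp_options)` are now tested for mere truthiness, and since these properties take `:true`/`:false` symbols, `:false` is truthy in Ruby. Before this change `log_uid` was compared with `== :true`, so `log_uid => false` without `jump => LOG` is newly rejected with "require jump => LOG", and the same applies to the two new tcp properties set to false. Suggest `log_on = %i[log_uid log_tcp_sequence log_tcp_options log_ip_options].any? { |p| value(p) == :true }` followed by `if value(:log_prefix) || value(:log_level) || log_on`, which keeps log_prefix/log_level as presence checks and applies the `:true` comparison to every boolean property. The enclosing validate block starts outside the hunk, so I cannot see whether other checks in it follow the same pattern.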
jump => 'LOG',
log_prefix => 'FW-A-INPUT: ',
}
- firewall { '701 - log_uid':
- chain => 'OUTPUT',
- jump => 'LOG',
- log_uid => true,
+ firewall { '701 - log_uid, tcp-sequences and options':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => true,
+ log_tcp_sequence => true,
+ log_tcp_options => true,
+ log_ip_options => true,
}
firewall { '711 - physdev_in':
chain => 'FORWARD',
it 'comment containing "-A "' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
end
- it 'set log_uid' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid})
+ it 'set log_uid, log_tcp_sequence, log_tcp_options, log_ip_options' do
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid, tcp-sequences and options" -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid})
end
it 'set physdev_in' do
expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 711 -m comment --comment "711 - physdev_in" -j ACCEPT})