:state => "-m state --state",
:sport => "-m multiport --sports",
:table => "-t",
+ :tcp_flags => "-m tcp --tcp-flags",
:todest => "--to-destination",
:toports => "--to-ports",
:tosource => "--to-source",
# changes between puppet runs, the changed rules will be re-applied again.
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :proto, :tcp_flags, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark]
def insert
keys = []
values = line.dup
+ # --tcp-flags takes two values; we cheat by adding " around it
+ # so it behaves like --comment
+ values = values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')
+
@resource_list.reverse.each do |k|
if values.slice!(/\s#{@resource_map[k]}/)
keys << k
end
end
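Review bot: The substitution on the new `values = values.sub(/--tcp-flags (\S*) (\S*)/, ...)` line is unanchored and runs over the whole saved rule, so a `--comment` value that happens to contain the text `--tcp-flags a b` is rewritten as well, and `\S*` also accepts empty operands. Tightening the operands to `\S+` and keying on the match module that the fixture shows in front of the option narrows both: `values = values.sub(/-m tcp --tcp-flags (\S+) (\S+)/, '-m tcp --tcp-flags "\1 \2"')`. `sub` only touches the first occurrence, which is fine as long as a rule carries at most one `--tcp-flags`. The method this belongs to continues past the hunk.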
- if resource_value.is_a?(Array)
+ # our tcp_flags takes a single string with comma lists separated
+ # by space
+ # --tcp-flags expects two arguments
+ if res == :tcp_flags
+ one, two = resource_value.split(' ')
+ args << one
+ args << two
+ elsif resource_value.is_a?(Array)
args << resource_value.join(',')
else
args << resource_value
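Review bot: `one, two = resource_value.split(' ')` in the new `res == :tcp_flags` branch leaves `two` as nil when the value carries no space, and that nil is then pushed into `args`; a value with a third token is silently truncated instead. The value comes straight from the manifest, so the shape check belongs in the type (a `validate` block on the `tcp_flags` property), but the provider should still fail loudly rather than emit a malformed argument list: `mask, comp = resource_value.split(' ', 2)`, `raise Puppet::Error, "tcp_flags expects 'MASK COMP', got #{resource_value.inspect}" if comp.nil?`, `args << mask << comp`. The enclosing method starts and ends outside the hunk.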
defaultto "tcp"
end
+ # tcp-specific
+ newproperty(:tcp_flags) do
+ desc <<-EOS
+ Match when the TCP flags are as specified.
+ Is a string with a list of comma-separated flag names for the mask,
+ then a space, then a comma-separated list of flags that should be set.
+ The flags are: SYN ACK FIN RST URG PSH ALL NONE
+ Note that you specify them in the order that iptables --list-rules
+ would list them to avoid having puppet think you changed the flags.
+ Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
+ ACK,RST and FIN bits cleared. Such packets are used to request
+ TCP connection initiation.
+ EOS
+ end
+
+
# Iptables specific
newproperty(:chain, :required_features => :iptables) do
desc <<-EOS
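Review bot: The new `newproperty(:tcp_flags)` accepts any string: it has no `validate` or `newvalues`, so a typo such as `SIN`, a value without the single space the provider expects, or any other junk is only rejected by iptables at apply time, with an error that points at the provider rather than the manifest. Since `desc` already enumerates the legal flag names, a `validate` block can enforce exactly the documented "MASK COMP" shape with a whole-string anchored regex (`\A`/`\z`, not `^`/`$`), as sketched below. The two consecutive empty `+` lines after the property's `end` can be collapsed to one.
```ruby
newproperty(:tcp_flags) do
  # … unchanged: desc heredoc …

  # Reject anything but "MASK COMP": two comma-separated lists of the
  # flag names listed in desc, separated by exactly one space.
  validate do |value|
    flag = 'SYN|ACK|FIN|RST|URG|PSH|ALL|NONE'
    list = "(?:#{flag})(?:,(?:#{flag}))*"
    unless value.is_a?(String) && value =~ /\A#{list} #{list}\z/
      raise ArgumentError, "tcp_flags must be two space-separated comma lists of #{flag.tr('|', ' ')}, got #{value.inspect}"
    end
  end
end
```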
:sport => ["15","512-1024"],
},
},
+ 'tcp_flags_1' => {
+ :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
+ :table => 'filter',
+ :compare_all => true,
+ :chain => 'INPUT',
+ :proto => 'tcp',
+ :params => {
+ :chain => "INPUT",
+ :ensure => :present,
+ :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
+ :name => "000 initiation",
+ :proto => "tcp",
+ :provider => "iptables",
+ :table => "filter",
+ :tcp_flags => "SYN,RST,ACK,FIN SYN",
+ },
+ },
'state_returns_sorted_values' => {
:line => '-A INPUT -m state --state INVALID,RELATED,ESTABLISHED',
:table => 'filter',
},
:args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "15,512:1024", "-m", "comment", "--comment", "100 sport range"],
},
+ 'tcp_flags_1' => {
+ :params => {
+ :name => "000 initiation",
+ :tcp_flags => "SYN,RST,ACK,FIN SYN",
+ :table => "filter",
+ },
+
+ :args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST,ACK,FIN", "SYN", "-m", "comment", "--comment", "000 initiation",]
+ },
'states_set_from_array' => {
:params => {
:name => "100 states_set_from_array",
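Review bot: In the new `'tcp_flags_1'` fixture the `:args` list ends in `"000 initiation",]`, a trailing comma before the closing bracket, and an empty line separates `:params` from `:args` inside the same hash; the neighbouring fixtures do neither. Dropping both keeps the fixtures uniform: `:args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST,ACK,FIN", "SYN", "-m", "comment", "--comment", "000 initiation"]`.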