:outiface => "-o",
:port => '-m multiport --ports',
:proto => "-p",
+ :random => "--random",
:rdest => "--rdest",
:reap => "--reap",
:recent => "-m recent",
# These are known booleans that do not take a value, but we want to munge
# to true if they exist.
- @known_booleans = [:socket, :isfragment, :rsource, :rdest, :reap, :rttl]
+ @known_booleans = [
+ :isfragment,
+ :random,
+ :rdest,
+ :reap,
+ :rsource,
+ :rttl,
+ :socket
+ ]
# Create property methods dynamically
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
- :toports, :log_prefix, :log_level, :reject, :set_mark
+ :toports, :random, :log_prefix, :log_level, :reject, :set_mark
]
def insert
EOS
end
+ newproperty(:random, :required_features => :dnat) do
+ desc <<-EOS
+ When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+ this boolean will enable randomized port mapping.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
# Reject ICMP type
newproperty(:reject, :required_features => :reject_type) do
desc <<-EOS
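Review bot: Nothing in the new `newproperty(:random, ...)` ties the property to the four NAT targets its description names, so a manifest with `random => true` and a non-NAT jump passes catalog validation and only fails when iptables rejects `--random` at apply time. If the type's `validate` block (outside this hunk) already checks other target-specific parameters, a parallel guard fits there: `if value(:random) == :true && !%w[MASQUERADE DNAT REDIRECT SNAT].include?(value(:jump).to_s)` followed by `self.fail 'Parameter random only applies when jump is MASQUERADE, DNAT, REDIRECT or SNAT'`. The desc would also be more useful stating what is randomized: I would add the sentence "For SNAT and MASQUERADE this randomizes the source-port mapping, which makes the NAT's port allocation harder to predict; for DNAT and REDIRECT it randomizes the port chosen from the mapped range." The default when the property is unset is not stated either; if absence means no `--random` is emitted, the desc should say so.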
end
end
+ describe 'random' do
+ context '192.168.1.1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '570 - test 2':
+ proto => all,
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ source => '172.30.0.0/16',
+ random => true
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ apply_manifest(pp, :catch_changes => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables -t nat -S') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -s 172\.30\.0\.0\/16 -m comment --comment "570 - test 2" -j MASQUERADE --random/)
+ end
+ end
+ end
+ end
+
describe 'icmp' do
context 'any' do
it 'fails' do
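Review bot: The new `describe 'random'` block only exercises `random => true`; the read-back path the commit adds by putting `:random` into `@known_booleans` is what decides whether a present `--random` is parsed as true and the second `apply_manifest(pp, :catch_changes => true)` stays idempotent, and the inverse side (`random => false` producing a rule without `--random`, and staying idempotent) is not covered. A sibling example in the same context would close that gap; the rule name below is illustrative and should follow the file's numbering. The `'icmp'` describe that follows continues past the hunk.
```ruby
    it 'omits --random when disabled' do
      pp_off = <<-EOS
        class { '::firewall': }
        firewall { '571 - test 3':
          proto  => all,
          table  => 'nat',
          chain  => 'POSTROUTING',
          jump   => 'MASQUERADE',
          source => '172.30.0.0/16',
          random => false
        }
      EOS

      apply_manifest(pp_off, :catch_failures => true)
      apply_manifest(pp_off, :catch_changes => true)

      shell('iptables -t nat -S') do |r|
        expect(r.stdout).to match(/--comment "571 - test 3" -j MASQUERADE/)
        expect(r.stdout).not_to match(/--comment "571 - test 3" -j MASQUERADE --random/)
      end
    end
```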