* `ip6tables`: Ip6tables type provider
* Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
- * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
**Autorequires:**
* `log_prefix`: The ability to add prefixes to log messages.
+* `log_uid`: The ability to log the userid of the process which generated the packet.
+
* `mark`: The ability to match or set the netfilter mark value associated with the packet.
* `mask`: The ability to match recent rules based on the ipv4 mask.
* `log_prefix`: When combined with `jump => 'LOG'` specifies the log prefix to use when logging. Requires the `log_prefix` feature.
+* `log_uid`: The ability to log the userid of the process which generated the packet.
+
* `mask`: Sets the mask to use when `recent` is enabled. Requires the `mask` feature.
* `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying '31' will not match on months that do not have a 31st day; the same goes for 28- or 29-day February.
has_feature :reject_type
has_feature :log_level
has_feature :log_prefix
+ has_feature :log_uid
has_feature :mark
has_feature :mss
has_feature :tcp_flags
:limit => "-m limit --limit",
:log_level => "--log-level",
:log_prefix => "--log-prefix",
+ :log_uid => "--log-uid",
:mask => "--mask",
:match_mark => "-m mark --mark",
:name => "-m comment --comment",
:ishasmorefrags,
:islastfrag,
:isfirstfrag,
+ :log_uid,
:rsource,
:rdest,
:reap,
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
end
has_feature :reject_type
has_feature :log_level
has_feature :log_prefix
+ has_feature :log_uid
has_feature :mark
has_feature :mss
has_feature :tcp_flags
:limit => "-m limit --limit",
:log_level => "--log-level",
:log_prefix => "--log-prefix",
+ :log_uid => "--log-uid",
:mac_source => ["-m mac --mac-source", "--mac-source"],
:mask => '--mask',
:match_mark => "-m mark --mark",
:checksum_fill,
:clamp_mss_to_pmtu,
:isfragment,
+ :log_uid,
:random,
:rdest,
:reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clusterip_new, :clusterip_hashmode,
:clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init,
:clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
- :log_level, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+ :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
]
feature :reject_type, "The ability to control reject messages"
feature :log_level, "The ability to control the log level"
feature :log_prefix, "The ability to add prefixes to log messages"
+ feature :log_uid, "Add UIDs to log messages"
feature :mark, "Match or Set the netfilter mark value associated with the packet"
feature :mss, "Match a given TCP MSS value or range."
feature :tcp_flags, "The ability to match on particular TCP flag settings"
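Review bot: The new feature string on the `feature :log_uid` line breaks the phrasing the neighbouring declarations use ("The ability to ..."), and it also differs from the wording the same commit puts in the README feature list ("The ability to log the userid of the process which generated the packet"), so the two descriptions of one feature will drift. Since the README text appears to be derived from these strings, I would align them here: `feature :log_uid, "The ability to log the userid of the process which generated the packet"`.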
EOS
end
+ newproperty(:log_uid, :required_features => :log_uid) do
+ desc <<-EOS
+ When combined with jump => "LOG" specifies the uid of the process making
+ the connection.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
# ICMP matching property
newproperty(:icmp, :required_features => :icmp_match) do
desc <<-EOS
end
end
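Review bot: The desc of the new `log_uid` property reads as if the property takes a uid value ("specifies the uid of the process"), but `newvalues(:true, :false)` makes it a boolean toggle, so the documentation contradicts the accepted values. I would reword the heredoc to something like `When combined with jump => "LOG" logs the uid of the process that generated the packet. Accepts true or false. Requires the log_uid feature.`, which also matches how the sibling `log_prefix` documentation names its required feature. The README parameter entry added in the same commit repeats the feature description verbatim instead of describing the parameter; it would benefit from the same wording.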
- if value(:log_prefix) || value(:log_level)
+ if value(:log_prefix) || value(:log_level) || value(:log_uid)
unless value(:jump).to_s == "LOG"
- self.fail "Parameter log_prefix and log_level require jump => LOG"
+ self.fail "Parameter log_prefix, log_level and log_uid require jump => LOG"
end
end
end
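Review bot: The extended condition `value(:log_prefix) || value(:log_level) || value(:log_uid)` treats any set `log_uid` as a request to log, but the property is declared with `newvalues(:true, :false)`, so a manifest `log_uid => false` is presumably stored as the symbol `:false`, which is truthy in Ruby; a rule with `log_uid => false` and a non-LOG jump would then fail validation even though it asks for no logging. Testing the value explicitly avoids that: `if value(:log_prefix) || value(:log_level) || value(:log_uid).to_s == 'true'`. The surrounding `validate` block starts outside the hunk.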
end
+ context 'log_uid is true' do
+ it 'adds the rule' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '700 - test log_uid':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => true,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log_uid "/)
+ end
+ end
+
+ if 'removes the rule' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '700 - test log_uid':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => false'
+ ensure => absent,
+ }
+ EOS
+
+ appy_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should not contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to_not match('/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j --log-uid "/)
+ end
+ end
+ end
+
context 'comment containing "-A "' do
it 'adds the rule' do
pp = <<-EOS
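Review bot: The third example in the new `log_uid is true` context opens with `if 'removes the rule' do` instead of `it 'removes the rule' do`; `if ... do` is not valid Ruby, so the whole acceptance spec file fails to load and none of the new examples run. The `should not contain the rule` example has a second syntax error: its `to_not match('/-A ...` argument starts a single-quoted string that is never closed, and even once quoted it would pass a string rather than a regex and omits `LOG` after `-j`. Inside the removal manifest, `log_uid => false'` puts a stray quote where the comma belongs, `appy_manifest` is a typo for `apply_manifest`, and the positive regex expects `--log_uid` while the provider's resource_map (and iptables-save output) uses `--log-uid`. I cannot tell from here whether a trailing `"` is printed after `--log-uid`, so the regexes below stop at the flag itself.
```ruby
      # … unchanged: 'adds the rule' example …

      it 'should contain the rule' do
        shell('iptables-save') do |r|
          expect(r.stdout).to match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid/)
        end
      end

      it 'removes the rule' do
        pp = <<-EOS
          # … unchanged: class declaration, resource title, chain and jump …
            log_uid => false,
            ensure => absent,
          }
        EOS

        apply_manifest(pp, :catch_failures => true)
      end

      it 'should not contain the rule' do
        shell('iptables-save') do |r|
          expect(r.stdout).to_not match(/-A OUTPUT -p tcp -m comment --comment "700 - test log_uid" -j LOG --log-uid/)
        end
      end
```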