:ipset => "-m set --match-set",
:isfragment => "-f",
:jump => "-j",
+ :goto => "-g",
:limit => "-m limit --limit",
:log_level => "--log-level",
:log_prefix => "--log-prefix",
:clusterip_new,
]
- # Properties that use "-m <ipt module name>" (with the potential to have multiple
+ # Properties that use "-m <ipt module name>" (with the potential to have multiple
# arguments against the same IPT module) must be in this hash. The keys in this
# hash are the IPT module names, with the values being an array of the respective
# supported arguments for this IPT module.
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clusterip_new, :clusterip_hashmode,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :goto, :clusterip_new, :clusterip_hashmode,
:clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init,
:clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
:log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
[:dport, :sport, :port, :state, :ctstate].each do |prop|
hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
end
-
- ## clean up DSCP class to HEX mappings
+
+ ## clean up DSCP class to HEX mappings
valid_dscp_classes = {
'0x0a' => 'af11',
'0x0c' => 'af12',
end.flatten)
defaultto "tcp"
end
-
+
# tcp-specific
newproperty(:mss) do
desc <<-EOS
end
end
+ newproperty(:goto, :required_features => :iptables) do
+ desc <<-EOS
+ The value for the iptables --goto parameter. Normal values are:
+
+ * QUEUE
+ * RETURN
+ * DNAT
+ * SNAT
+ * LOG
+ * MASQUERADE
+ * REDIRECT
+ * MARK
+
+ But any valid chain name is allowed.
+ EOS
+
+ validate do |value|
+ unless value =~ /^[a-zA-Z0-9\-_]+$/
+ raise ArgumentError, <<-EOS
+ Goto destination must consist of alphanumeric characters, an
+ underscore or a yphen.
+ EOS
+ end
+
+ if ["accept","reject","drop"].include?(value.downcase)
+ raise ArgumentError, <<-EOS
+ Goto destination should not be one of ACCEPT, REJECT or DROP. Use
+ the action property instead.
+ EOS
+ end
+
+ end
+ end
+
# Interface specific matching properties
newproperty(:iniface, :required_features => :interface_match) do
desc <<-EOS
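Review bot: The `validate` block of the new `goto` property anchors its pattern with `^` and `$`, which in Ruby match at line boundaries, so a multi-line value passes as long as one of its lines is a valid chain name. Use `unless value =~ /\A[a-zA-Z0-9\-_]+\z/` so the whole string is checked before it is handed to `-g`. The error heredoc under that check misspells "hyphen" as "yphen". The `desc` text lists targets such as DNAT, SNAT, LOG and MASQUERADE as normal values, which looks carried over from `jump`; iptables documents `--goto` as continuing processing in a user-specified chain, so the description should say that instead. Nothing visible in this hunk rejects a resource that sets both `jump` and `goto`; if the type has no such check elsewhere, it is worth adding one.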
Set DSCP Markings.
EOS
end
-
+
newproperty(:set_dscp_class, :required_features => :iptables) do
desc <<-EOS
This sets the DSCP field according to a predefined DiffServ class.