* `ip6tables`: Ip6tables type provider
* Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
**Autorequires:**
has_feature :iprange
has_feature :ipsec_dir
has_feature :ipsec_policy
+ has_feature :ipset
optional_commands({
:ip6tables => 'ip6tables',
:iniface => "-i",
:ipsec_dir => "-m policy --dir",
:ipsec_policy => "--pol",
+ :ipset => "-m set --match-set",
:isfirstfrag => "-m frag --fragid 0 --fragfirst",
:ishasmorefrags => "-m frag --fragid 0 --fragmore",
:islastfrag => "-m frag --fragid 0 --fraglast",
:tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type,
:src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
- :toports, :log_level, :log_prefix, :reject, :set_mark, :connlimit_above,
- :connlimit_mask, :connmark]
+ :rhitcount, :rttl, :rname, :rsource, :rdest, :ipset, :jump, :todest,
+ :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark,
+ :connlimit_above, :connlimit_mask, :connmark]
end
end
end
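Review bot: The new `:ipset` entry in `@resource_list` is slotted between `:rdest` and `:jump` with nothing recording why that position is the right one; if, as the list's name suggests, it fixes the order in which match options are emitted and parsed, a misplaced entry would break round-tripping of rules quietly rather than failing at apply time. A one-line comment next to it, such as `# -m set --match-set is printed immediately before the target (-j) in ip6tables-save output`, would pin the constraint, and the expected save line in the acceptance test (`… -m set --match-set blacklist src,src -j DROP`) is consistent with that placement. The matching `:ipset => "-m set --match-set"` mapping added to the hash earlier in this file section carries no comment either. The opening line of the `@resource_list` assignment and any comment describing the list lie outside the hunk.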
+ #ip6tables only supports ipset on a limited set of platforms
+ if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
+ describe 'ipset' do
+ it 'applies' do
+ pp = <<-EOS
+ package { 'ipset': ensure => present }
+ exec { 'create ipset':
+ command => 'ipset create blacklist family inet6 hash:ip,port maxelem 1024 hashsize 65535 timeout 120',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ require => Package['ipset'],
+ }
+ exec { 'add blacklist':
+ command => 'ipset add blacklist 2001:db8::1,80',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ require => Exec['create ipset'],
+ }
+ class { '::firewall': }
+ firewall { '612 - test':
+ ensure => present,
+ chain => 'INPUT',
+ proto => tcp,
+ action => drop,
+ ipset => 'blacklist src,src',
+ provider => 'ip6tables',
+ require => Exec['add blacklist'],
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m comment --comment "612 - test" -m set --match-set blacklist src,src -j DROP/)
+ end
+ end
+ end
+ end
+
# ip6tables only support addrtype on a limited set of platforms
if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
['dst_type', 'src_type'].each do |type|
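Review bot: The `create ipset` and `add blacklist` exec resources in the new manifest are not idempotent: `ipset create blacklist …` exits non-zero once the set already exists, so a second run of this spec on the same node, or a second `apply_manifest` of the same manifest, fails inside the exec instead of exercising the ip6tables provider. Give them `unless => 'ipset list blacklist'` and `unless => 'ipset test blacklist 2001:db8::1,80'` respectively, then follow the first apply with `apply_manifest(pp, :catch_changes => true)` so that the round-trip of `ipset => 'blacklist src,src'` through `ip6tables-save` parsing is actually checked; as written, a provider that re-applied the rule on every run would still pass. The `timeout 120` on the set means the `2001:db8::1,80` entry expires two minutes after creation, which is harmless here because `ip6tables-save` lists the rule regardless of set contents, but a short comment saying so would save the next reader a detour. The spec file continues past this hunk with the addrtype block whose guard this one mirrors.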