has_feature :iptables
has_feature :hop_limiting
has_feature :rate_limiting
+ has_feature :recent_limiting
has_feature :snat
has_feature :dnat
has_feature :interface_match
:outiface => "-o",
:port => '-m multiport --ports',
:proto => "-p",
+ :rdest => "--rdest",
+ :reap => "--reap",
+ :recent => "-m recent",
:reject => "--reject-with",
+ :rhitcount => "--hitcount",
+ :rname => "--name",
+ :rseconds => "--seconds",
+ :rsource => "--rsource",
+ :rttl => "--rttl",
:source => "-s",
:state => "-m state --state",
:sport => "-m multiport --sports",
@resource_list = [:table, :source, :destination, :iniface, :outiface,
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport,
:port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
+ :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
end
has_feature :iptables
has_feature :rate_limiting
+ has_feature :recent_limiting
has_feature :snat
has_feature :dnat
has_feature :interface_match
:outiface => "-o",
:port => '-m multiport --ports',
:proto => "-p",
+ :rdest => "--rdest",
+ :reap => "--reap",
+ :recent => "-m recent",
:reject => "--reject-with",
+ :rhitcount => "--hitcount",
+ :rname => "--name",
+ :rseconds => "--seconds",
+ :rsource => "--rsource",
+ :rttl => "--rttl",
:set_mark => mark_flag,
:socket => "-m socket",
:source => "-s",
@resource_list = [:table, :source, :src_range, :destination, :dst_range, :iniface, :outiface,
:proto, :isfragment, :tcp_flags, :gid, :uid, :sport, :dport, :port,
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp,
- :limit, :burst, :jump, :todest, :tosource, :toports, :log_prefix,
+ :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
+ :jump, :todest, :tosource, :toports, :log_prefix,
:log_level, :reject, :set_mark]
def insert
# the actual rule will have the ! mark before the option.
values = values.sub(/(!)\s*(-\S+)\s*(\S*)/, '\2 "\1 \3"')
+ # rsource, rdest, reap and rttl take no values. Cheat by adding "" after them.
+ values = values.sub(/--rsource/, '--rsource ""')
+ values = values.sub(/--rdest/, '--rdest ""')
+ values = values.sub(/--reap/, '--reap ""')
+ values = values.sub(/--rttl/, '--rttl ""')
+
# Trick the system for booleans
@known_booleans.each do |bool|
# append "true" because all params are expected to have values
next
end
end
+ if res == :rsource then
+ resource_value = nil
+ end
+ if res == :rdest then
+ resource_value = nil
+ end
+ if res == :reap then
+ resource_value = nil
+ end
+ if res == :rttl then
+ resource_value = nil
+ end
elsif res == :jump and resource[:action] then
# In this case, we are substituting jump for action
resource_value = resource[:action].to_s.upcase
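Review bot: The set of no-argument recent flags is spelled out twice in this hunk — once as four `sub` calls after the `!` rewrite and again as four separate `if res == … then resource_value = nil end` blocks before the `elsif res == :jump` branch — so the two lists can drift apart the next time a flag is added. A single frozen list, e.g. `RECENT_NOARG_FLAGS = %w[--rsource --rdest --reap --rttl].freeze`, lets the first site become `RECENT_NOARG_FLAGS.each { |flag| values = values.sub(/#{flag}/, "#{flag} \"\"") }` and the second `resource_value = nil if [:rsource, :rdest, :reap, :rttl].include?(res)`. Like the neighbouring `!` handling, these substitutions presumably run over the whole saved rule line, so a `--comment` whose text happens to contain one of these tokens would be rewritten too; that looks like a pre-existing limitation of the pre-parse approach rather than something this change introduces, but a short comment saying so would help the next reader. The methods enclosing both sites begin and end outside the hunk.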
feature :hop_limiting, "Hop limiting features."
feature :rate_limiting, "Rate limiting features."
+ feature :recent_limiting, "The netfilter recent module"
feature :snat, "Source NATing"
feature :dnat, "Destination NATing"
feature :interface_match, "Interface matching"
newvalues(:true, :false)
end
+ newproperty(:recent, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Enable the recent module. Takes as an argument one of set, update,
+ rcheck or remove.
+ EOS
+
+ newvalues(:set, :update, :rcheck, :remove)
+ munge do |value|
+ value = "--" + value
+ end
+ end
+
+ newproperty(:rdest, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; add the destination IP address to the list.
+ Takes no argument.
+ EOS
+ end
+
+ newproperty(:rsource, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; add the source IP address to the list.
+ Takes no argument.
+ EOS
+ end
+
+ newproperty(:rname, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; The name of the list. Takes a string argument.
+ EOS
+ end
+
+ newproperty(:rseconds, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; used in conjunction with one of --rcheck or
+ --update. When used, this will narrow the match to only happen
+ when the address is in the list and was seen within the last
+ given number of seconds.
+ EOS
+ end
+
+ newproperty(:reap, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; can only be used in conjunction with --seconds. When
+ used, this will cause entries older then 'seconds' to be purged.
+ EOS
+ end
+
+ newproperty(:rhitcount, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; used in conjunction with --update or --rcheck. When
+ used, this will narrow the match to only happen when the address
+ is in the list and packets had been received greater than or equal
+ to the given value.
+ EOS
+ end
+
+ newproperty(:rttl, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; may only be used in conjunction with one of --rcheck
+ or --update. When used, this will narrow the match to only happen
+ when the address is in the list and the TTL of the current packet
+ matches that of the packet which hit the --set rule. This may be
+ useful if you have problems with people faking their source
+ address in order to DoS you via this module by disallowing others
+ access to your site by sending bogus packets to you.
+ EOS
+ end
+
newproperty(:socket, :required_features => :socket) do
desc <<-EOS
If true, matches if an open socket can be found by doing a coket lookup
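Review bot: The `munge` block on the `recent` property builds the flag with `"--" + value`, which raises a TypeError if the value ever arrives as a Symbol (the `newvalues` list itself is given as symbols); interpolation, `"--#{value}"`, accepts both String and Symbol and reads cleaner. The descriptions for `rseconds`, `rhitcount`, `rttl` and `reap` state that they are only valid together with `--rcheck`/`--update` or `--seconds`, but nothing in the hunk enforces those dependencies, and `rdest`, `rsource`, `reap` and `rttl` are plain properties although they take no argument, so any value is accepted and an invalid combination only surfaces when iptables rejects the rule at apply time. If the type already has a `validate` block (not visible here), that is where `self.fail` checks for these combinations belong, e.g. failing when `reap` is set without `rseconds`, or when `rseconds`/`rhitcount`/`rttl` are set while `recent` is not `rcheck` or `update`.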