}
```
+You can also change the TCP MSS value for VPN client traffic:
+
+```puppet
+firewall { '110 TCPMSS for VPN clients':
+ chain => 'FORWARD',
+ table => 'mangle',
+ source => '10.0.2.0/24',
+ proto => tcp,
+ tcp_flags => 'SYN,RST SYN',
+ mss => '1361:1541',
+ set_mss => '1360',
+ jump => 'TCPMSS',
+}
+```
+
The following example creates a new chain and forwards any port 5000 access to it.
```puppet
firewall { '100 forward to MY_CHAIN':
* `ip6tables`: Ip6tables type provider
* Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
**Autorequires:**
* `reject_type`: The ability to control reject messages.
+* `set_mss`: Set the TCP MSS of a packet.
+
* `snat`: Source NATing.
* `socket`: The ability to match open sockets.
* `islastfrag`: If true, matches when the packet is the last fragment of a fragmented ipv6 packet. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `islastfrag`.
-* `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK'.
+* `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK', 'TCPMSS'.
For the values 'ACCEPT', 'DROP', and 'REJECT', you must use the generic `action` parameter. This is to enforce the use of generic parameters where possible for maximum cross-platform modeling.
* `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February.
+* `mss`: Sets a given TCP MSS value or range to match.
+
* `name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example:
```puppet
* `set_mark`: Set the Netfilter mark value associated with the packet. Accepts either 'mark/mask' or 'mark'. These will be converted to hex if they are not already. Requires the `mark` feature.
+* `set_mss`: When combined with `jump => 'TCPMSS'` specifies the value of the MSS field.
+
* `socket`: If 'true', matches if an open socket can be found by doing a socket lookup on the packet. Valid values are 'true', 'false'. Requires the `socket` feature.
* `source`: The source address. For example: `source => '192.168.2.0/24'`. You can also negate a mask by putting ! in front. For example: `source => '! 192.168.2.0/24'`. The source can also be an IPv6 address if your provider supports it.
has_feature :log_level
has_feature :log_prefix
has_feature :mark
+ has_feature :mss
has_feature :tcp_flags
has_feature :pkttype
has_feature :ishasmorefrags
:mask => "--mask",
:name => "-m comment --comment",
:mac_source => ["-m mac --mac-source", "--mac-source"],
+ :mss => "-m tcpmss --mss",
:outiface => "-o",
:pkttype => "-m pkttype --pkt-type",
:port => '-m multiport --ports',
:rsource => "--rsource",
:rttl => "--rttl",
:set_mark => mark_flag,
+ :set_mss => '--set-mss',
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss,
:set_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
end
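Review bot: The new `:mss` entry on the line `:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss,` puts a match-module option (`-m tcpmss --mss`) after the `:jump` target and its `--set-mss` option, while the iptables.rb resource list in this commit places `:set_mss` directly after `:jump` and `:mss` after `:set_mark`, so the two providers build the same rule with different argument orders. iptables appears to accept either order (the acceptance test expects the normalised `-m tcpmss --mss ... -j TCPMSS --set-mss ...` form from iptables-save), so this is a consistency point rather than a functional one, but the other `-m` match keys (`:mask`, `:rsource`, `:ipset`) all sit before `:jump` and `:mss` belongs in that group in both providers, e.g. `:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :mss, :jump, :todest,`, keeping `:set_mss` next to `:jump` as iptables.rb does. The array these lines belong to starts outside the hunk.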
has_feature :log_level
has_feature :log_prefix
has_feature :mark
+ has_feature :mss
has_feature :tcp_flags
has_feature :pkttype
has_feature :isfragment
:log_prefix => "--log-prefix",
:mac_source => ["-m mac --mac-source", "--mac-source"],
:mask => '--mask',
+ :mss => '-m tcpmss --mss',
:name => "-m comment --comment",
:outiface => "-o",
:pkttype => "-m pkttype --pkt-type",
:rsource => "--rsource",
:rttl => "--rttl",
:set_mark => mark_flag,
+ :set_mss => '--set-mss',
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :set_mss, :todest,
+ :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :mss,
:connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
]
feature :log_level, "The ability to control the log level"
feature :log_prefix, "The ability to add prefixes to log messages"
feature :mark, "Match or Set the netfilter mark value associated with the packet"
+ feature :mss, "Match a given TCP MSS value or range."
feature :tcp_flags, "The ability to match on particular TCP flag settings"
feature :pkttype, "Match a packet type"
feature :socket, "Match open sockets"
end.flatten)
defaultto "tcp"
end
+
+ # tcp-specific
+ newproperty(:mss) do
+ desc <<-EOS
+ Match a given TCP MSS value or range.
+ EOS
+ end
# tcp-specific
newproperty(:tcp_flags, :required_features => :tcp_flags) do
end
end
+ newproperty(:set_mss, :required_features => :iptables) do
+ desc <<-EOS
+ Sets the TCP MSS value for packets.
+ EOS
+ end
+
newproperty(:pkttype, :required_features => :pkttype) do
desc <<-EOS
Sets the packet type to match.
end
end
+ if value(:jump).to_s == "TCPMSS"
+ unless value(:set_mss)
+ self.fail "Parameter jump => TCPMSS set_mss is required"
+ end
+ end
+
if value(:jump).to_s == "DNAT"
unless value(:table).to_s =~ /nat/
self.fail "Parameter jump => DNAT only applies to table => nat"
end
end
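Review bot: `newproperty(:mss)` declares no `:required_features`, although the commit adds `feature :mss` and both providers gain `has_feature :mss`, and the neighbouring match-module properties (`newproperty(:tcp_flags, :required_features => :tcp_flags)`, `newproperty(:pkttype, :required_features => :pkttype)`) tie themselves to their feature so a provider lacking it is rejected at catalog time instead of being handed an unknown option. The definition should read `newproperty(:mss, :required_features => :mss) do`. The new validation only checks that `set_mss` is present when `jump => 'TCPMSS'`; a `set_mss` given with another jump, or a TCPMSS rule without the `proto => 'tcp'` the tcpmss match and target need, is still accepted and only surfaces as an iptables error at apply time, so a check mirroring the DNAT/nat one below it, e.g. `self.fail "Parameter set_mss only applies to jump => TCPMSS" if value(:set_mss) && value(:jump).to_s != "TCPMSS"`, would report the manifest error earlier. The `validate` block these checks live in starts and ends outside the hunk.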
+ describe 'set_mss' do
+ context '1360' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '502 - set_mss':
+ proto => 'tcp',
+ jump => 'TCPMSS',
+ set_mss => '1360',
+ mss => '1361:1541',
+ chain => 'FORWARD',
+ table => 'mangle',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
+ end
+ end
+ end
+ end
+
+ describe 'set_mss6' do
+ context '1360' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '502 - set_mss':
+ proto => 'tcp',
+ jump => 'TCPMSS',
+ set_mss => '1360',
+ mss => '1361:1541',
+ chain => 'FORWARD',
+ table => 'mangle',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
+ end
+ end
+ end
+ end
+
# RHEL5 does not support --random
if default['platform'] !~ /el-5/
describe 'random' do