This adds the pkttype property so we can match multicast and broadcast packets.
has_feature :log_prefix
has_feature :mark
has_feature :tcp_flags
+ has_feature :pkttype
commands :iptables => '/sbin/ip6tables'
commands :iptables_save => '/sbin/ip6tables-save'
:toports => "--to-ports",
:tosource => "--to-source",
:uid => "-m owner --uid-owner",
+ :pkttype => "-m pkttype --pkt-type"
}
# This is the order of resources as they appear in iptables-save output,
# changes between puppet runs, the changed rules will be re-applied again.
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
+ :proto, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :icmp, :limit, :burst, :jump,
:todest, :tosource, :toports, :log_level, :log_prefix, :reject]
end
has_feature :log_prefix
has_feature :mark
has_feature :tcp_flags
+ has_feature :pkttype
commands :iptables => '/sbin/iptables'
commands :iptables_save => '/sbin/iptables-save'
:tosource => "--to-source",
:uid => "-m owner --uid-owner",
:set_mark => "--set-mark",
+ :pkttype => "-m pkttype --pkt-type"
}
# This is the order of resources as they appear in iptables-save output,
# changes between puppet runs, the changed rules will be re-applied again.
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :tcp_flags, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :proto, :tcp_flags, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :icmp, :limit, :burst,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark]
def insert
feature :log_prefix, "The ability to add prefixes to log messages"
feature :mark, "Set the netfilter mark value associated with the packet"
feature :tcp_flags, "The ability to match on particular TCP flag settings"
+ feature :pkttype, "Match a packet type"
# provider specific features
feature :iptables, "The provider provides iptables features."
end
end
+ newproperty(:pkttype, :required_features => :pkttype) do
+ desc <<-EOS
+ Sets the packet type to match.
+ EOS
+
+ newvalues(:unicast, :broadcast, :multicast)
+ end
+
newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.
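Review bot: The `desc` on the new `pkttype` property names neither the accepted values nor what the providers emit, so a user has to read the provider or the iptables manual to use it. Since `newvalues(:unicast, :broadcast, :multicast)` is the only validation and anything else is rejected as a Puppet::Error (as the spec checks), state that in the heredoc: `Sets the packet type to match. Valid values are unicast, broadcast and multicast; the providers pass this to iptables as "-m pkttype --pkt-type <value>", so the pkttype match extension must be available on the host.` The negated form of the match is not modelled here; if that is deliberate, a one-line note in the desc would save a future request.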
:outiface => 'eth+',
},
},
+ 'pkttype multicast' => {
+ :line => '-A INPUT -m pkttype --pkt-type multicast -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :action => 'accept',
+ :pkttype => 'multicast',
+ },
+ },
}
# This hash is for testing converting a hash to an argument line.
},
:args => ["-t", :filter, "-o", "eth+", "-p", :tcp, "-m", "comment", "--comment", "060 outiface", "-j", "DROP"],
},
+ 'pkttype multicast' => {
+ :params => {
+ :name => '062 pkttype multicast',
+ :table => "filter",
+ :action => 'accept',
+ :chain => 'INPUT',
+ :iniface => 'eth0',
+ :pkttype => 'multicast',
+ },
+ :args => ["-t", :filter, "-i", "eth0", "-p", :tcp, "-m", "pkttype", "--pkt-type", :multicast, "-m", "comment", "--comment", "062 pkttype multicast", "-j", "ACCEPT"],
+ },
}
rel[1].target.ref.should == @resource.ref
end
end
+
+ describe ':pkttype' do
+ [:multicast, :broadcast, :unicast].each do |pkttype|
+ it "should accept pkttype value #{pkttype}" do
+ @resource[:pkttype] = pkttype
+ @resource[:pkttype].should == pkttype
+ end
+ end
+
+ it 'should fail when the pkttype value is not recognized' do
+ lambda { @resource[:pkttype] = 'not valid' }.should raise_error(Puppet::Error)
+ end
+ end
end
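Review bot: The new examples only assign symbols, but the parser fixture for this property (`:pkttype => 'multicast'`) supplies a string, so the string-to-symbol munging that `newvalues` performs for matching strings is relied on without being pinned. Add one example alongside the symbol loop, e.g. `@resource[:pkttype] = 'multicast'` followed by `@resource[:pkttype].should == :multicast`, so a later change to the value list or its munging is caught here rather than in the provider fixture. The `[:multicast, :broadcast, :unicast]` list also duplicates the `newvalues` call in the type; that is acceptable for a spec but worth a short comment saying it must be kept in step.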