}
```
+
You can also change the TCP MSS value for VPN client traffic:
```puppet
}
```
+The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:
+
+```puppet
+firewall { '503 Mirror traffic to IDS':
+ proto => all,
+ jump => 'TEE',
+ gateway => '10.0.0.2',
+ chain => 'PREROUTING',
+ table => 'mangle',
+}
+```
+
The following example creates a new chain and forwards any port 5000 access to it.
```puppet
firewall { '100 forward to MY_CHAIN':
* `ensure`: Ensures that the resource is present. Valid values are 'present', 'absent'. The default is 'present'.
+* `gateway`: Used with TEE target to mirror traffic of a machine to a secondary host on the LAN.
+
* `gid`: GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement. Requires the `owner` feature.
* `hop_limit`: Hop limiting value for matched packets. Values must match '/^\d+$/'. Requires the `hop_limiting` feature.
:dport => ["-m multiport --dports", "--dport"],
:dst_range => '--dst-range',
:dst_type => "--dst-type",
+ :gateway => "--gateway",
:gid => "--gid-owner",
:hop_limit => "-m hl --hl-eq",
:icmp => "-m icmp6 --icmpv6-type",
:tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss,
:set_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
:dport => ["-m multiport --dports", "--dport"],
:dst_range => "--dst-range",
:dst_type => "--dst-type",
+ :gateway => "--gateway",
:gid => "--gid-owner",
:icmp => "-m icmp --icmp-type",
:iniface => "-i",
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :set_mss, :todest,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :set_mss, :todest,
:tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :mss,
:connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
]
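Review bot: The position of `:gateway` on the `+` line is load-bearing and nothing in the hunk says so: `--gateway` is an option of the TEE target rather than a match, and iptables only accepts target options once `-j TEE` has been parsed, so `:gateway` must stay directly after `:jump` in this list (the ip6tables list in this commit relies on the same placement). A one-line comment above the entry would protect it from a later alphabetical reshuffle, e.g. `# :gateway is the TEE target's --gateway option and must be emitted right after :jump`. The array literal this hunk edits begins before the hunk, so the note belongs next to the line rather than at the declaration.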
EOS
end
+ newproperty(:gateway, :required_features => :iptables) do
+ desc <<-EOS
+ The TEE target will clone a packet and redirect this clone to another
+ machine on the local network segment. gateway is the target host's IP.
+ EOS
+ end
+
newproperty(:ipset, :required_features => :ipset) do
desc <<-EOS
Matches against the specified ipset list.
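Review bot: The new `gateway` property accepts any string, so a typo or a hostname is only caught when iptables rejects the rule during the apply, while the desc at the top of the hunk already promises the value is "the target host's IP". Validating at catalog time keeps the failure with the manifest that caused it; `IPAddr` is enough (it accepts both IPv4 and IPv6, matching the two providers), and if `ipaddr` is not already required in this file it needs a `require 'ipaddr'` at the top. As I recall the iptables-extensions man page also calls `0.0.0.0` and `::` invalid for `--gateway`, which a later revision could reject in the same block; I have not included that below. The `newproperty(:ipset)` block that follows continues past the hunk.
```ruby
newproperty(:gateway, :required_features => :iptables) do
  desc <<-EOS
    The TEE target will clone a packet and redirect this clone to another
    machine on the local network segment. gateway is the target host's IP.
  EOS

  # Reject non-IP values at catalog time instead of when iptables runs.
  validate do |value|
    begin
      IPAddr.new(value)
    rescue ArgumentError
      raise ArgumentError, "gateway must be an IP address, got #{value.inspect}"
    end
  end
end
```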
end
end
+ if value(:jump).to_s == "TEE"
+ unless value(:gateway)
+ self.fail "When using jump => TEE, the gateway property is required"
+ end
+ end
+
if value(:jump).to_s == "DNAT"
unless value(:table).to_s =~ /nat/
self.fail "Parameter jump => DNAT only applies to table => nat"
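Review bot: The added TEE check is one-directional: a rule with `gateway` set and a `jump` other than TEE passes validation, and presumably only fails later when the provider hands iptables a `--gateway` option after a target that does not take one. The DNAT check immediately below rejects a mismatched `table` at catalog time, and the same treatment fits here: `if value(:gateway) && value(:jump).to_s != "TEE"`, then `self.fail "Parameter gateway only applies to jump => TEE"`, then `end`, placed right after the new block. The enclosing validate block starts before this hunk.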
--- /dev/null
+require 'spec_helper_acceptance'
+
+describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+
+ before(:all) do
+ shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
+ shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
+ end
+
+ if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /ubuntu-1204/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/
+ describe 'tee_gateway' do
+ context '10.0.0.2' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '810 - tee_gateway':
+ chain => 'PREROUTING',
+ table => 'mangle',
+ jump => 'TEE',
+ gateway => '10.0.0.2',
+ proto => all,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A PREROUTING -m comment --comment "810 - tee_gateway" -j TEE --gateway 10.0.0.2/)
+ end
+ end
+ end
+ end
+
+ describe 'tee_gateway6' do
+ context '2001:db8::1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '811 - tee_gateway6':
+ chain => 'PREROUTING',
+ table => 'mangle',
+ jump => 'TEE',
+ gateway => '2001:db8::1',
+ proto => all,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1/)
+ end
+ end
+ end
+ end
+ end
+
+end
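Review bot: Each example applies the manifest once with `:catch_failures => true` and then greps `iptables-save`, so it never proves the provider can read `--gateway` back from the installed rule; if the parser missed it, every run would re-add the rule and these tests would still pass. A second `apply_manifest(pp, :catch_changes => true)` after the first apply in both `it 'applies'` blocks turns the idempotency of the new property into an assertion. While there, the dots in the two `expect(...).to match(...)` patterns are unescaped regex metacharacters; `10\.0\.0\.2` and `2001:db8::1` pin the literal addresses (the latter has none, so only the IPv4 pattern changes).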