* `ip6tables`: Ip6tables type provider
* Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `queue_bypass`, `queue_num`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
- * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
+ * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `queue_bypass`, `queue_num`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
**Autorequires:**
* `provider`: The specific backend to use for this firewall resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. Available providers are ip6tables and iptables. See the [Providers](#providers) section above for details about these providers.
+* `queue_bypass`: When using a `jump` value of 'NFQUEUE' this boolean will allow packets to bypass `queue_num`. This is useful when the process in userspace may not be listening on `queue_num` all the time.
+
+* `queue_num`: When using a `jump` value of 'NFQUEUE' this parameter specifies the queue number to send packets to.
+
* `random`: When using a `jump` value of 'MASQUERADE', 'DNAT', 'REDIRECT', or 'SNAT', this boolean will enable randomized port mapping. Valid values are true or false. Requires the `dnat` feature.
* `rdest`: If boolean 'true', adds the destination IP address to the list. Valid values are true or false. Requires the `recent_limiting` feature and the `recent` parameter.
has_feature :ipset
has_feature :length
has_feature :string_matching
+ has_feature :queue_num
+ has_feature :queue_bypass
optional_commands({
:ip6tables => 'ip6tables',
:pkttype => "-m pkttype --pkt-type",
:port => '-m multiport --ports',
:proto => "-p",
+ :queue_num => "--queue-num",
+ :queue_bypass => "--queue-bypass",
:rdest => "--rdest",
:reap => "--reap",
:recent => "-m recent",
:physdev_is_bridged,
:time_contiguous,
:kernel_timezone,
+ :queue_bypass,
]
# Properties that use "-m <ipt module name>" (with the potential to have multiple
:ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
:string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
end
has_feature :clusterip
has_feature :length
has_feature :string_matching
+ has_feature :queue_num
+ has_feature :queue_bypass
optional_commands({
:iptables => 'iptables',
:pkttype => "-m pkttype --pkt-type",
:port => '-m multiport --ports',
:proto => "-p",
+ :queue_num => "--queue-num",
+ :queue_bypass => "--queue-bypass",
:random => "--random",
:rdest => "--rdest",
:reap => "--reap",
:time_contiguous,
:kernel_timezone,
:clusterip_new,
+ :queue_bypass,
]
# Properties that use "-m <ipt module name>" (with the potential to have multiple
:state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
:string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
- :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init,
+ :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
:clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
:log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
feature :clusterip, "Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them."
feature :length, "Match the length of layer-3 payload"
feature :string_matching, "String matching features"
+ feature :queue_num, "Which NFQUEUE to send packets to"
+ feature :queue_bypass, "If nothing is listening on queue_num, allow packets to bypass the queue"
# provider specific features
feature :iptables, "The provider provides iptables features."
EOS
end
+ newproperty(:queue_num, :required_features => :queue_num) do
+ desc <<-EOS
+ Used with NFQUEUE jump target.
+ What queue number to send packets to
+ EOS
+ munge do |value|
+ match = value.to_s.match("^([0-9])*$")
+ if match.nil?
+ raise ArgumentError, "queue_num must be an integer"
+ end
+
+ if match[1].to_i > 65535 || match[1].to_i < 0
+ raise ArgumentError, "queue_num must be between 0 and 65535"
+ end
+ value
+ end
+ end
+
+ newproperty(:queue_bypass, :required_features => :queue_bypass) do
+ desc <<-EOS
+ Used with NFQUEUE jump target
+ Allow packets to bypass :queue_num if userspace process is not listening
+ EOS
+ newvalues(:true, :false)
+ end
+
autorequire(:firewallchain) do
reqs = []
end
end
+ if value(:queue_num) || value(:queue_bypass)
+ unless value(:jump).to_s == "NFQUEUE"
+ self.fail "Paramter queue_number and queue_bypass require jump => NFQUEUE"
+ end
+ end
+
end
end
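Review bot: The `munge` regex in the new `queue_num` property, `value.to_s.match("^([0-9])*$")`, has the `*` outside the capture group, so `match[1]` holds only the last digit and the 0–65535 check never sees the full number — `"70000"` is accepted, and an empty string also matches (the group is nil and `nil.to_i` is 0). `^`/`$` are per-line anchors in Ruby, so a value with an embedded newline can pass as well; anchor the whole string and capture the whole digit run with `match = value.to_s.match(/\A(\d+)\z/)`, after which the `< 0` branch of the range check is redundant. The failure message in the last hunk, `"Paramter queue_number and queue_bypass require jump => NFQUEUE"`, misspells "Parameter" and names a property that does not exist; the property is `queue_num`, so `self.fail "Parameter queue_num and queue_bypass require jump => NFQUEUE"`. That check presumably sits inside a `validate` block whose start is outside the hunk.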
:string_from => '1',
},
},
+ 'nfqueue_jump1' => {
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "000 nfqueue specify queue_num" -j NFQUEUE --queue-num 50',
+ :table => 'filter',
+ :params => {
+ :name => "000 nfqueue specify queue_num",
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :jump => "NFQUEUE",
+ :queue_num => "50",
+ :proto => "tcp",
+ },
+ },
+ 'nfqueue_jump2' => {
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "002 nfqueue specify queue_num and queue_bypass" -j NFQUEUE --queue-num 50 --queue-bypass',
+ :table => "filter",
+ :params => {
+ :name => "002 nfqueue specify queue_num and queue_bypass",
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :jump => "NFQUEUE",
+ :queue_num => "50",
+ :queue_bypass => true,
+ :proto => "tcp",
+ },
+ },
+ 'nfqueue_jump3' => {
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "003 nfqueue dont specify queue_num or queue_bypass" -j NFQUEUE',
+ :table => "filter",
+ :params => {
+ :name => "003 nfqueue dont specify queue_num or queue_bypass",
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :jump => "NFQUEUE",
+ :proto => "tcp",
+ },
+ },
}
# This hash is for testing converting a hash to an argument line.
},
:args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "000 string_matching", "-m", "string", "--string", "'GET /index.html'", "--from", "1", "--to", "65535"],
},
-}
+ 'nfqueue_jump1' => {
+ :params => {
+ :name => '000 nfqueue specify queue_num',
+ :table => 'filter',
+ :jump => 'NFQUEUE',
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :queue_num => "50",
+ },
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "000 nfqueue specify queue_num", "-j", "NFQUEUE", "--queue-num", "50"]
+ },
+ 'nfqueue_jump2' => {
+ :params => {
+ :name => '002 nfqueue specify queue_num and queue_bypass',
+ :table => 'filter',
+ :jump => "NFQUEUE",
+ :source => '1.2.3.4/32',
+ :destination => '4.3.2.1/32',
+ :queue_num => "50",
+ :queue_bypass => true,
+ },
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "002 nfqueue specify queue_num and queue_bypass", "-j", "NFQUEUE", "--queue-num", "50", "--queue-bypass"]
+ },
+ 'nfqueue_jump3' => {
+ :params => {
+ :name => '003 nfqueue dont specify queue_num or queue_bypass',
+ :table => 'filter',
+ :jump => "NFQUEUE",
+ :source => '1.2.3.4/32',
+ :destination => '4.3.2.1/32',
+ },
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "003 nfqueue dont specify queue_num or queue_bypass", "-j", "NFQUEUE"]
+ }
+}
\ No newline at end of file
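Review bot: The fixture file now ends without a trailing newline (the `\ No newline at end of file` marker after the closing `}`); adding the newline keeps the next change to this file from touching its last line again. The new `nfqueue_jump*` entries otherwise follow the shape of the existing fixtures.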