* Use a cron job.
* Click [Run Puppet](https://docs.puppet.com/pe/2016.1/console_classes_groups_running_puppet.html#run-puppet-on-an-individual-node) in the console.
+### condition parameter
+
+The `condition` parameter requires `xtables-addons` to be installed locally.
+For ubuntu distributions `xtables-addons-common` package can be installed by running command: `apt-get install xtables-addons-common` or
+running a manifest:
+
+```puppet
+package { 'xtables-addons-common':
+ ensure => 'latest',
+}
+```
+
+For other distributions(RedHat, Debian, Centos etc) is required a manual installation of `xtables-addons` package.
+
#### Reporting Issues
Please report any bugs in the Puppetlabs JIRA issue tracker:
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name, :notrack, :condition]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :condition, :name, :notrack]
end
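Review bot: The reorder at L23 (and again at L29) moves `:condition` ahead of `:name` and `:notrack` without a comment saying why the position matters, so the next contributor is likely to append a new key at the end of the list again. If, as the acceptance expectation added in this commit suggests (`-m condition ! --condition "isblue" -m comment --comment ...`), the list mirrors the order in which iptables-save prints match modules, record that next to the entry: `# :condition must precede :name — iptables-save emits -m condition before -m comment`. Both lists belong to definitions that start outside their hunks.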
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name, :notrack, :condition
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :condition, :name, :notrack
]
def insert
values = values.gsub(%r{(!\s+)?--tcp-flags (\S*) (\S*)}, '--tcp-flags "\1\2 \3"')
# --hex-string output is in quotes, need to move ! inside quotes
values = values.gsub(%r{(!\s+)?--hex-string "(\S*?)"}, '--hex-string "\1\2"')
+ # --condition output is in quotes, need to move ! inside quotes
+ values = values.gsub(%r{(!\s+)?--condition "(\S*?)"}, '--condition "\1\2"')
# --match-set can have multiple values with weird iptables format
if values =~ %r{-m set (!\s+)?--match-set}
values = values.gsub(%r{(!\s+)?--match-set (\S*) (\S*)}, '--match-set \1\2 \3')
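Review bot: The new `--condition` rewrite at L36 only matches when the quoted name contains no whitespace and no embedded `"` (`\S*?` up to the closing quote), so a name outside that shape leaves the `!` outside the quotes and the parsed value no longer round-trips to what the manifest declared. Nothing in this hunk shows the value being checked before it reaches the command line; if `newproperty(:condition)` (outside this hunk) has no `validate`, consider rejecting values that, after an optional leading `! `, contain whitespace or `"`, so the parser and the type agree on the accepted set. The comment at L35 could also say that the quoted form is what iptables-save prints for a negated match, since that is the reason the `!` is moved inside. The enclosing method starts and ends outside the hunk.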
PUPPETCODE
newvalues(:true, :false)
end
-
+
newproperty(:condition, required_features: :condition) do
desc <<-PUPPETCODE
Match on boolean value (0/1) stored in /proc/net/nf_condition/name.
expect(result.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
end
end
+
+ describe 'condition', ubuntu_vmpooler: false do
+ context 'is set' do
+ pp = <<-PUPPETCODE
+ if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '14.04') > 0 {
+ firewall { '010 isblue ipv4':
+ ensure => 'present',
+ condition => '! isblue',
+ chain => 'INPUT',
+ iniface => 'enp0s8',
+ proto => 'icmp',
+ action => 'drop',
+ }
+ }
+ PUPPETCODE
+ it 'applies' do
+ apply_manifest(pp)
+ end
+ if fetch_os_name == 'ubuntu' && os[:release].to_i > 14
+ it 'contains the rule' do
+ run_shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -i enp0s8 -p icmp -m condition ! --condition "isblue" -m comment --comment "010 isblue ipv4" -j DROP})
+ end
+ end
+ end
+ end
+ end
end
end
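Review bot: The two platform guards in the new `describe 'condition'` block disagree: the manifest at L55 installs the rule for any Ubuntu with `versioncmp(... , '14.04') > 0` (true for 14.10), while the Ruby check at L69 only verifies it when `os[:release].to_i > 14`, and on every other platform the `it 'applies'` example at L66 applies an empty manifest and passes vacuously. A single guard on the group makes the gap visible instead of green, e.g. `context 'is set', if: fetch_os_name == 'ubuntu' && os[:release].to_i > 14 do`, with the Puppet-side `if` dropped from the manifest. The interface name `enp0s8` at L60 is also tied to one VM layout, which is presumably why the group is tagged `ubuntu_vmpooler: false`; a comment stating that would help.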
RSpec.configure do |c|
+ # This flag is disabling some tests on docker/vagrant containers
+ # To enable tests on abs/vmpooler machines just set to `true` this flag
+ c.filter_run_excluding ubuntu_vmpooler: false
c.before :suite do
if os[:family] == 'debian' && os[:release].to_i == 10
pp = <<-PUPPETCODE
package { 'net-tools':
ensure => 'latest',
}
- package { 'iptables':
- ensure => 'latest',
- }
PUPPETCODE
LitmusHelper.instance.apply_manifest(pp)
LitmusHelper.instance.run_shell('update-alternatives --set iptables /usr/sbin/iptables-legacy', expect_failures: true)
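Review bot: `c.filter_run_excluding ubuntu_vmpooler: false` at L83 unconditionally drops every example carrying that tag, including the new condition test in this commit, so that coverage never runs unless someone edits this file. Gating the exclusion on the environment keeps the default behaviour on containers while letting the pooled-VM job opt in, e.g. `c.filter_run_excluding ubuntu_vmpooler: false unless ENV['RUN_VMPOOLER_TESTS']` (variable name illustrative), and the comment at L81-82 should then say which variable to set rather than "set to `true` this flag". Separately, the `iptables` package removed from the Debian 10 branch at L90-92 reappears in a later block at L102-104; if that block is not executed for Debian 10, the `update-alternatives --set iptables ...` call at L95 may run before the package is installed, which is worth confirming.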
package { 'conntrack-tools':
ensure => 'latest',
}
+ package { 'xtables-addons-common':
+ ensure => 'latest',
+ }
+ package { 'iptables':
+ ensure => 'latest',
+ }
PUPPETCODE
LitmusHelper.instance.apply_manifest(pp)
end