Adds support for zone property of CT target.
* ipvs: The ability to match IP Virtual Server packets.
+ * ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
+
#### Properties
The following properties are available in the `firewall` type.
Indicates that the current packet belongs to an IPVS connection.
+##### `zone`
+
+Assign this packet to zone id and only have lookups done in that zone.
+
#### Parameters
The following parameters are available in the `firewall` type.
has_feature :string_matching
has_feature :queue_num
has_feature :queue_bypass
+ has_feature :ct_target
optional_commands(ip6tables: 'ip6tables',
ip6tables_save: 'ip6tables-save')
hashlimit_htable_expire: '--hashlimit-htable-expire',
hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
bytecode: '-m bpf --bytecode',
+ zone: '--zone',
}
# These are known booleans that do not take a value, but we want to munge
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :name]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name]
end
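Review bot: `zone: '--zone'` is added to the flag map without a comment on how the provider disambiguates it when reading back rules, and the same applies to the iptables provider at the corresponding hunk ending at the `]` before `def insert`. If the save-line parser matches flags by prefix or substring (not visible in this hunk), the CT target's `--zone-orig` / `--zone-reply` options emitted by newer iptables would be mis-read as `zone`, and a rule containing them could loop on every run. The resource-list position right before `:name` only yields a valid command if `:jump` sorts earlier in the list, which this hunk does not show; a one-line note such as `# zone must be emitted after :jump so --zone is parsed as a CT target option` would make that ordering dependency explicit. The enclosing `resource_map`/`resource_list` definitions start outside the hunk.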
has_feature :queue_num
has_feature :queue_bypass
has_feature :ipvs
+ has_feature :ct_target
optional_commands(iptables: 'iptables',
iptables_save: 'iptables-save')
hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
bytecode: '-m bpf --bytecode',
ipvs: '-m ipvs --ipvs',
+ zone: '--zone',
}
# These are known booleans that do not take a value, but we want to munge
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name
]
def insert
* bpf: The ability to use Berkeley Paket Filter rules.
* ipvs: The ability to match IP Virtual Server packets.
+
+ * ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
PUPPETCODE
feature :connection_limiting, 'Connection limiting features.'
feature :hashlimit, 'Hashlimit features'
feature :bpf, 'Berkeley Paket Filter feature'
feature :ipvs, 'Packet belongs to an IP Virtual Server connection'
-
+ feature :ct_target, 'The ability to set connection tracking parameters for a packet or its associated connection'
# provider specific features
feature :iptables, 'The provider provides iptables features.'
newvalues(:true, :false)
end
+ newproperty(:zone, required_features: :ct_target) do
+ desc <<-PUPPETCODE
+ Assign this packet to zone id and only have lookups done in that zone.
+ PUPPETCODE
+ end
+
autorequire(:firewallchain) do
reqs = []
protocol = nil
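Review bot: The new `zone` property accepts any value, so a non-numeric or out-of-range id (conntrack zones are 16-bit) is only rejected by iptables at apply time instead of at catalog compile, and the `desc` does not mention the `jump => CT` / `table => raw` constraints that the type's `validate` enforces. I would add a validation inside the property, `validate do |value|` / `raise ArgumentError, "zone must be an integer from 0 to 65535, got #{value.inspect}" unless value.to_s.match?(%r{\A\d+\z}) && value.to_i <= 65_535` / `end`, using `\A`/`\z` rather than `^`/`$` so a multi-line string cannot slip through. The desc could read `Assign this packet to zone id and only have lookups done in that zone. Requires jump => CT and table => raw.` so that the constraint is visible in generated docs.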
raise 'Either hashlimit_upto or hashlimit_above are required'
end
end
+
+ if value(:zone)
+ unless value(:jump).to_s == 'CT'
+ raise 'Parameter zone requires jump => CT'
+ end
+ end
+
+ if value(:jump).to_s == 'CT'
+ unless value(:table).to_s =~ %r{raw}
+ raise 'Parameter jump => CT only applies to table => raw'
+ end
+ end
end
end
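Review bot: The table check `value(:table).to_s =~ %r{raw}` is a substring match, so any table name containing `raw` would pass, and it allocates MatchData for a plain equality test. Since the CT target is only valid in the raw table, `unless value(:table).to_s == 'raw'` states the intent directly; if a regex is kept, anchor it with `\A`/`\z`. The enclosing `validate` block starts outside the hunk.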
chain => 'OUTPUT',
table => 'mangle',
}
+ firewall { '1100 - ct_target tests - zone':
+ proto => 'all',
+ zone => '4000',
+ jump => 'CT',
+ chain => 'PREROUTING',
+ table => 'raw',
+ }
PUPPETCODE
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: do_catch_changes)
it 'jump is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST})
end
+ it 'zone is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "1100 - ct_target tests - zone" -j CT --zone 4000})
+ end
end
end
proto => all,
provider => 'ip6tables',
}
-
+ firewall { '1101 - ct_target tests - zone':
+ proto => 'all',
+ zone => '4000',
+ jump => 'CT',
+ chain => 'PREROUTING',
+ table => 'raw',
+ provider => 'ip6tables',
+ }
PUPPETCODE
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: do_catch_changes)
expect(result.stdout).to match(regex)
end
end
+ it 'zone is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "1101 - ct_target tests - zone" -j CT --zone 4000})
+ end
end
end
end
def ip6tables_flush_all_tables
- ['filter', 'mangle'].each do |t|
+ ['filter', 'mangle', 'raw'].each do |t|
expect(shell("ip6tables -t #{t} -F").stderr).to eq('')
end
end
end
end
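Review bot: Only the ip6tables flush helper gains the `raw` table here, while the new IPv4 acceptance case `1100 - ct_target tests - zone` also writes a rule into `table => 'raw'`. If the iptables counterpart of this helper (not in this diff) still flushes only `filter` and `mangle`, the CT rule survives between examples and can make later `catch_changes` runs order-dependent; presumably it needs the same `'raw'` entry. As a style point the literal could be `%w[filter mangle raw]`.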
+ describe 'ct_target' do
+ it 'allows me to set zone' do
+ resource[:zone] = 4000
+ expect(resource[:zone]).to be 4000
+ end
+ end
+
[:chain, :jump].each do |param|
describe param do
it 'autorequires fwchain when table and provider are undefined' do
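Review bot: `expect(resource[:zone]).to be 4000` asserts object identity, which only holds because small Integers are immediates in MRI; `expect(resource[:zone]).to eq(4000)` checks the value and also survives a future munge to a String. The example also pins only the happy path, so nothing guards against a non-numeric zone being accepted; if the property gains validation, a companion `expect { resource[:zone] = 'abc' }.to raise_error(Puppet::Error)` example would cover it.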