has_feature :ipsec_policy
has_feature :mask
has_feature :ipset
+ has_feature :length
optional_commands({
:ip6tables => 'ip6tables',
:ishasmorefrags => "-m frag --fragid 0 --fragmore",
:islastfrag => "-m frag --fragid 0 --fraglast",
:jump => "-j",
+ :length => "-m length --length",
:limit => "-m limit --limit",
:log_level => "--log-level",
:log_prefix => "--log-prefix",
:physdev_out, :physdev_is_bridged, :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
:tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
- :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
+ :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
has_feature :mask
has_feature :ipset
has_feature :clusterip
+ has_feature :length
optional_commands({
:iptables => 'iptables',
:isfragment => "-f",
:jump => "-j",
:goto => "-g",
+ :length => "-m length --length",
:limit => "-m limit --limit",
:log_level => "--log-level",
:log_prefix => "--log-prefix",
:stat_mode, :stat_every, :stat_packet, :stat_probability,
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
- :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
+ :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :goto, :clusterip_new, :clusterip_hashmode,
:clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init,
:clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
feature :mask, "Ability to match recent rules based on the ipv4 mask"
feature :ipset, "Match against specified ipset list"
feature :clusterip, "Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them."
+ feature :length, "Match the length of layer-3 payload"
# provider specific features
feature :iptables, "The provider provides iptables features."
EOS
end
+ newproperty(:length, :required_features => :length) do
+ desc <<-EOS
+ Sets the length of layer-3 payload to match.
+ EOS
+
+ munge do |value|
+ match = value.to_s.match("([0-9]+)(-)?([0-9]+)?")
+ low = match[1].to_int
+ high = match[3].to_int
+
+ if low.nil? or (low and match[2] and high.nil?)
+ raise ArgumentError, "Length value must either be an integer or a range"
+ end
+
+ if (low < 0 or low > 65535)
+ or (high and (high < 0 or high > 65535 or high < low))
+ raise ArgumentError, "Length values must be between 0 and 65535"
+ end
+
+ value = low
+ if high
+ value = value + ":#{high}"
+ end
+ value
+ end
+ end
+
autorequire(:firewallchain) do
reqs = []
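Review bot: The new `munge` block in `newproperty(:length)` will not load as written: `if (low < 0 or low > 65535)` is a complete condition at the newline, so the following line that begins with `or (high and ...)` is a syntax error. Even with that repaired, `String#to_int` does not exist, `match` is `nil` whenever the value contains no digit and `match[3]` is `nil` for a plain integer, so a malformed value raises `NoMethodError` before the intended `ArgumentError` (the `low.nil?` branch can never be taken), and `value = low` followed by `value + ":#{high}"` adds an Integer to a String. The pattern is also unanchored, so `"12-34x"` or `"x12"` is accepted and the stray text is passed on to the rule; anchoring with `\A`/`\z` and raising when there is no match closes that gap. The rewrite below keeps both error messages and the `low:high` output form; the hunk's trailing context (`autorequire(:firewallchain)`) continues past the lines shown.

```ruby
munge do |value|
  # Anchored so that only "<int>" or "<int>-<int>" is accepted; anything else
  # (trailing text, a dangling dash, no digits at all) is rejected here rather
  # than handed to iptables.
  match = value.to_s.match(/\A([0-9]+)(?:-([0-9]+))?\z/)
  raise ArgumentError, "Length value must either be an integer or a range" unless match

  low = match[1].to_i
  high = match[2] && match[2].to_i

  # Digits-only captures cannot be negative, so only the upper bound and
  # range ordering need checking.
  if low > 65535 || (high && (high > 65535 || high < low))
    raise ArgumentError, "Length values must be between 0 and 65535"
  end

  high ? "#{low}:#{high}" : low.to_s
end
```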