]> review.fuel-infra Code Review - puppet-modules/puppetlabs-firewall.git/commitdiff
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: c270774)
add cgroup support
authorLes Aker <me@lesaker.org>
Mon, 4 May 2020 19:47:14 +0000 (15:47 -0400)
committerLes Aker <me@lesaker.org>
Mon, 4 May 2020 19:47:14 +0000 (15:47 -0400)
REFERENCE.md patch | blob | history
lib/puppet/provider/firewall/iptables.rb patch | blob | history
lib/puppet/type/firewall.rb patch | blob | history
spec/fixtures/iptables/conversion_hash.rb patch | blob | history

diff --git a/REFERENCE.md b/REFERENCE.md
index d0eb3908ddce04f0ffff1ee1938518eab878293e..b5fd806d0fcb0a272bb7b91b5eb9f6932ec5d8ae 100644 (file)
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1316,6 +1316,10 @@ Assign this packet to zone id and only have lookups done in that zone.
 
 Invoke the nf_conntrack_xxx helper module for this packet.
 
+##### `cgroup`
+
+Matches against the net_cls cgroup ID of the packet.
+
 #### Parameters
 
 The following parameters are available in the `firewall` type.
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index c0afbcb784fa55e5df32a761f6751c93ac0b124e..b4c369cb46adac7cacc91ce26e0816a8595dc0fa 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -196,6 +196,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     ipvs: '-m ipvs --ipvs',
     zone: '--zone',
     helper: '--helper',
+    cgroup: '-m cgroup --cgroup',
   }
 
   # These are known booleans that do not take a value, but we want to munge
@@ -335,7 +336,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name
+    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup,
+    :rpfilter, :name
   ]
 
   def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index a3eef48183bb36a3c58deaa6d15b2bc20bda027c..98eb18517e57997340803d124630405d3134ef14 100644 (file)
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -2196,6 +2196,12 @@ Puppet::Type.newtype(:firewall) do
     PUPPETCODE
   end
 
+  newproperty(:cgroup) do
+    desc <<-PUPPETCODE
+      Matches against the net_cls cgroup ID of the packet.
+    PUPPETCODE
+  end
+
   autorequire(:firewallchain) do
     reqs = []
     protocol = nil
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 5eea78d176c933baf7db9666bba217f4e5f61ece..937d13eeb41def90cc39ccda44f4325140e0685a 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -763,6 +763,13 @@ ARGS_TO_HASH = {
     produce_warning: true,
     params: {},
   },
+  'cgroup_matching_1' => {
+    line: '-A INPUT -m cgroup --cgroup "0x100001"',
+    table: 'filter',
+    params: {
+      cgroup: '0x100001',
+    },
+  },
 }.freeze
 
 # This hash is for testing converting a hash to an argument line.