has_feature :mark
has_feature :tcp_flags
has_feature :pkttype
+ has_feature :isfragment
has_feature :socket
optional_commands({
:toports => "--to-ports",
:tosource => "--to-source",
:uid => "-m owner --uid-owner",
- :pkttype => "-m pkttype --pkt-type"
+ :pkttype => "-m pkttype --pkt-type",
+ :isfragment => "-f",
}
# Create property methods dynamically
# changes between puppet runs, the changed rules will be re-applied again.
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :tcp_flags, :gid, :uid, :sport, :dport, :port, :socket, :pkttype, :name, :state, :icmp, :limit, :burst,
+ :proto, :isfragment, :tcp_flags, :gid, :uid, :sport, :dport, :port, :socket, :pkttype, :name, :state, :icmp, :limit, :burst,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark]
def insert
# These are known booleans that do not take a value, but we want to munge
# to true if they exist.
- known_booleans = [:socket]
+ known_booleans = [:socket, :isfragment]
####################
# PRE-PARSE CLUDGING
# Trick the system for booleans
known_booleans.each do |bool|
- values = values.sub(/#{@resource_map[bool]}/, '-m socket true')
+ if bool == :socket then
+ values = values.sub(/#{@resource_map[bool]}/, '-m socket true')
+ end
+ if bool == :isfragment then
+ # only replace those -f that are not followed by an l to
+ # distinguish between -f and the '-f' inside of --tcp-flags.
+ values = values.sub(/-f(?=[^l])/, '-f true')
+ end
end
############
if res == :socket then
resource_value = nil
end
+ if res == :isfragment then
+ resource_value = nil
+ end
elsif res == :jump and resource[:action] then
# In this case, we are substituting jump for action
resource_value = resource[:action].to_s.upcase
feature :tcp_flags, "The ability to match on particular TCP flag settings"
feature :pkttype, "Match a packet type"
feature :socket, "Match open sockets"
+ feature :isfragment, "Match fragments"
# provider specific features
feature :iptables, "The provider provides iptables features."
newvalues(:unicast, :broadcast, :multicast)
end
+ newproperty(:isfragment, :required_features => :isfragment) do
+ desc <<-EOS
+ Set to true to match tcp fragments (requires type to be set to tcp)
+ EOS
+
+ newvalues(:true, :false)
+ end
+
newproperty(:socket, :required_features => :socket) do
desc <<-EOS
If true, matches if an open socket can be found by doing a coket lookup
:socket => true,
},
},
+ 'isfragment_option' => {
+ :line => '-A INPUT -f -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :action => 'accept',
+ :isfragment => true,
+ },
+ },
'single_tcp_sport' => {
:line => '-A OUTPUT -s 10.94.100.46/32 -p tcp -m tcp --sport 20443 -j ACCEPT',
:table => 'mangle',
},
:args => ['-t', :mangle, '-p', :tcp, '-m', 'socket', '-m', 'comment', '--comment', '050 socket option', '-j', 'ACCEPT'],
},
+ 'isfragment_option' => {
+ :params => {
+ :name => '050 isfragment option',
+ :table => 'filter',
+ :proto => :all,
+ :action => 'accept',
+ :isfragment => true,
+ },
+ :args => ['-t', :filter, '-p', :all, '-f', '-m', 'comment', '--comment', '050 isfragment option', '-j', 'ACCEPT'],
+ },
}
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff