* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
**Autorequires:**
* `tcp_flags`: The ability to match on particular TCP flag settings.
+* `netmap`: The ability to map entire subnets via source or destination nat rules.
+
#### Parameters
* `action`: This is the action to perform on a match. Valid values for this action are:
* `tosource`: When using `jump => 'SNAT'`, you can specify the new source address using this parameter. Requires the `snat` feature.
+* `to`: When using `jump => 'NETMAP'`, you can specify a source or destination subnet to nat to. Requires the `netmap` feature`.
+
* `uid`: UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. Requires the `owner` feature.
###Type: firewallchain
has_feature :recent_limiting
has_feature :snat
has_feature :dnat
+ has_feature :netmap
has_feature :interface_match
has_feature :icmp_match
has_feature :owner
:todest => "--to-destination",
:toports => "--to-ports",
:tosource => "--to-source",
+ :to => "--to",
:uid => "-m owner --uid-owner",
}
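Review bot: The new `:to => "--to"` entry is a strict prefix of the neighbouring `--to-source`, `--to-destination` and `--to-ports` values, so if the iptables-save parser in this provider locates options with an unanchored pattern such as `/\s#{opt}/`, a `-j SNAT --to-source 10.0.0.1` rule could also be credited to `:to` and yield a resource hash that never matches the catalog, making Puppet rewrite that NAT rule on every run. The parser is outside this hunk, so this is inferred from the map values alone; please confirm the match is anchored on the whitespace that follows the option, or that the longer `--to-*` options are consumed before `--to` (the resource list in the next hunk puts `:to` after `:toports`, which matters if the list drives parse order). A comment on the entry would warn the next maintainer: `# "--to" is a prefix of the --to-* options above; keep parsing anchored/ordered so they stay distinct`.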
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
+ :tosource, :toports, :to, :random, :log_prefix, :log_level, :reject, :set_mark,
:connlimit_above, :connlimit_mask, :connmark
]
feature :recent_limiting, "The netfilter recent module"
feature :snat, "Source NATing"
feature :dnat, "Destination NATing"
+ feature :netmap, "NET MAPping"
feature :interface_match, "Interface matching"
feature :icmp_match, "Matching ICMP types"
feature :owner, "Matching owners"
EOS
end
+ newproperty(:to, :required_features => :netmap) do
+ desc <<-EOS
+ For NETMAP this will replace the destination IP
+ EOS
+ end
+
newproperty(:random, :required_features => :dnat) do
desc <<-EOS
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
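Review bot: The desc on the new `to` property says it replaces the destination IP, but the README text in this change and the POSTROUTING acceptance case use it to map the source side as well, and NETMAP's `--to` takes a network (address/prefix), not a single address. Suggested desc: `For NETMAP this is the network (address/prefix) that matched source (POSTROUTING) or destination (PREROUTING) addresses are mapped onto. Requires the netmap feature.` The property also accepts any string with no `validate`/`munge`, unlike what `source`/`destination` presumably go through; if the type already has an IP/CIDR helper for those, applying it here would reject a malformed value at catalog compile time instead of surfacing it as an iptables error on the node. The `random` property that follows continues outside the hunk.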
end
end
+ describe 'to' do
+ context 'Destination netmap 192.168.1.1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '569 - test':
+ proto => tcp,
+ table => 'nat',
+ chain => 'PREROUTING',
+ jump => 'NETMAP',
+ source => '200.200.200.200',
+ to => '192.168.1.1',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t nat') do |r|
+ expect(r.stdout).to match(/-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "611 - test" -j NETMAP --to 192.168.1.1/)
+ end
+ end
+ end
+
+ context 'Source netmap 192.168.1.1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '569 - test':
+ proto => tcp,
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'NETMAP',
+ destination => '200.200.200.200',
+ to => '192.168.1.1',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t nat') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -d 200.200.200.200(\/32)? -p tcp -m comment --comment "611 - test" -j NETMAP --to 192.168.1.1/)
+ end
+ end
+ end
+ end
+
end
end
end
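Review bot: Both `should contain the rule` examples expect `--comment "611 - test"` while the manifests declare the resource as `'569 - test'`, so the regexes can never match the rule these manifests create, and would only pass if an unrelated `611 - test` rule were left behind by another example. Change the two expectations to `--comment "569 - test"`, or use a single name in both places. The dots in `200.200.200.200` and `192.168.1.1` are also unescaped regex wildcards; `200\.200\.200\.200` and `192\.168\.1\.1` pin the exact addresses. If the other contexts in this spec apply the manifest a second time with `:catch_changes => true`, these should do the same, since that is what exercises the iptables-save round-trip for the new `--to` option.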
- [:tosource, :todest].each do |addr|
+ [:tosource, :todest, :to].each do |addr|
describe addr do
it "should accept #{addr} value as a string" do
@resource[addr] = '127.0.0.1'