From: James Taylor
Date: Fri, 31 Jan 2020 00:52:54 +0000 (+1100)
Subject: (MODULES-7800) add --helper option support for jump target CT
X-Git-Tag: v2.3.0~10^2~1
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=053c6d66ec98c0e52ed9b3cf56ce58192f7c6001;p=puppet-modules%2Fpuppetlabs-firewall.git
(MODULES-7800) add --helper option support for jump target CT
---
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 103773f..9d3c3c0 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -179,6 +179,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
 bytecode: '-m bpf --bytecode',
 zone: '--zone',
+ helper: '--helper',
 }
 # These are known booleans that do not take a value, but we want to munge
@@ -277,5 +278,5 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :name]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 8c9f2d3..ae22900 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
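Review bot: The new `helper: '--helper'` entry in the resource map reuses a flag name that iptables also accepts for the `helper` match extension (`-m helper --helper <name>`), so if the provider's save-output parser recognises options by the bare flag, a rule that uses that match rather than the CT target could be read back into this property. Worth a parser spec case with a `-m helper --helper ftp` rule next to a `-j CT --helper ftp` one to confirm the two are kept apart. The same mapping is added to iptables.rb in the next file and shares this point. The surrounding hash literal and the resource list array both start and end outside these hunks.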
@@ -185,6 +185,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 bytecode: '-m bpf --bytecode',
 ipvs: '-m ipvs --ipvs',
 zone: '--zone',
+ helper: '--helper',
 }
 # These are known booleans that do not take a value, but we want to munge
@@ -323,7 +324,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :name
 ]
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 32483de..815ed92 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -2157,6 +2157,12 @@ Puppet::Type.newtype(:firewall) do
 PUPPETCODE
 end
+ newproperty(:helper, required_features: :ct_target) do
+ desc <<-PUPPETCODE
+ Invoke the nf_conntrack_xxx helper module for this packet.
+ PUPPETCODE
+ end
+
 autorequire(:firewallchain) do
 reqs = []
 protocol = nil
@@ -2374,6 +2380,12 @@ Puppet::Type.newtype(:firewall) do
 end
 end
+ if value(:helper)
+ unless value(:jump).to_s == 'CT'
+ raise 'Parameter helper requires jump => CT'
+ end
+ end
+
 if value(:jump).to_s == 'CT'
 unless value(:table).to_s =~ %r{raw}
 raise 'Parameter jump => CT only applies to table => raw'
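Review bot: The new `helper` property in firewall.rb accepts any value, and the provider map added in the same commit turns it into `--helper <value>` on the command line; a `newvalues(%r{\A[\w-]+\z})` (or a `validate` block) restricting it to a single conntrack helper name with no whitespace would surface typos and malformed values at catalog compile time instead of as an iptables error at apply time. The `desc` should also state the constraints enforced further down the file, e.g. `Invoke the nf_conntrack_xxx helper module for this packet. Requires jump => CT, which in turn requires table => raw.` The enclosing `newtype` block starts and ends outside the hunk.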
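Review bot: The nested `if value(:helper)` / `unless value(:jump).to_s == 'CT'` in the new validation reads more directly as a single guard, `raise 'Parameter helper requires jump => CT' if value(:helper) && value(:jump).to_s != 'CT'`; this is a style point only, and the neighbouring `jump => CT` / `table => raw` check uses the same nested shape, so keeping the nesting for consistency is also defensible. Because the helper check runs before the table check, a rule with `helper`, `jump => CT` and the wrong table gets the table error, which is the right order. The enclosing block (presumably the type's validate block) starts and ends outside the hunk.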