From: Johan Huysmans Date: Mon, 12 Dec 2011 09:34:43 +0000 (+0100) Subject: (#11334) Add support for MARK target and set-mark property. X-Git-Tag: 0.1.0~48^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=4af8fe0fb44c90c86212933faf598c61f99258d0;p=puppet-modules%2Fpuppetlabs-firewall.git (#11334) Add support for MARK target and set-mark property. This commit adds support for the set-mark iptables property and will validate its use against the MARK jump target. This will also support handling decimal or hexadecimal conversion where necessary. --- diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 8bd1f62..6504a14 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -17,6 +17,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir has_feature :reject_type has_feature :log_level has_feature :log_prefix + has_feature :mark commands :iptables => '/sbin/iptables' commands :iptables_save => '/sbin/iptables-save' @@ -47,6 +48,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir :toports => "--to-ports", :tosource => "--to-source", :uid => "-m owner --uid-owner", + :set_mark => "--set-mark", } # This is the order of resources as they appear in iptables-save output, @@ -55,7 +57,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir # This order can be determined by going through iptables source code or just tweaking and trying manually @resource_list = [:table, :source, :destination, :iniface, :outiface, :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, - :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject] + :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark] def insert debug 'Inserting rule %s' % resource[:name] diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index de38898..9c2a1a0 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -27,6 +27,7 @@ Puppet::Type.newtype(:firewall) do feature :reject_type, "The ability to control reject messages" feature :log_level, "The ability to control the log level" feature :log_prefix, "The ability to add prefixes to log messages" + feature :mark, "Set the netfilter mark value associated with the packet" # provider specific features feature :iptables, "The provider provides iptables features." @@ -243,6 +244,7 @@ Puppet::Type.newtype(:firewall) do * LOG * MASQUERADE * REDIRECT + * MARK But any valid chain name is allowed. @@ -424,6 +426,20 @@ Puppet::Type.newtype(:firewall) do EOS end + newproperty(:set_mark, :required_features => :mark) do + desc <<-EOS + Set the Netfilter mark value associated with the packet. + EOS + + munge do |value| + if ! value.to_s.include?("0x") + "0x" + value.to_i.to_s(16) + else + super + end + end + end + newparam(:line) do desc <<-EOS Read-only property for caching the rule line. @@ -488,6 +504,15 @@ Puppet::Type.newtype(:firewall) do end end + if value(:set_mark) + unless value(:jump).to_s =~ /MARK/ && + value(:chain).to_s =~ /PREROUTING/ && + value(:table).to_s =~ /mangle/ + self.fail "Parameter set_mark only applies to " \ + "the PREROUTING chain of the mangle table and when jump => MARK" + end + end + if value(:dport) unless value(:proto).to_s =~ /tcp|udp|sctp/ self.fail "[%s] Parameter dport only applies to sctp, tcp and udp " \ diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb index 98ac27a..4c7dde4 100644 --- a/spec/fixtures/iptables/conversion_hash.rb +++ b/spec/fixtures/iptables/conversion_hash.rb @@ -169,6 +169,15 @@ ARGS_TO_HASH = { :gid => 'root', }, }, + 'mark_set-mark' => { + :line => '-t mangle -A PREROUTING -j MARK --set-mark 1000', + :table => 'mangle', + :params => { + :jump => 'MARK', + :chain => 'PREROUTING', + :set_mark => '1000', + } + }, } # This hash is for testing converting a hash to an argument line. @@ -349,4 +358,14 @@ HASH_TO_ARGS = { }, :args => ['-t', :mangle, '-p', :all, '-m', 'owner', '--gid-owner', 'root', '-m', 'comment', '--comment', '057 POSTROUTING gid root only', '-j', 'ACCEPT'], }, + 'mark_set-mark' => { + :params => { + :name => '058 set-mark 1000', + :table => 'mangle', + :jump => 'MARK', + :chain => 'PREROUTING', + :set_mark => '1000', + }, + :args => ['-t', :mangle, '-p', :tcp, '-m', 'comment', '--comment', '058 set-mark 1000', '-j', 'MARK', '--set-mark', '0x3e8'], + }, } diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb index 5c2d8d4..2ccef9d 100755 --- a/spec/unit/puppet/type/firewall_spec.rb +++ b/spec/unit/puppet/type/firewall_spec.rb @@ -92,7 +92,7 @@ describe firewall do res.parameters[:jump].should == nil end - ['QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT'].each do |jump| + ['QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK'].each do |jump| it "should accept jump value #{jump}" do @resource[:jump] = jump @resource[:jump].should == jump @@ -294,4 +294,15 @@ describe firewall do @resource[:gid].should == ['root', 'bobby'] end end + + describe ':set_mark' do + it 'should allow me to set set-mark' do + @resource[:set_mark] = '0x3e8' + @resource[:set_mark].should == '0x3e8' + end + it 'should convert int to hex' do + @resource[:set_mark] = '1000' + @resource[:set_mark].should == '0x3e8' + end + end end