From: Patrick Hemmer
Date: Sat, 26 Apr 2014 16:13:59 +0000 (-0400)
Subject: add ipset support
X-Git-Tag: 1.3.0~1^2~2^2~2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=52d82874e9c1f33da7c72b42dc4579e8f8ae22f3;p=puppet-modules%2Fpuppetlabs-firewall.git

add ipset support
---
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 09816a3..c8e3080 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -29,6 +29,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
   has_feature :ipsec_dir
   has_feature :ipsec_policy
   has_feature :mask
+  has_feature :ipset
 
   optional_commands({
     :iptables => 'iptables',
@@ -62,6 +63,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     :iniface => "-i",
     :ipsec_dir => "-m policy --dir",
     :ipsec_policy => "--pol",
+    :ipset => "-m set --match-set",
     :isfragment => "-f",
     :jump => "-j",
     :limit => "-m limit --limit",
@@ -153,7 +155,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     :src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
-    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :jump, :todest,
+    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
     :tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark, :connlimit_above, :connlimit_mask, :connmark ]
@@ -222,6 +224,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     # --tcp-flags takes two values; we cheat by adding " around it
     # so it behaves like --comment
     values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"')
+    # ditto for --match-set
+    values = values.sub(/--match-set (\S*) (\S*)/, '--match-set "\1 \2"')
     # we do a similar thing for negated address masks (source and destination).
     values = values.gsub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
     # the actual rule will have the ! mark before the option.
@@ -502,7 +506,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
       # our tcp_flags takes a single string with comma lists separated
       # by space
       # --tcp-flags expects two arguments
-      if res == :tcp_flags
+      if res == :tcp_flags or res == :ipset
         one, two = resource_value.split(' ')
         args << one
         args << two
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 66f0f06..bf21005 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -54,6 +54,7 @@ Puppet::Type.newtype(:firewall) do
   feature :ipsec_policy, "Match IPsec policy"
   feature :ipsec_dir, "Match IPsec policy direction"
   feature :mask, "Ability to match recent rules based on the ipv4 mask"
+  feature :ipset, "Match against specified ipset list"
 
   # provider specific features
   feature :iptables, "The provider provides iptables features."
@@ -879,7 +880,7 @@ Puppet::Type.newtype(:firewall) do
 
   newproperty(:isfirstfrag, :required_features => :isfirstfrag) do
     desc <<-EOS
-      If true, matches if the packet is the first fragment.
+      If true, matches if the packet is the first fragment.
       Sadly cannot be negated. ipv6.
     EOS
 
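Review bot: The new `--match-set` rewrite uses `sub` and carries no `(!\s+)?` group, unlike the `--tcp-flags` line directly above it, so only the first set match in a rule is quoted and a negated match (which iptables-save prints, as far as I recall, as `-m set ! --match-set NAME src`) is left with the `!` outside the quoted pair, where the later negation handling will not see it as belonging to this option. Mirroring the tcp-flags form keeps both cases consistent: `values = values.gsub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set "\1\2 \3"')`. The enclosing method starts and ends outside the hunk.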
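Review bot: `if res == :tcp_flags or res == :ipset` uses the low-precedence `or` keyword for a plain boolean condition; the rest of the file and RuboCop expect `||`, so `if res == :tcp_flags || res == :ipset`. Now that `:ipset` takes this branch, a value consisting of only a set name makes `resource_value.split(' ')` yield one element, so `two` is `nil` and a `nil` is appended to `args`, which is only noticed when the iptables command is built; a short comment such as `# ipset values are "NAME src[,dst]" and are split the same way` would make the shared branch self-explanatory. The enclosing method starts and ends outside the hunk.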
@@ -964,6 +965,15 @@ Puppet::Type.newtype(:firewall) do
     EOS
   end
 
+  newproperty(:ipset, :required_features => :ipset) do
+    desc <<-EOS
+      Matches against the specified ipset list.
+      The value is the name of the blacklist, followed by a space, and then
+      'src' and/or 'dst' separated by a comma.
+      For example: 'blacklist src,dst'
+    EOS
+  end
+
   newparam(:line) do
     desc <<-EOS
       Read-only property for caching the rule line.
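Review bot: The new `ipset` property accepts any string, yet the provider splits the value on a space and passes the two tokens straight to iptables, so a value without the direction part (`'blacklist'`), with extra tokens, or with a set name containing whitespace is not rejected at catalog compile time and only fails when the rule is applied. A `validate` block restricting the value to the documented `NAME src|dst[,src|dst]` shape catches that early and matches what the desc promises. The desc also calls the first token "the name of the blacklist"; "the name of the set" would be accurate, since an ipset is not necessarily a blacklist.
```ruby
  newproperty(:ipset, :required_features => :ipset) do
    # … unchanged: desc heredoc …
    validate do |value|
      unless value =~ /\A\S+ (src|dst)(,(src|dst))*\z/
        raise ArgumentError, "ipset must be 'SETNAME src|dst[,src|dst...]', got #{value.inspect}"
      end
    end
  end
```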