From: Jonathan Davies Date: Sun, 22 Feb 2015 17:57:30 +0000 (+0000) Subject: Added support for setting the MSS of a packet. X-Git-Tag: 1.6.0~10^2~2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=8f1ea5994b3bfd70536ac875a8ba9efd4d33ff50;p=puppet-modules%2Fpuppetlabs-firewall.git Added support for setting the MSS of a packet. --- diff --git a/README.markdown b/README.markdown index b9c4713..0712f00 100644 --- a/README.markdown +++ b/README.markdown @@ -292,6 +292,21 @@ firewall { '100 snat for network foo2': } ``` +You can also change the TCP MSS value for VPN client traffic: + +```puppet +firewall { '110 TCPMSS for VPN clients': + chain => 'FORWARD', + table => 'mangle', + source => '10.0.2.0/24', + proto => tcp, + tcp_flags => 'SYN,RST SYN', + mss => '1361:1541', + set_mss => '1360', + jump => 'TCPMSS', +} +``` + The following example creates a new chain and forwards any port 5000 access to it. ```puppet firewall { '100 forward to MY_CHAIN': 
@@ -373,12 +388,12 @@ This type enables you to manage firewall rules within Puppet. * `ip6tables`: Ip6tables type provider * Required binaries: `ip6tables-save`, `ip6tables`. - * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. + * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. * `iptables`: Iptables type provider * Required binaries: `iptables-save`, `iptables`. * Default for `kernel` == `linux`. - * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. + * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. **Autorequires:** 
@@ -434,6 +449,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `reject_type`: The ability to control reject messages. +* `set_mss`: Set the TCP MSS of a packet. + * `snat`: Source NATing. * `socket`: The ability to match open sockets. @@ -523,7 +540,7 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `islastfrag`: If true, matches when the packet is the last fragment of a fragmented ipv6 packet. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `islastfrag`. -* `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK'. +* `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK', 'TCPMSS'. For the values 'ACCEPT', 'DROP', and 'REJECT', you must use the generic `action` parameter. This is to enforce the use of generic parameters where possible for maximum cross-platform modeling. @@ -543,6 +560,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February. +* `mss`: Sets a given TCP MSS value or range to match. + * `name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example: ```puppet 
@@ -634,6 +653,8 @@ firewall { '101 blacklist strange traffic': * `set_mark`: Set the Netfilter mark value associated with the packet. Accepts either 'mark/mask' or 'mark'. These will be converted to hex if they are not already. Requires the `mark` feature. +* `set_mss`: When combined with `jump => 'TCPMSS'` specifies the value of the MSS field. + * `socket`: If 'true', matches if an open socket can be found by doing a socket lookup on the packet. Valid values are 'true', 'false'. Requires the `socket` feature. * `source`: The source address. For example: `source => '192.168.2.0/24'`. You can also negate a mask by putting ! in front. For example: `source => '! 192.168.2.0/24'`. The source can also be an IPv6 address if your provider supports it. diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb index 63d160a..d0a020e 100644 --- a/lib/puppet/provider/firewall/ip6tables.rb +++ b/lib/puppet/provider/firewall/ip6tables.rb @@ -16,6 +16,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = has_feature :log_level has_feature :log_prefix has_feature :mark + has_feature :mss has_feature :tcp_flags has_feature :pkttype has_feature :ishasmorefrags @@ -91,6 +92,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = :mask => "--mask", :name => "-m comment --comment", :mac_source => ["-m mac --mac-source", "--mac-source"], + :mss => "-m tcpmss --mss", :outiface => "-o", :pkttype => "-m pkttype --pkt-type", :port => '-m multiport --ports', @@ -105,6 +107,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = :rsource => "--rsource", :rttl => "--rttl", :set_mark => mark_flag, + :set_mss => '--set-mss', :socket => "-m socket", :source => "-s", :sport => ["-m multiport --sports", "--sport"], 
@@ -211,7 +214,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest, - :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, + :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss, :set_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone] end diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 374cb1c..5f614c0 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -21,6 +21,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir has_feature :log_level has_feature :log_prefix has_feature :mark + has_feature :mss has_feature :tcp_flags has_feature :pkttype has_feature :isfragment @@ -73,6 +74,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir :log_prefix => "--log-prefix", :mac_source => ["-m mac --mac-source", "--mac-source"], :mask => '--mask', + :mss => '-m tcpmss --mss', :name => "-m comment --comment", :outiface => "-o", :pkttype => "-m pkttype --pkt-type", @@ -89,6 +91,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir :rsource => "--rsource", :rttl => "--rttl", :set_mark => mark_flag, + :set_mss => '--set-mss', :socket => "-m socket", :source => "-s", :sport => ["-m multiport --sports", "--sport"], 
@@ -235,8 +238,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap, - :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest, - :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, + :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :set_mss, :todest, + :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone ] diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index fc563b6..f6c723b 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -43,6 +43,7 @@ Puppet::Type.newtype(:firewall) do feature :log_level, "The ability to control the log level" feature :log_prefix, "The ability to add prefixes to log messages" feature :mark, "Match or Set the netfilter mark value associated with the packet" + feature :mss, "Match a given TCP MSS value or range." feature :tcp_flags, "The ability to match on particular TCP flag settings" feature :pkttype, "Match a packet type" feature :socket, "Match open sockets" @@ -361,6 +362,13 @@ Puppet::Type.newtype(:firewall) do end.flatten) defaultto "tcp" end + + # tcp-specific + newproperty(:mss) do + desc <<-EOS + Match a given TCP MSS value or range. + EOS + end # tcp-specific newproperty(:tcp_flags, :required_features => :tcp_flags) do 
@@ -822,6 +830,12 @@ Puppet::Type.newtype(:firewall) do end end + newproperty(:set_mss, :required_features => :iptables) do + desc <<-EOS + Sets the TCP MSS value for packets. + EOS + end + newproperty(:pkttype, :required_features => :pkttype) do desc <<-EOS Sets the packet type to match. @@ -1289,6 +1303,12 @@ Puppet::Type.newtype(:firewall) do end end + if value(:jump).to_s == "TCPMSS" + unless value(:set_mss) + self.fail "Parameter jump => TCPMSS set_mss is required" + end + end + if value(:jump).to_s == "DNAT" unless value(:table).to_s =~ /nat/ self.fail "Parameter jump => DNAT only applies to table => nat" diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index 8fadcad..181bd7e 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb 
@@ -892,6 +892,61 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami end end + describe 'set_mss' do + context '1360' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { + '502 - set_mss': + proto => 'tcp', + jump => 'TCPMSS', + set_mss => '1360', + mss => '1361:1541', + chain => 'FORWARD', + table => 'mangle', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('iptables-save -t mangle') do |r| + expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/) + end + end + end + end + + describe 'set_mss6' do + context '1360' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { + '502 - set_mss': + proto => 'tcp', + jump => 'TCPMSS', + set_mss => '1360', + mss => '1361:1541', + chain => 'FORWARD', + table => 'mangle', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save -t mangle') do |r| + expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/) + end + end + end + end + # RHEL5 does not support --random if default['platform'] !~ /el-5/ describe 'random' do
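Review bot: in the `spec/acceptance/firewall_spec.rb` hunk, both the `set_mss` and `set_mss6` manifests omit `tcp_flags`, yet the expected `iptables-save` line contains `--tcp-flags SYN,RST SYN`, so the regex will not match the rule the manifest actually creates; either add `tcp_flags => 'SYN,RST SYN',` to both manifests (matching the README example, and the right thing to do since the TCPMSS target only rewrites SYN packets) or drop the flags fragment from the regex. The `set_mss6` context also has no guard for hosts without IPv6, unlike the `random` block that follows it, so consider the same platform conditional.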
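Review bot: in the `lib/puppet/type/firewall.rb` hunk at `@@ -1289,6 +1303,12 @@`, the failure message `"Parameter jump => TCPMSS set_mss is required"` reads as two sentences run together; suggest `"Parameter jump => TCPMSS requires set_mss"`. Since the check sits right above the `jump => DNAT` check that also validates `table`, consider validating here that `table` is `mangle` and `proto` is `tcp`, which is what both the README example and the acceptance tests use; a rule that omits them would pass Puppet validation only to be rejected by iptables at apply time.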
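Review bot: in the `lib/puppet/type/firewall.rb` hunk at `@@ -822,6 +830,12 @@`, `newproperty(:set_mss, :required_features => :iptables)` ties the property to the generic `iptables` feature rather than the `:mss` feature this patch introduces, so a provider that lacks `has_feature :mss` would still accept `set_mss`; suggest `:required_features => :mss`. The value is also unvalidated; a `newvalues(/^\d+$/)` (or an equivalent `validate` block) would reject non-numeric MSS values before they reach the provider.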
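Review bot: in the `lib/puppet/type/firewall.rb` hunk at `@@ -361,6 +362,13 @@`, `newproperty(:mss)` declares no `:required_features`, even though the same file adds `feature :mss` and both providers add `has_feature :mss`; it should be `newproperty(:mss, :required_features => :mss)` so the feature declaration actually gates the property. The value is also unvalidated; a pattern such as `newvalues(/^\d+(:\d+)?$/)` would accept the single-value and `1361:1541` range forms documented in the README and reject anything else. The added `# tcp-specific` comment duplicates the one already preceding `newproperty(:tcp_flags ...)`.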
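Review bot: in the `lib/puppet/provider/firewall/iptables.rb` hunk at `@@ -235,8 +238,8 @@`, `:mss` is appended after `:set_mark`, i.e. after `:jump` and `:set_mss`, but in the `iptables-save` output the acceptance test expects (`-m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360`) the `tcpmss` match precedes the target; since this list defines the order in which saved rules are parsed and regenerated, `:mss` belongs before `:jump` (alongside the other match properties) with `:set_mss` immediately after `:jump`.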
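Review bot: in the `lib/puppet/provider/firewall/ip6tables.rb` hunk at `@@ -211,7 +214,7 @@`, the insertion point differs from the iptables provider: here `:set_mss, :mss` are placed after `:reject`, while the iptables list puts `:set_mss` after `:jump` and `:mss` after `:set_mark`. The two providers should agree, and both should place `:mss` before `:jump` and `:set_mss` right after it, to match the `-m tcpmss --mss ... -j TCPMSS --set-mss ...` order shown in the acceptance test's expected `ip6tables-save` output.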
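Review bot: in the `README.markdown` hunk at `@@ -434,6 +449,8 @@`, `set_mss` is documented as a feature, but the type only declares `feature :mss` and `set_mss` is a property (gated on `:iptables`), so the entry does not correspond to anything a provider can advertise; either describe `mss` here as the feature covering both matching and setting the MSS, or declare a `set_mss` feature in the type and providers.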
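Review bot: in the `README.markdown` hunk at `@@ -292,6 +292,21 @@`, `proto => tcp,` is a bare word while every other value in the block is quoted; use `proto => 'tcp',` as the acceptance test does. A sentence explaining that `tcp_flags => 'SYN,RST SYN'` restricts the rule to SYN packets, which is what the TCPMSS target operates on, would help readers who copy the example, since neither of the property descriptions added later in this file mentions it.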