From: Ian Anderson
Date: Thu, 14 Jul 2016 18:30:12 +0000 (-0700)
Subject: Implemented paramters for NFQUEUE jump target
X-Git-Tag: 1.8.2~26^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=a97d15149f23197697fef9fff849f143d3c22067;p=puppet-modules%2Fpuppetlabs-firewall.git
Implemented paramters for NFQUEUE jump target
---
diff --git a/README.markdown b/README.markdown
index 46435bc..f824b24 100644
--- a/README.markdown
+++ b/README.markdown
@@ -410,12 +410,12 @@ This type enables you to manage firewall rules within Puppet.
 * `ip6tables`: Ip6tables type provider
 * Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `queue_bypass`, `queue_num`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
 * `iptables`: Iptables type provider
 * Required binaries: `iptables-save`, `iptables`.
 * Default for `kernel` == `linux`.
- * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
+ * Supported features: `address_type`, `clusterip`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `length`, `log_level`, `log_prefix`, `log_uid`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `queue_bypass`, `queue_num`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `string_matching`, `tcp_flags`.
 **Autorequires:**
@@ -659,6 +659,10 @@ firewall { '999 this runs last':
 * `provider`: The specific backend to use for this firewall resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. Available providers are ip6tables and iptables. See the [Providers](#providers) section above for details about these providers.
+* `queue_bypass`: When using a `jump` value of 'NFQUEUE' this boolean will allow packets to bypass `queue_num`. This is useful when the process in userspace may not be listening on `queue_num` all the time.
+
+* `queue_num`: When using a `jump` value of 'NFQUEUE' this parameter specifies the queue number to send packets to.
+
 * `random`: When using a `jump` value of 'MASQUERADE', 'DNAT', 'REDIRECT', or 'SNAT', this boolean will enable randomized port mapping. Valid values are true or false. Requires the `dnat` feature.
 * `rdest`: If boolean 'true', adds the destination IP address to the list. Valid values are true or false. Requires the `recent_limiting` feature and the `recent` parameter.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 32820f8..72d30be 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -32,6 +32,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 has_feature :ipset
 has_feature :length
 has_feature :string_matching
+ has_feature :queue_num
+ has_feature :queue_bypass
 optional_commands({
 :ip6tables => 'ip6tables',
@@ -105,6 +107,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :pkttype => "-m pkttype --pkt-type",
 :port => '-m multiport --ports',
 :proto => "-p",
+ :queue_num => "--queue-num",
+ :queue_bypass => "--queue-bypass",
 :rdest => "--rdest",
 :reap => "--reap",
 :recent => "-m recent",
@@ -168,6 +172,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :physdev_is_bridged,
 :time_contiguous,
 :kernel_timezone,
+ :queue_bypass,
 ]
 # Properties that use "-m " (with the potential to have multiple
@@ -231,7 +236,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f2d44bc..f599faa 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
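Review bot: The `:queue_num, :queue_bypass` entries added to the argument-order array in the last hunk are position-sensitive — iptables only accepts `--queue-num`/`--queue-bypass` after `-j NFQUEUE`, so they must stay to the right of `:jump` — yet the added entries carry no comment, and the same pair lands at a different spot in iptables.rb (after `:clusterip_hash_init` there, after `:mss` here). A trailing comment on the new entries in both providers, `:queue_num, :queue_bypass, # NFQUEUE target options: must come after :jump`, plus the same placement in both files, would keep a future reorder from producing an argument list iptables rejects. The array's opening and the method that returns it are outside the hunk, so I cannot tell whether a list-level comment already states the ordering rule.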
@@ -36,6 +36,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :clusterip
 has_feature :length
 has_feature :string_matching
+ has_feature :queue_num
+ has_feature :queue_bypass
 optional_commands({
 :iptables => 'iptables',
@@ -90,6 +92,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :pkttype => "-m pkttype --pkt-type",
 :port => '-m multiport --ports',
 :proto => "-p",
+ :queue_num => "--queue-num",
+ :queue_bypass => "--queue-bypass",
 :random => "--random",
 :rdest => "--rdest",
 :reap => "--reap",
@@ -161,6 +165,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :time_contiguous,
 :kernel_timezone,
 :clusterip_new,
+ :queue_bypass,
 ]
 # Properties that use "-m " (with the potential to have multiple
@@ -265,7 +270,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
- :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init,
+ :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
 :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index cba8cb9..71e5394 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -61,6 +61,8 @@ Puppet::Type.newtype(:firewall) do
 feature :clusterip, "Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them."
 feature :length, "Match the length of layer-3 payload"
 feature :string_matching, "String matching features"
+ feature :queue_num, "Which NFQUEUE to send packets to"
+ feature :queue_bypass, "If nothing is listening on queue_num, allow packets to bypass the queue"
 # provider specific features
 feature :iptables, "The provider provides iptables features."
@@ -1457,6 +1459,32 @@ Puppet::Type.newtype(:firewall) do
 EOS
 end
+ newproperty(:queue_num, :required_features => :queue_num) do
+ desc <<-EOS
+ Used with NFQUEUE jump target.
+ What queue number to send packets to
+ EOS
+ munge do |value|
+ match = value.to_s.match("^([0-9])*$")
+ if match.nil?
+ raise ArgumentError, "queue_num must be an integer"
+ end
+
+ if match[1].to_i > 65535 || match[1].to_i < 0
+ raise ArgumentError, "queue_num must be between 0 and 65535"
+ end
+ value
+ end
+ end
+
+ newproperty(:queue_bypass, :required_features => :queue_bypass) do
+ desc <<-EOS
+ Used with NFQUEUE jump target
+ Allow packets to bypass :queue_num if userspace process is not listening
+ EOS
+ newvalues(:true, :false)
+ end
+
 autorequire(:firewallchain) do
 reqs = []
@@ -1649,5 +1677,11 @@ Puppet::Type.newtype(:firewall) do
 end
 end
+ if value(:queue_num) || value(:queue_bypass)
+ unless value(:jump).to_s == "NFQUEUE"
+ self.fail "Paramter queue_number and queue_bypass require jump => NFQUEUE"
+ end
+ end
+
 end
 end
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 2acce5f..164f67d 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
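Review bot: The range check in the `queue_num` munge can never fire: in `value.to_s.match("^([0-9])*$")` the capture group sits inside the `*`, so `match[1]` holds only the last digit (nil for an empty string), and values such as `70000` or `""` pass catalog validation and fail only when iptables rejects the rule at apply time; `^`/`$` also anchor per line rather than to the whole string, so a value with a newline after the digits matches as well. Use `match = value.to_s.match(/\A(\d+)\z/)` and keep the range test on `match[1].to_i` (the `< 0` branch is then unreachable and can be dropped). In the validate block of the last hunk, which starts outside the hunk, `value(:queue_bypass)` appears to be the symbol `:false` when the user writes `queue_bypass => false`, which is truthy in Ruby, so an explicit false on a non-NFQUEUE rule is rejected; test `value(:queue_bypass) == :true` instead, and fix the message, which is misspelled and names a property that does not exist: `self.fail "Parameters queue_num and queue_bypass require jump => NFQUEUE"`. The commit adds only provider conversion fixtures, so a type spec exercising the rejected values would pin both fixes.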
@@ -627,6 +627,42 @@ ARGS_TO_HASH = {
 :string_from => '1',
 },
 },
+ 'nfqueue_jump1' => {
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "000 nfqueue specify queue_num" -j NFQUEUE --queue-num 50',
+ :table => 'filter',
+ :params => {
+ :name => "000 nfqueue specify queue_num",
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :jump => "NFQUEUE",
+ :queue_num => "50",
+ :proto => "tcp",
+ },
+ },
+ 'nfqueue_jump2' => {
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "002 nfqueue specify queue_num and queue_bypass" -j NFQUEUE --queue-num 50 --queue-bypass',
+ :table => "filter",
+ :params => {
+ :name => "002 nfqueue specify queue_num and queue_bypass",
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :jump => "NFQUEUE",
+ :queue_num => "50",
+ :queue_bypass => true,
+ :proto => "tcp",
+ },
+ },
+ 'nfqueue_jump3' => {
+ :line => '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -m comment --comment "003 nfqueue dont specify queue_num or queue_bypass" -j NFQUEUE',
+ :table => "filter",
+ :params => {
+ :name => "003 nfqueue dont specify queue_num or queue_bypass",
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :jump => "NFQUEUE",
+ :proto => "tcp",
+ },
+ },
 }
 # This hash is for testing converting a hash to an argument line.
@@ -1206,4 +1242,37 @@ HASH_TO_ARGS = {
 },
 :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "000 string_matching", "-m", "string", "--string", "'GET /index.html'", "--from", "1", "--to", "65535"],
 },
-}
+ 'nfqueue_jump1' => {
+ :params => {
+ :name => '000 nfqueue specify queue_num',
+ :table => 'filter',
+ :jump => 'NFQUEUE',
+ :source => "1.2.3.4/32",
+ :destination => "4.3.2.1/32",
+ :queue_num => "50",
+ },
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "000 nfqueue specify queue_num", "-j", "NFQUEUE", "--queue-num", "50"]
+ },
+ 'nfqueue_jump2' => {
+ :params => {
+ :name => '002 nfqueue specify queue_num and queue_bypass',
+ :table => 'filter',
+ :jump => "NFQUEUE",
+ :source => '1.2.3.4/32',
+ :destination => '4.3.2.1/32',
+ :queue_num => "50",
+ :queue_bypass => true,
+ },
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "002 nfqueue specify queue_num and queue_bypass", "-j", "NFQUEUE", "--queue-num", "50", "--queue-bypass"]
+ },
+ 'nfqueue_jump3' => {
+ :params => {
+ :name => '003 nfqueue dont specify queue_num or queue_bypass',
+ :table => 'filter',
+ :jump => "NFQUEUE",
+ :source => '1.2.3.4/32',
+ :destination => '4.3.2.1/32',
+ },
+ :args => ["-t", :filter, "-s", "1.2.3.4/32", "-d", "4.3.2.1/32", "-p", :tcp, "-m", "comment", "--comment", "003 nfqueue dont specify queue_num or queue_bypass", "-j", "NFQUEUE"]
+ }
+}
\ No newline at end of file
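Review bot: The replaced closing `}` of HASH_TO_ARGS is written without a trailing newline (`\ No newline at end of file`) where the removed line had one; end the file with a newline so the next entry appended to this hash does not churn the closing brace again. The three new cases also leave `--queue-bypass` on its own unexercised: nfqueue_jump1 sets only `--queue-num`, nfqueue_jump2 both, nfqueue_jump3 neither, so a rule of the form `-j NFQUEUE --queue-bypass` is never round-tripped in either ARGS_TO_HASH or HASH_TO_ARGS, even though the provider's bool-flag handling appears to accept it. A fourth fixture for that shape would cover the remaining combination.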