From 039f788eef2976547098e1058680a52e3e17d6d7 Mon Sep 17 00:00:00 2001 From: Christof Musik Date: Mon, 18 Jul 2022 15:37:32 +0200 Subject: [PATCH] add support for using multiple rpfilter options in rules --- lib/puppet/provider/firewall/iptables.rb | 15 +++++++++++++++ lib/puppet/type/firewall.rb | 6 +++++- .../firewall_attributes_happy_path_spec.rb | 12 ++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 1458e75..5818b04 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -534,6 +534,17 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa (\s--tunnel-src\s\S+)? (\s--next)?}x, '--pol "ipsec\1\2\3\4\5\6\7\8" ') + + # rpfilter also takes multiple parameters; use quote trick again + rpfilter_opts = values.scan(%r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+}) + if rpfilter_opts && rpfilter_opts.length == 1 && rpfilter_opts[0] + rpfilter_opts = rpfilter_opts[0][1..-1].reject { |x| x.nil? } + values = values.sub( + %r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+}, + "-m rpfilter \"#{rpfilter_opts.join(' ')}\"", + ) + end + # on some iptables versions, --connlimit-saddr switch is added after the rule is applied values = values.gsub(%r{--connlimit-saddr}, '') @@ -632,6 +643,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa hash[prop] = hash[prop].split(';') unless hash[prop].nil? end + hash[:rpfilter] = hash[:rpfilter].split(' ') unless hash[:rpfilter].nil? + ## clean up DSCP class to HEX mappings valid_dscp_classes = { '0x0a' => 'af11', 
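Review bot: The rpfilter pattern is written out twice in this hunk, once in the `scan` and again in the `sub`, so the two copies can silently drift apart; bind it once with `rpfilter_re = %r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+}` and use `values.scan(rpfilter_re)` and `values.sub(rpfilter_re, "-m rpfilter \"#{rpfilter_opts.join(' ')}\"")`. The guard can shrink to `if rpfilter_opts.length == 1`, because `scan` never returns nil and a one-element result always has a truthy first element, and `.reject { |x| x.nil? }` is `.compact`. Reading the per-option groups out of `rpfilter_opts[0][1..-1]` works only because Ruby keeps a capture's value from an earlier iteration of the `(...)+` group, which deserves a comment such as `# inner captures keep their value across iterations of the (...)+ group`. The enclosing method starts and ends outside the hunk.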
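Review bot: The new `hash[:rpfilter]` line has no comment saying why this property is split on a space instead of joining the `split(';')` loop just above it; suggest `# rpfilter was re-quoted into one space-separated string during parsing; split it back so each '--' flag is its own element`. Each element keeps its `--` prefix, which is also what the type's munge produces (`'--' + value` in the lib/puppet/type/firewall.rb hunk), so provider and type compare like with like. The enclosing method starts and ends outside the hunk.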
@@ -918,6 +931,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 one, two = resource_value.split(' ')
 args << one
 args << two
+ elsif res == :rpfilter
+ args << resource_value
 elsif resource_value.is_a?(Array)
 args << resource_value.join(',')
 elsif !resource_value.nil?
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index d79066d..0074dc5 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -1705,7 +1705,7 @@ Puppet::Type.newtype(:firewall) do
 newvalues(:true, :false)
 end
 
- newproperty(:rpfilter, required_features: :rpfilter) do
+ newproperty(:rpfilter, required_features: :rpfilter, array_matching: :all) do
 desc <<-PUPPETCODE
 Enable the rpfilter module.
 PUPPETCODE
@@ -1714,6 +1714,10 @@ Puppet::Type.newtype(:firewall) do
 munge do |value|
 _value = '--' + value
 end
+
+ def insync?(is)
+ is.to_set == should.to_set
+ end
 end
 
 newproperty(:socket, required_features: :socket) do
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index dedc9be..a1b7302 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -331,6 +331,12 @@ describe 'firewall attribute testing, happy path' do
 physdev_is_bridged => true,
 }
 firewall { '900 - set rpfilter':
+ table => 'raw',
+ chain => 'PREROUTING',
+ action => 'accept',
+ rpfilter => [ 'invert', 'validmark', 'loose', 'accept-local' ],
+ }
+ firewall { '901 - set rpfilter':
 table => 'raw',
 chain => 'PREROUTING',
 action => 'accept',
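Review bot: `args << resource_value` in the new `elsif res == :rpfilter` branch pushes the rpfilter array as a single nested element rather than appending its flags; `args.concat(resource_value)` states the intent and does not depend on a later flatten. If the argument list is flattened before the command runs, as Puppet's provider command wrapper presumably does, the result is identical, so this is a style point rather than a defect. The enclosing method starts and ends outside the hunk.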
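Review bot: The desc still reads `Enable the rpfilter module.` although the property now carries `array_matching: :all`, so the documented interface no longer matches the code; suggest `Enable the rpfilter module. Accepts one or more of its options as an array, e.g. ['loose', 'validmark', 'accept-local', 'invert']; the order of the entries is not significant.` The order claim rests on the `insync?` override in the next hunk of this file. The `newproperty(:rpfilter ...)` block continues past the end of this hunk.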
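Review bot: `is.to_set` in the new `insync?` raises NoMethodError when the rule already exists but carries no rpfilter options, because `is` is then presumably nil or :absent rather than an array, and Puppet consults insync? whenever `should` is set. `Array#to_set` also exists only once `set` has been required, which on Ruby before 3.2 nothing visible in this file guarantees. Both concerns go away with `is.is_a?(Array) && is.sort == should.sort`, which keeps the order-insensitive comparison. The enclosing `newproperty(:rpfilter ...)` block starts outside the hunk.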
@@ -421,6 +427,12 @@ describe 'firewall attribute testing, happy path' do
 it 'toports is set' do
 expect(result.stdout).to match(%r{-A PREROUTING -p icmp -m comment --comment "574 - toports" -j REDIRECT --to-ports 2222})
 end
+ it 'rpfilter is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -p tcp -m rpfilter --loose --validmark --accept-local --invert -m comment --comment "900 - set rpfilter" -j ACCEPT})
+ end
+ it 'single rpfilter is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -p tcp -m rpfilter --invert -m comment --comment "901 - set rpfilter" -j ACCEPT})
+ end
 it 'limit is set' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
 end
-- 
2.45.2
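Review bot: The `'rpfilter is set'` expectation matches the flags in the order `--loose --validmark --accept-local --invert`, while the manifest in the earlier hunk of this file lists them as `invert, validmark, loose, accept-local`, and nothing in the test says why the two differ. A comment on that `it`, such as `# the flags are listed in the manifest in a different order on purpose: iptables-save emits them in a fixed order, and the type matches order-insensitively`, would spare the next reader from suspecting a flaky ordering. Whether the fixed order comes from iptables-save itself or only from the provider's re-quoting regex in this patch is not visible here; confirm against the target iptables version before stating it. The enclosing `describe` block starts and ends outside the hunk.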