From 2f1cc74df80045cfee9b635a6fa4fedd340a9ce3 Mon Sep 17 00:00:00 2001
From: Jesper Brix Rosenkilde
Date: Tue, 24 Mar 2020 16:52:20 +0100
Subject: [PATCH] Add --notrack flag
---
 lib/puppet/provider/firewall/ip6tables.rb | 4 +++-
 lib/puppet/provider/firewall/iptables.rb | 6 ++++++
 lib/puppet/type/firewall.rb | 14 ++++++++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 23b0e9b..bcf35fa 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -203,6 +203,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 bytecode: '-m bpf --bytecode',
 zone: '--zone',
 helper: '--helper',
+ notrack: '--notrack',
 }
 
 # These are known booleans that do not take a value, but we want to munge
@@ -229,6 +230,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :time_contiguous,
 :kernel_timezone,
 :queue_bypass,
+ :notrack,
 ]
 
 # Properties that use "-m " (with the potential to have multiple
@@ -306,5 +308,5 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name, :notrack]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 6068aad..580d565 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -204,6 +204,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 zone: '--zone',
 helper: '--helper',
 cgroup: '-m cgroup --cgroup',
+ notrack: '--notrack',
 }
 
 # These are known booleans that do not take a value, but we want to munge
@@ -231,6 +232,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :clusterip_new,
 :queue_bypass,
 :ipvs,
+ :notrack,
 ]
 
 # Properties that use "-m " (with the potential to have multiple
@@ -346,8 +348,12 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
+<<<<<<< HEAD
 :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name
+=======
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name, :notrack,
+>>>>>>> 6124426... Add --notrack flag
 ]
 
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index c1accc3..db36080 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -2243,6 +2243,14 @@ Puppet::Type.newtype(:firewall) do
 PUPPETCODE
 end
 
+ newproperty(:notrack, required_features: :ct_target) do
+ # use this parameter with latest version of iptables
+ desc <<-PUPPETCODE
+ Invoke the disable connection tracking for this packet.
+ PUPPETCODE
+ newvalues(:true, :false)
+ end
+
 autorequire(:firewallchain) do
 reqs = []
 protocol = nil
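Review bot: The third iptables.rb hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 6124426... Add --notrack flag`) into the ordered property list, which leaves lib/puppet/provider/firewall/iptables.rb syntactically invalid so the provider will not even load. The two sides also disagree on content: the HEAD side keeps `:cgroup`, which this same file still maps in its first hunk as `cgroup: '-m cgroup --cgroup'`, while the notrack side drops it. The resolved line should keep both, ` :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup, :rpfilter, :name, :notrack`, mirroring the ip6tables.rb hunk that appends `:notrack` after `:name`. The array this line belongs to starts and ends outside the hunk, so its name is not visible here.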
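Review bot: The new `notrack` property in firewall.rb is documented too vaguely to act on: `# use this parameter with latest version of iptables` names no version, and the desc `Invoke the disable connection tracking for this packet.` does not read as a sentence. A desc along the lines of `Disable connection tracking for packets matched by this rule. Only valid with jump => CT, which is itself only permitted on table => raw.` would state the two constraints the type actually enforces (the jump => CT check is added in the second firewall.rb hunk; the table => raw check on jump => CT already exists there). The version comment could instead say why the `ct_target` feature gate is required, or be dropped if `required_features: :ct_target` already expresses it.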
@@ -2467,6 +2475,12 @@ Puppet::Type.newtype(:firewall) do
 end
 end
 
+ if value(:notrack)
+ unless value(:jump).to_s == 'CT'
+ raise 'Parameter notrack requires jump => CT'
+ end
+ end
+
 if value(:jump).to_s == 'CT'
 unless value(:table).to_s =~ %r{raw}
 raise 'Parameter jump => CT only applies to table => raw'
-- 
2.45.2
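Review bot: `if value(:notrack)` tests Ruby truthiness, but with `newvalues(:true, :false)` an explicit `notrack => false` presumably reaches this check as the symbol `:false`, which is truthy — so a rule with `notrack => false` and any jump other than CT would raise 'Parameter notrack requires jump => CT'. The neighbouring check on the next lines compares through `.to_s`, so the same style avoids the trap and collapses the nested if/unless: `raise 'Parameter notrack requires jump => CT' if value(:notrack).to_s == 'true' && value(:jump).to_s != 'CT'`. The enclosing validation block (its name is not visible here) starts and ends outside the hunk.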