From 3655c6bd33d662a3813c2f66cd0bc5889c68c2c2 Mon Sep 17 00:00:00 2001
From: Simon Humbert
Date: Tue, 3 May 2016 17:18:50 -0400
Subject: [PATCH] adding iptables string matching extension

---
 lib/puppet/provider/firewall/ip6tables.rb |  8 +++++-
 lib/puppet/provider/firewall/iptables.rb  |  8 +++++-
 lib/puppet/type/firewall.rb               | 32 +++++++++++++++++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 056c5ed..32820f8 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -31,6 +31,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
   has_feature :mask
   has_feature :ipset
   has_feature :length
+  has_feature :string_matching
 
   optional_commands({
     :ip6tables => 'ip6tables',
@@ -127,6 +128,10 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
     :stat_packet => '--packet',
     :stat_probability => '--probability',
     :state => "-m state --state",
+    :string => "-m string --string",
+    :string_algo => "--algo",
+    :string_from => "--from",
+    :string_to => "--to",
     :table => "-t",
     :tcp_flags => "-m tcp --tcp-flags",
     :todest => "--to-destination",
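Review bot: The four new resource_map entries (`:string`, `:string_algo`, `:string_from`, `:string_to`) only cover the write direction; nothing in this commit teaches the provider's rule parser about them, and the same applies to the matching iptables.rb hunk (`@@ -113,6 +114,10 @@`). As far as I recall, iptables-save renders this match as `-m string --string "<pattern>" --algo <bm|kmp>` with the pattern double-quoted, so unless the code that reads existing rules already copes with a quoted, possibly space-containing value, a rule using `string` will be seen as absent and re-added on every run instead of being compared idempotently. A provider spec that round-trips a rule whose pattern contains a space would pin this down. The resource_map hash starts and ends outside this hunk.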
@@ -224,7 +229,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, - :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest, + :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, + :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest, :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone] diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 28390f1..c040d54 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -35,6 +35,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir has_feature :ipset has_feature :clusterip has_feature :length + has_feature :string_matching optional_commands({ :iptables => 'iptables', @@ -113,6 +114,10 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir :stat_packet => '--packet', :stat_probability => '--probability', :state => "-m state --state", + :string => "-m string --string", + :string_algo => "--algo", + :string_from => "--from", + :string_to => "--to", :table => "-t", :tcp_flags => "-m tcp --tcp-flags", :todest => "--to-destination", 
@@ -258,7 +263,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap, - :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :goto, :clusterip_new, :clusterip_hashmode, + :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, + :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index fd0ec54..6063f06 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -60,6 +60,7 @@ Puppet::Type.newtype(:firewall) do feature :ipset, "Match against specified ipset list" feature :clusterip, "Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them." feature :length, "Match the length of layer-3 payload" + feature :string_matching, "String matching features" # provider specific features feature :iptables, "The provider provides iptables features." 
@@ -1416,6 +1417,37 @@ Puppet::Type.newtype(:firewall) do
     end
   end
 
+  newproperty(:string, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature. Matches the packet against the pattern
+      given as an argument.
+    EOS
+
+    munge do |value|
+      value = "'" + value + "'"
+    end
+  end
+
+  newproperty(:string_algo, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature, pattern matching strategy.
+    EOS
+
+    newvalues(:bm, :kmp)
+  end
+
+  newproperty(:string_from, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature, offset from which we start looking for any matching.
+    EOS
+  end
+
+  newproperty(:string_to, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature, offset up to which we should scan.
+    EOS
+  end
+
   autorequire(:firewallchain) do
     reqs = []
-- 
2.45.2
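Review bot: The `munge` on `:string` (`value = "'" + value + "'"`) adds literal single quotes rather than quoting anything: if the provider hands its argument list to iptables without a shell, as `optional_commands` wrappers normally do, the quotes become part of the pattern, so a rule meant to act on a given pattern silently acts on the quoted one, and the munged value will never equal what the provider reads back from the existing rule. The assignment to the block's own parameter is also a no-op; drop the munge entirely and pass the value through as given. The match also needs cross-property validation that this hunk lacks: iptables' string match refuses a rule without `--algo`, and `string_algo`, `string_from` and `string_to` are meaningless without `string`, so the checks below belong in the type's existing `validate` block, which is outside this hunk. `string_from` and `string_to` are byte offsets and should be restricted with `newvalues(/\A\d+\z/)`, in the same way `string_algo` is already restricted with `newvalues(:bm, :kmp)`.
```ruby
# inside the type's existing `validate do ... end` block (outside this hunk)
if self[:string].nil? && [:string_algo, :string_from, :string_to].any? { |p| self[p] }
  raise ArgumentError, 'string_algo, string_from and string_to require string to be set'
end
if self[:string] && self[:string_algo].nil?
  raise ArgumentError, 'string requires string_algo (the iptables string match needs --algo)'
end
```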