From 3f46798d3e3ef0cf8165771814dcb9cc20a8ad2d Mon Sep 17 00:00:00 2001 From: Alex Conrey Date: Sat, 21 Mar 2020 17:57:44 -0700 Subject: [PATCH] Add iptables --hex-string support to firewall resource --- REFERENCE.md | 5 +++++ lib/puppet/provider/firewall/iptables.rb | 3 ++- lib/puppet/type/firewall.rb | 7 +++++++ spec/fixtures/iptables/conversion_hash.rb | 8 ++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/REFERENCE.md b/REFERENCE.md index b510e3b..ea9a8aa 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1026,6 +1026,11 @@ Sets the length of layer-3 payload to match. String matching feature. Matches the packet against the pattern given as an argument. +##### `string_hex` + +String matching feature. Matches the package against the hex pattern +given as an argument. + ##### `string_algo` Valid values: bm, kmp diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 066b0a8..c0afbcb 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -149,6 +149,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa stat_probability: '--probability', state: '-m state --state', string: '-m string --string', + string_hex: '-m string --hex-string', string_algo: '--algo', string_from: '--from', string_to: '--to', 
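Review bot: `string_hex: '-m string --hex-string'` repeats the `-m string` module prefix that the `string: '-m string --string'` entry two lines above already carries, so a resource that sets both `string` and `string_hex` emits two `-m string` clauses in one rule. If iptables treats that as two independent string matches combined (please confirm against the provider's rule builder, which is outside this hunk), that is a silent change of meaning for a user who intended a single match; either document it in the `string_hex` desc in lib/puppet/type/firewall.rb or reject the combination there in a `validate` block. The provider's rule-parsing path is also outside this hunk, so it is worth checking that it splits `-m string --hex-string "|..|"` the way it already splits `--string`, since the single fixture in spec/fixtures/iptables/conversion_hash.rb is the only coverage.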
@@ -325,7 +326,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa :state, :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst, :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap, - :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, + :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_hex, :string_algo, :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass, :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway, diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index d10389d..a3eef48 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -2030,6 +2030,13 @@ Puppet::Type.newtype(:firewall) do end end + newproperty(:string_hex) do + desc <<-PUPPETCODE + String matching feature. Matches the package against the hex pattern + given as an argument. + PUPPETCODE + end + newproperty(:string_algo, required_features: :string_matching) do desc <<-PUPPETCODE String matching feature, pattern matching strategy. diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb index b99db65..fe24939 100644 --- a/spec/fixtures/iptables/conversion_hash.rb +++ b/spec/fixtures/iptables/conversion_hash.rb 
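Review bot: `newproperty(:string_hex) do` declares the property without the `required_features: :string_matching` that the neighbouring `newproperty(:string_algo, required_features: :string_matching)` carries, so a resource using only `string_hex` is not rejected on a provider that lacks string matching; change the line to `newproperty(:string_hex, required_features: :string_matching) do`. The desc also says `package` where it means `packet` (the same typo is in the REFERENCE.md hunk). Nothing validates or normalises the value: iptables expects the `|..|` hex-byte notation used in the fixture, and if the system reports the pattern back in a different case or `|..|` grouping than the manifest spelled it, the property will never be in sync and the rule will be rewritten on every run — a `munge`/`validate` block, or an `insync?` that compares decoded bytes, would close that (inferred from iptables behaviour, not visible in the hunk). The enclosing `Puppet::Type.newtype(:firewall) do` block starts and ends outside this hunk.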
@@ -713,6 +713,14 @@ ARGS_TO_HASH = {
 string_from: '1',
 },
 },
+ 'hexstring_matching_1' => {
+ line: '-A INPUT -m string --hex-string "|0000FF0001|" --algo bm',
+ table: 'filter',
+ params: {
+ string_hex: '|0000FF0001|'.
+ string_algo: 'bm',
+ },
+ },
 'nfqueue_jump1' => {
 line: '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -j NFQUEUE --queue-num 50 -m comment --comment "000 nfqueue specify queue_num"',
 table: 'filter',
--
2.45.2
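Review bot: `string_hex: '|0000FF0001|'.` ends with a period instead of a comma, so the entry does not parse as a hash pair (Ruby either reports a syntax error or reads it as a method call on the string literal), and the whole fixture fails to load; change it to `string_hex: '|0000FF0001|',`. Because `ARGS_TO_HASH` is one constant, every other conversion case in the file stops running too, so the CI failure would not be confined to this entry. The rule line quotes the pattern (`--hex-string "|0000FF0001|"`) while `params` expects it bare, so this case relies on the provider stripping the quotes; a second case whose pattern mixes literal text with `|..|` bytes would show whether that round-trips, if the provider is meant to support that form. `ARGS_TO_HASH` opens before this hunk and closes after it.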