From 68f13c03e754e4b837b94f12cec58de03731deb2 Mon Sep 17 00:00:00 2001
From: Thomas Vander Stichele
Date: Sun, 4 Mar 2012 18:16:20 +0100
Subject: [PATCH] (#10025) Add support for --tcp-flags

---
 lib/puppet/provider/firewall/iptables.rb | 16 ++++++++++++--
 lib/puppet/type/firewall.rb | 16 ++++++++++++++
 spec/fixtures/iptables/conversion_hash.rb | 26 +++++++++++++++++++++++
 3 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f4de354..5602e1d 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -44,6 +44,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :state => "-m state --state",
 :sport => "-m multiport --sports",
 :table => "-t",
+ :tcp_flags => "-m tcp --tcp-flags",
 :todest => "--to-destination",
 :toports => "--to-ports",
 :tosource => "--to-source",
@@ -56,7 +57,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # changes between puppet runs, the changed rules will be re-applied again.
 # This order can be determined by going through iptables source code or just tweaking and trying manually
 @resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :proto, :tcp_flags, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
 :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark]
 
 def insert
@@ -115,6 +116,10 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 keys = []
 values = line.dup
 
+ # --tcp-flags takes two values; we cheat by adding " around it
+ # so it behaves like --comment
+ values = values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')
+
 @resource_list.reverse.each do |k|
 if values.slice!(/\s#{@resource_map[k]}/)
 keys << k
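Review bot: The quoting rewrite `values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')` in the -115 hunk of iptables.rb uses `\S*`, which also matches an empty operand, so a rule line with a missing flag list is quietly turned into `--tcp-flags " X"` and parsed as if it were well formed; `\S+` in both groups limits the rewrite to the two-operand shape iptables-save emits: `values = values.sub(/--tcp-flags (\S+) (\S+)/, '--tcp-flags "\1 \2"')`. The comment says the quoted value then "behaves like --comment", but the code that strips those quotes is not in this hunk, so a reader cannot see from here where the added `"` are removed again; a sentence in the comment naming that later step would make the coupling explicit. The method this sits in begins and ends outside the hunk.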
@@ -247,7 +252,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 end
 end
 
- if resource_value.is_a?(Array)
+ # our tcp_flags takes a single string with comma lists separated
+ # by space
+ # --tcp-flags expects two arguments
+ if res == :tcp_flags
+ one, two = resource_value.split(' ')
+ args << one
+ args << two
+ elsif resource_value.is_a?(Array)
 args << resource_value.join(',')
 else
 args << resource_value
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 59db2ea..11997a0 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -212,6 +212,22 @@ Puppet::Type.newtype(:firewall) do
 defaultto "tcp"
 end
 
+ # tcp-specific
+ newproperty(:tcp_flags) do
+ desc <<-EOS
+ Match when the TCP flags are as specified.
+ Is a string with a list of comma-separated flag names for the mask,
+ then a space, then a comma-separated list of flags that should be set.
+ The flags are: SYN ACK FIN RST URG PSH ALL NONE
+ Note that you specify them in the order that iptables --list-rules
+ would list them to avoid having puppet think you changed the flags.
+ Example: FIN,SYN,RST,ACK SYN matches packets with the SYN bit set and the
+ ACK,RST and FIN bits cleared. Such packets are used to request
+ TCP connection initiation.
+ EOS
+ end
+
+
 # Iptables specific
 newproperty(:chain, :required_features => :iptables) do
 desc <<-EOS
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 053c1e4..3b59cd5 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
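Review bot: `one, two = resource_value.split(' ')` in the -247 hunk of iptables.rb yields `two == nil` when the value has no space and silently drops any third token, so a manifest typo such as `tcp_flags => 'SYN'` or `'SYN,ACK SYN extra'` is pushed onto the iptables command line (`args << nil`) instead of being rejected at catalog time. The matching `newproperty(:tcp_flags)` in the firewall.rb hunk carries only a `desc` and no `validate`, so nothing enforces the two-operand shape the desc text describes before the provider splits it; a validate block on the property is the right place for that check: `validate do |value|` / `  raise ArgumentError, "tcp_flags must be '<mask> <comp>' using SYN ACK FIN RST URG PSH ALL NONE" unless value =~ /\A[A-Z,]+ [A-Z,]+\z/` / `end`. The desc also says the order must match `iptables --list-rules` output; since the provider compares strings verbatim, stating that a differently ordered but equivalent value will be re-applied on every run would spare users a surprise. The surrounding method in the provider hunk starts and ends outside the hunk.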
@@ -85,6 +85,23 @@ ARGS_TO_HASH = {
 :sport => ["15","512-1024"],
 },
 },
+ 'tcp_flags_1' => {
+ :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
+ :table => 'filter',
+ :compare_all => true,
+ :chain => 'INPUT',
+ :proto => 'tcp',
+ :params => {
+ :chain => "INPUT",
+ :ensure => :present,
+ :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
+ :name => "000 initiation",
+ :proto => "tcp",
+ :provider => "iptables",
+ :table => "filter",
+ :tcp_flags => "SYN,RST,ACK,FIN SYN",
+ },
+ },
 'state_returns_sorted_values' => {
 :line => '-A INPUT -m state --state INVALID,RELATED,ESTABLISHED',
 :table => 'filter',
@@ -324,6 +341,15 @@ HASH_TO_ARGS = {
 },
 :args => ["-t", :filter, "-p", :tcp, "-m", "multiport", "--dports", "15,512:1024", "-m", "comment", "--comment", "100 sport range"],
 },
+ 'tcp_flags_1' => {
+ :params => {
+ :name => "000 initiation",
+ :tcp_flags => "SYN,RST,ACK,FIN SYN",
+ :table => "filter",
+ },
+
+ :args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST,ACK,FIN", "SYN", "-m", "comment", "--comment", "000 initiation",]
+ },
 'states_set_from_array' => {
 :params => {
 :name => "100 states_set_from_array",
-- 
2.45.2
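Review bot: The `:args` array in the HASH_TO_ARGS hunk ends in a dangling comma before the closing bracket (`"000 initiation",]`), which Ruby accepts but which differs from every sibling entry in this file, including the `100 sport range` fixture directly above; `"-m", "comment", "--comment", "000 initiation"]` matches the file's style. Both new fixtures exercise only the well-formed two-operand value, so nothing here shows that a rule with `-p tcp -m tcp` and no `--tcp-flags` still parses unchanged after the provider's new `sub` rewrite, nor what a one-token `tcp_flags` value produces; a fixture for at least the first case would pin that behaviour.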