From 69fdc370d680db6bec4c074a3dae30833de4ac57 Mon Sep 17 00:00:00 2001
From: Hunter Haugen
Date: Wed, 5 Feb 2014 13:59:08 -0800
Subject: [PATCH] Add --random support as per #141 comment

---
 lib/puppet/provider/firewall/iptables.rb | 13 ++++++++++--
 lib/puppet/type/firewall.rb | 9 ++++++++
 spec/acceptance/firewall_spec.rb | 27 ++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 97520e0..3095a12 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -62,6 +62,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :outiface => "-o",
 :port => '-m multiport --ports',
 :proto => "-p",
+ :random => "--random",
 :rdest => "--rdest",
 :reap => "--reap",
 :recent => "-m recent",
@@ -92,7 +93,15 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # These are known booleans that do not take a value, but we want to munge
 # to true if they exist.
- @known_booleans = [:socket, :isfragment, :rsource, :rdest, :reap, :rttl]
+ @known_booleans = [
+ :isfragment,
+ :random,
+ :rdest,
+ :reap,
+ :rsource,
+ :rttl,
+ :socket
+ ]
 # Create property methods dynamically
@@ -132,7 +141,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
 :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
- :toports, :log_prefix, :log_level, :reject, :set_mark
+ :toports, :random, :log_prefix, :log_level, :reject, :set_mark
 ]
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 18f1a71..4701e27 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -456,6 +456,15 @@ Puppet::Type.newtype(:firewall) do
 EOS
 end
+ newproperty(:random, :required_features => :dnat) do
+ desc <<-EOS
+ When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+ this boolean will enable randomized port mapping.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
 # Reject ICMP type
 newproperty(:reject, :required_features => :reject_type) do
 desc <<-EOS
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index c8c3ccd..f4af72b 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -822,6 +822,33 @@ describe 'firewall type' do
 end
 end
+ describe 'random' do
+ context '192.168.1.1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '570 - test 2':
+ proto => all,
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ source => '172.30.0.0/16',
+ random => true
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ apply_manifest(pp, :catch_changes => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables -t nat -S') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -s 172\.30\.0\.0\/16 -m comment --comment "570 - test 2" -j MASQUERADE --random/)
+ end
+ end
+ end
+ end
+
 describe 'icmp' do
 context 'any' do
 it 'fails' do
-- 
2.45.2
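Review bot: The position of `:random` in `@resource_list` (inserted after `:toports` in the `@@ -132,7 +141,7 @@` hunk) is load-bearing and nothing in the hunk says so: iptables reads `--random` as an option of the NAT target, so it has to be emitted after `-j` and any `--to-destination`/`--to-source`/`--to-ports` argument, yet the preceding hunk shows `@known_booleans` being reordered alphabetically, and an equally well-meant reorder of this array would generate a rule iptables rejects. A comment on the list would protect it, e.g. `# order matters: --random (:random) is a target option and must stay after :jump and the :todest/:tosource/:toports entries`. The `@resource_list` assignment begins outside the hunk.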
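Review bot: `newvalues(:true, :false)` accepts `random => true` on any rule, while the desc itself says the flag only applies to the MASQUERADE, DNAT, REDIRECT and SNAT targets; a rule that sets it with another jump, or outside the nat table, will only fail when the provider runs iptables, surfacing as a generic command error at apply time. If the type's `validate` block (outside this hunk) already checks jump/table combinations for the other NAT properties, a parallel check there, `self.fail 'random requires a jump of MASQUERADE, DNAT, REDIRECT or SNAT' if value(:random) == :true && !%w[MASQUERADE DNAT REDIRECT SNAT].include?(value(:jump).to_s)`, reports the mistake at catalog time instead. The property is also gated on `:required_features => :dnat` alone although two of the four listed targets are source-NAT; worth confirming that matches how the other NAT properties in this file are tagged. The enclosing `newtype` block starts and ends outside the hunk.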
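Review bot: The acceptance test only exercises `--random` with `jump => 'MASQUERADE'`, where no `--to-*` argument sits between `-j` and `--random`; the DNAT, REDIRECT and SNAT targets named in the property's desc do put `--to-destination`/`--to-ports`/`--to-source` there, so the provider's argument ordering and the idempotent round-trip (`catch_changes`) for those targets are not covered. A second case in this `describe 'random'` block, e.g. a `PREROUTING` rule with `jump => 'REDIRECT', toports => '8080', random => true` and a matching `-j REDIRECT --to-ports 8080 --random` expectation, would close that gap. The `describe 'firewall type'` block starts and ends outside the hunk.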