From 81ff7c6bb3b19198bbd82ea3ccdc2543882eb2d3 Mon Sep 17 00:00:00 2001
From: Morgan Haskel
Date: Wed, 14 Jan 2015 11:22:24 -0500
Subject: [PATCH] MODULES-1612 - sync ipset
---
 README.markdown | 4 +--
 lib/puppet/provider/firewall/ip6tables.rb | 8 +++--
 spec/acceptance/firewall_spec.rb | 39 +++++++++++++++++++++++
 3 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/README.markdown b/README.markdown
index b30b1fd..2f694eb 100644
--- a/README.markdown
+++ b/README.markdown
@@ -339,12 +339,12 @@ This type enables you to manage firewall rules within Puppet.
 * `ip6tables`: Ip6tables type provider
 * Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
 * `iptables`: Iptables type provider
 * Required binaries: `iptables-save`, `iptables`.
 * Default for `kernel` == `linux`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
 **Autorequires:**
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 209bc18..a42cac3 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -26,6 +26,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 has_feature :iprange
 has_feature :ipsec_dir
 has_feature :ipsec_policy
+ has_feature :ipset
 optional_commands({
 :ip6tables => 'ip6tables',
@@ -76,6 +77,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :iniface => "-i",
 :ipsec_dir => "-m policy --dir",
 :ipsec_policy => "--pol",
+ :ipset => "-m set --match-set",
 :isfirstfrag => "-m frag --fragid 0 --fragfirst",
 :ishasmorefrags => "-m frag --fragid 0 --fragmore",
 :islastfrag => "-m frag --fragid 0 --fraglast",
@@ -169,8 +171,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
- :toports, :log_level, :log_prefix, :reject, :set_mark, :connlimit_above,
- :connlimit_mask, :connmark]
+ :rhitcount, :rttl, :rname, :rsource, :rdest, :ipset, :jump, :todest,
+ :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark,
+ :connlimit_above, :connlimit_mask, :connmark]
 end
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 138a6cf..803b22d 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
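Review bot: The slot chosen for `:ipset` in the third hunk (between `:rdest` and `:jump`) is presumably the order in which the provider emits and re-parses `-m set --match-set` relative to its neighbours, so it has to agree with what ip6tables-save prints and with the iptables parent's list; nothing in the hunk records that constraint, and the only thing guarding it is the regex in spec/acceptance/firewall_spec.rb. A one-line comment above the list would protect the next addition: `# Order matters: keep in sync with the iptables provider and with the order ip6tables-save prints matches.` The method this array belongs to starts above the hunk, so its name is not visible here. Reflowing the three surviving lines just to add one symbol also makes the change harder to review than inserting `:ipset,` on its own line.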
@@ -1449,6 +1449,45 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 end
 end
+ #ip6tables only supports ipset on a limited set of platforms
+ if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
+ describe 'ipset' do
+ it 'applies' do
+ pp = <<-EOS
+ package { 'ipset': ensure => present }
+ exec { 'create ipset':
+ command => 'ipset create blacklist family inet6 hash:ip,port maxelem 1024 hashsize 65535 timeout 120',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ require => Package['ipset'],
+ }
+ exec { 'add blacklist':
+ command => 'ipset add blacklist 2001:db8::1,80',
+ path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ require => Exec['create ipset'],
+ }
+ class { '::firewall': }
+ firewall { '612 - test':
+ ensure => present,
+ chain => 'INPUT',
+ proto => tcp,
+ action => drop,
+ ipset => 'blacklist src,src',
+ provider => 'ip6tables',
+ require => Exec['add blacklist'],
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m comment --comment "612 - test" -m set --match-set blacklist src,src -j DROP/)
+ end
+ end
+ end
+ end
+
 # ip6tables only support addrtype on a limited set of platforms
 if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
 ['dst_type', 'src_type'].each do |type|
--
2.45.2
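Review bot: The `create ipset` and `add blacklist` execs carry no `unless`/`creates` guard, so on any host that still has the set — which is the state `applies` leaves behind, since nothing destroys it — `ipset create blacklist …` fails with "set already exists" and the duplicate add fails too, making the example non-idempotent on re-run. Either guard the create with `unless => 'ipset list blacklist'` and run both commands as `ipset -exist …`, or add an `after(:all)` that removes the rule and then runs `ipset destroy blacklist` (destroy is refused while a rule still references the set). `timeout 120` means the added entry expires two minutes after `applies`; the second example only inspects ip6tables-save so it is unaffected, but a comment such as `# entries expire after 120s; only the rule, not set membership, is asserted` would stop a later assertion on `ipset list` from flaking. The platform guard is a verbatim copy of the addrtype guard directly below and uses `or` where `||` is the idiom; a shared local or constant would keep the two in step. The enclosing `describe 'firewall type'` block starts outside the hunk.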