From 8e50ba468e5af36d3033a3f046a8ff2df0443a74 Mon Sep 17 00:00:00 2001
From: Ashley Penney
Date: Mon, 5 May 2014 21:31:15 +0200
Subject: [PATCH] Add `mask` as a parameter.

This is only used for the recent module and seems to be relatively new as it doesn't seem to exist prior to 14.04.
---
 lib/puppet/provider/firewall/iptables.rb | 98 ++++++++++++------------
 lib/puppet/type/firewall.rb | 10 +++
 2 files changed, 60 insertions(+), 48 deletions(-)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 828e2be..5ad1012 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -28,6 +28,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :iprange
 has_feature :ipsec_dir
 has_feature :ipsec_policy
+ has_feature :mask
 optional_commands({
 :iptables => 'iptables',
@@ -46,53 +47,54 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 @protocol = "IPv4"
 @resource_map = {
- :burst => "--limit-burst",
+ :burst => "--limit-burst",
 :connlimit_above => "-m connlimit --connlimit-above",
- :connlimit_mask => "--connlimit-mask",
- :connmark => "-m connmark --mark",
- :ctstate => "-m conntrack --ctstate",
- :destination => "-d",
- :dst_type => "-m addrtype --dst-type",
- :dst_range => "-m iprange --dst-range",
- :dport => ["-m multiport --dports", "--dport"],
- :gid => "-m owner --gid-owner",
- :icmp => "-m icmp --icmp-type",
- :iniface => "-i",
- :jump => "-j",
- :limit => "-m limit --limit",
- :log_level => "--log-level",
- :log_prefix => "--log-prefix",
- :name => "-m comment --comment",
- :outiface => "-o",
- :port => '-m multiport --ports',
- :proto => "-p",
- :random => "--random",
- :rdest => "--rdest",
- :reap => "--reap",
- :recent => "-m recent",
- :reject => "--reject-with",
- :rhitcount => "--hitcount",
- :rname => "--name",
- :rseconds => "--seconds",
- :rsource => "--rsource",
- :rttl => "--rttl",
- :set_mark => mark_flag,
- :socket => "-m socket",
- :source => "-s",
- :src_type => "-m addrtype --src-type",
- :src_range => "-m iprange --src-range",
- :sport => ["-m multiport --sports", "--sport"],
- :state => "-m state --state",
- :table => "-t",
- :tcp_flags => "-m tcp --tcp-flags",
- :todest => "--to-destination",
- :toports => "--to-ports",
- :tosource => "--to-source",
- :uid => "-m owner --uid-owner",
- :pkttype => "-m pkttype --pkt-type",
- :isfragment => "-f",
- :ipsec_dir => "-m policy --dir",
- :ipsec_policy => "--pol",
+ :connlimit_mask => "--connlimit-mask",
+ :connmark => "-m connmark --mark",
+ :ctstate => "-m conntrack --ctstate",
+ :destination => "-d",
+ :dst_type => "-m addrtype --dst-type",
+ :dst_range => "-m iprange --dst-range",
+ :dport => ["-m multiport --dports", "--dport"],
+ :gid => "-m owner --gid-owner",
+ :icmp => "-m icmp --icmp-type",
+ :iniface => "-i",
+ :jump => "-j",
+ :limit => "-m limit --limit",
+ :log_level => "--log-level",
+ :log_prefix => "--log-prefix",
+ :name => "-m comment --comment",
+ :outiface => "-o",
+ :port => '-m multiport --ports',
+ :proto => "-p",
+ :random => "--random",
+ :rdest => "--rdest",
+ :reap => "--reap",
+ :recent => "-m recent",
+ :reject => "--reject-with",
+ :rhitcount => "--hitcount",
+ :rname => "--name",
+ :rseconds => "--seconds",
+ :rsource => "--rsource",
+ :rttl => "--rttl",
+ :set_mark => mark_flag,
+ :socket => "-m socket",
+ :source => "-s",
+ :src_type => "-m addrtype --src-type",
+ :src_range => "-m iprange --src-range",
+ :sport => ["-m multiport --sports", "--sport"],
+ :state => "-m state --state",
+ :table => "-t",
+ :tcp_flags => "-m tcp --tcp-flags",
+ :todest => "--to-destination",
+ :toports => "--to-ports",
+ :tosource => "--to-source",
+ :uid => "-m owner --uid-owner",
+ :pkttype => "-m pkttype --pkt-type",
+ :isfragment => "-f",
+ :ipsec_dir => "-m policy --dir",
+ :ipsec_policy => "--pol",
+ :mask => '--mask',
 }
 # These are known booleans that do not take a value, but we want to munge
@@ -144,8 +146,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :src_range, :dst_range, :tcp_flags, :gid, :uid, :sport, :dport, :port, :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
- :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :jump, :todest,
+ :tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
 :connlimit_above, :connlimit_mask, :connmark
 ]
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 6dcd924..22afbd2 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
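Review bot: The new `:mask => '--mask'` entry shares its suffix with the existing `:connlimit_mask => "--connlimit-mask"` entry in the same map; if, as its name suggests, this map is also used to parse rules back from iptables-save output (that code is outside the hunk), an unanchored substring match could read a connlimit_mask rule as mask, so a round-trip spec for a rule carrying `--connlimit-mask` would settle it. The entry also uses single quotes where nearly every neighbour uses double quotes; `:mask => "--mask",` keeps the map uniform. Re-aligning the whole hash turns a one-line addition into a ~100-line hunk that hides the functional change; the whitespace change would be easier to review as its own commit.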
@@ -899,6 +899,12 @@ Puppet::Type.newtype(:firewall) do
 newvalues(:in, :out)
 end
+ newproperty(:mask, :required_features => :mask) do
+ desc <<-EOS
+ Sets the mask to use when `recent` is enabled.
+ EOS
+ end
+
 newparam(:line) do
 desc <<-EOS
 Read-only property for caching the rule line.
@@ -1063,5 +1069,9 @@ Puppet::Type.newtype(:firewall) do
 self.fail "Parameter 'connlimit_mask' requires 'connlimit_above'"
 end
+ if value(:mask) && ! value(:recent)
+ self.fail "Mask can only be set if recent is enabled."
+ end
+
 end
 end
-- 
2.45.2
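Review bot: `newproperty(:mask, :required_features => :mask)` has no `validate` block, so any string reaches the provider as the argument of `--mask` and a malformed value is only rejected by iptables at apply time. A validate block that requires the value to parse as a netmask (stdlib `IPAddr` is sufficient) would reject it at catalog compile with a clear message; how this type's other address-taking properties validate is outside the hunk, so the new block should match whatever they do. The desc should also state the expected form, e.g. `Sets the netmask (for example 255.255.255.0) applied to the address tracked by the recent module; requires recent.`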
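Review bot: The new check's failure message reads differently from the sibling check two lines above it, which names both parameters; `self.fail "Parameter 'mask' requires 'recent'"` keeps the two consistent and tells the user which parameter to set. `! value(:recent)` also has a space after `!`, which the Ruby style guide disallows; `if value(:mask) && !value(:recent)` is the conventional form. The enclosing validate block starts outside the hunk.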