From 8ee8574c9c05a6f28829d3211ff32c8be03202b6 Mon Sep 17 00:00:00 2001
From: Stephen Grier
Date: Sun, 9 Jun 2013 01:33:24 +0100
Subject: [PATCH] (#21166) Add support the the iptables recent module.
---
 lib/puppet/provider/firewall/ip6tables.rb | 10 ++++
 lib/puppet/provider/firewall/iptables.rb | 30 +++++++++-
 lib/puppet/type/firewall.rb | 70 +++++++++++++++++++++++
 3 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index b42eab4..3055d08 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -4,6 +4,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 has_feature :iptables
 has_feature :hop_limiting
 has_feature :rate_limiting
+ has_feature :recent_limiting
 has_feature :snat
 has_feature :dnat
 has_feature :interface_match
@@ -52,7 +53,15 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :outiface => "-o",
 :port => '-m multiport --ports',
 :proto => "-p",
+ :rdest => "--rdest",
+ :reap => "--reap",
+ :recent => "-m recent",
 :reject => "--reject-with",
+ :rhitcount => "--hitcount",
+ :rname => "--name",
+ :rseconds => "--seconds",
+ :rsource => "--rsource",
+ :rttl => "--rttl",
 :source => "-s",
 :state => "-m state --state",
 :sport => "-m multiport --sports",
@@ -108,6 +117,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 @resource_list = [:table, :source, :destination, :iniface, :outiface, :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
+ :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
 :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index ff5e6b8..63b75fa 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -8,6 +8,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :iptables
 has_feature :rate_limiting
+ has_feature :recent_limiting
 has_feature :snat
 has_feature :dnat
 has_feature :interface_match
@@ -61,7 +62,15 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :outiface => "-o",
 :port => '-m multiport --ports',
 :proto => "-p",
+ :rdest => "--rdest",
+ :reap => "--reap",
+ :recent => "-m recent",
 :reject => "--reject-with",
+ :rhitcount => "--hitcount",
+ :rname => "--name",
+ :rseconds => "--seconds",
+ :rsource => "--rsource",
+ :rttl => "--rttl",
 :set_mark => mark_flag,
 :socket => "-m socket",
 :source => "-s",
@@ -120,7 +129,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 @resource_list = [:table, :source, :src_range, :destination, :dst_range, :iniface, :outiface, :proto, :isfragment, :tcp_flags, :gid, :uid, :sport, :dport, :port, :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp,
- :limit, :burst, :jump, :todest, :tosource, :toports, :log_prefix,
+ :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
+ :jump, :todest, :tosource, :toports, :log_prefix,
 :log_level, :reject, :set_mark]
 def insert
@@ -192,6 +202,12 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # the actual rule will have the ! mark before the option.
 values = values.sub(/(!)\s*(-\S+)\s*(\S*)/, '\2 "\1 \3"')
+ # rsource, rdest, reap and rttl take no values. Cheat by adding "" after them.
+ values = values.sub(/--rsource/, '--rsource ""')
+ values = values.sub(/--rdest/, '--rdest ""')
+ values = values.sub(/--reap/, '--reap ""')
+ values = values.sub(/--rttl/, '--rttl ""')
+
 # Trick the system for booleans
 @known_booleans.each do |bool|
 # append "true" because all params are expected to have values
@@ -371,6 +387,18 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 next
 end
 end
+ if res == :rsource then
+ resource_value = nil
+ end
+ if res == :rdest then
+ resource_value = nil
+ end
+ if res == :reap then
+ resource_value = nil
+ end
+ if res == :rttl then
+ resource_value = nil
+ end
 elsif res == :jump and resource[:action] then
 # In this case, we are substituting jump for action
 resource_value = resource[:action].to_s.upcase
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index af3cb6e..7ef0cf0 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -30,6 +30,7 @@ Puppet::Type.newtype(:firewall) do
 feature :hop_limiting, "Hop limiting features."
 feature :rate_limiting, "Rate limiting features."
+ feature :recent_limiting, "The netfilter recent module"
 feature :snat, "Source NATing"
 feature :dnat, "Destination NATing"
 feature :interface_match, "Interface matching"
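Review bot: The four `values.sub` calls in the @@ -192 hunk inject an empty string after `--rsource`, `--rdest`, `--reap` and `--rttl` so they parse like valued options, which sidesteps the `@known_booleans` loop two lines below that, per its own comment, already appends `true` to valueless options. Because the parsed (`is`) value is then `""` while a manifest will set these properties to something else, the property comparison looks unlikely to ever be in sync and the rule would be re-applied on every run — worth confirming against how the type's insync? compares these values. Adding `:rdest, :reap, :rsource, :rttl` to `@known_booleans` (with `newvalues(:true, :false)` on the corresponding type properties) would let them follow the existing boolean path, drop the four substitutions, and also remove the four identical `if res == … then resource_value = nil end` blocks in the @@ -371 hunk, which in any case collapse to `resource_value = nil if [:rsource, :rdest, :reap, :rttl].include?(res)`. The substitutions are also applied to every rule unconditionally, so any free-text argument that happens to contain one of these tokens would be rewritten; guarding them with `if values =~ /-m recent/` keeps the rewrite scoped to rules that actually use the module. Both hunks sit inside methods whose start and end lie outside the hunk.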
@@ -694,6 +695,75 @@ Puppet::Type.newtype(:firewall) do
 newvalues(:true, :false)
 end
+ newproperty(:recent, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Enable the recent module. Takes as an argument one of set, update,
+ rcheck or remove.
+ EOS
+
+ newvalues(:set, :update, :rcheck, :remove)
+ munge do |value|
+ value = "--" + value
+ end
+ end
+
+ newproperty(:rdest, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; add the destination IP address to the list.
+ Takes no argument.
+ EOS
+ end
+
+ newproperty(:rsource, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; add the source IP address to the list.
+ Takes no argument.
+ EOS
+ end
+
+ newproperty(:rname, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; The name of the list. Takes a string argument.
+ EOS
+ end
+
+ newproperty(:rseconds, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; used in conjunction with one of --rcheck or
+ --update. When used, this will narrow the match to only happen
+ when the address is in the list and was seen within the last
+ given number of seconds.
+ EOS
+ end
+
+ newproperty(:reap, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; can only be used in conjunction with --seconds. When
+ used, this will cause entries older then 'seconds' to be purged.
+ EOS
+ end
+
+ newproperty(:rhitcount, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; used in conjunction with --update or --rcheck. When
+ used, this will narrow the match to only happen when the address
+ is in the list and packets had been received greater than or equal
+ to the given value.
+ EOS
+ end
+
+ newproperty(:rttl, :required_features => :recent_limiting) do
+ desc <<-EOS
+ Recent module; may only be used in conjunction with one of --rcheck
+ or --update. When used, this will narrow the match to only happen
+ when the address is in the list and the TTL of the current packet
+ matches that of the packet which hit the --set rule. This may be
+ useful if you have problems with people faking their source
+ address in order to DoS you via this module by disallowing others
+ access to your site by sending bogus packets to you.
+ EOS
+ end
+
 newproperty(:socket, :required_features => :socket) do
 desc <<-EOS
 If true, matches if an open socket can be found by doing a coket lookup
-- 
2.45.2
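Review bot: None of the new properties in this hunk validates its input: `rname`, `rseconds` and `rhitcount` accept any string, and the flag properties `rdest`, `rsource`, `reap` and `rttl`, whose desc says they take no argument, accept any value instead of the `newvalues(:true, :false)` used by the property that closes just above the additions. These values are handed to the iptables command line and read back by the iptables.rb parser, which appears to tokenise on whitespace (`\S+` in its regexes), so a list name containing whitespace or a non-numeric `rseconds` would only surface as an iptables error or a parse mismatch on the next agent run rather than at catalog compile time. `rseconds` and `rhitcount` should be checked with a `validate` block anchored with `\A…\z`, and `rname` restricted to a conservative character set (the kernel also limits the list-name length; take the bound from the recent module's documentation rather than guessing). The `munge` on `recent` can be `"--#{value}"`: `"--" + value` raises TypeError if a Symbol ever reaches it and the assignment to `value` is redundant. The enclosing `Puppet::Type.newtype(:firewall) do` block starts and ends outside the hunk.
```ruby
newproperty(:rname, :required_features => :recent_limiting) do
  # … unchanged: desc …
  validate do |value|
    # passed straight to iptables and read back by a whitespace-tokenising parser
    unless value.to_s =~ /\A[A-Za-z0-9_.-]+\z/
      raise ArgumentError, "rname must be a non-empty list name without whitespace: #{value}"
    end
  end
end

newproperty(:rseconds, :required_features => :recent_limiting) do
  # … unchanged: desc …
  validate do |value|
    unless value.to_s =~ /\A\d+\z/
      raise ArgumentError, "rseconds must be a non-negative integer: #{value}"
    end
  end
end

newproperty(:rhitcount, :required_features => :recent_limiting) do
  # … unchanged: desc …
  validate do |value|
    unless value.to_s =~ /\A\d+\z/
      raise ArgumentError, "rhitcount must be a non-negative integer: #{value}"
    end
  end
end

newproperty(:rdest, :required_features => :recent_limiting) do
  # … unchanged: desc …
  newvalues(:true, :false)
end
# … same newvalues(:true, :false) for :rsource, :reap and :rttl …
```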