From 914c58d8b46905097f5d005ff939d7446a255049 Mon Sep 17 00:00:00 2001
From: Chuck Schweizer
Date: Wed, 16 Apr 2014 19:33:30 -0500
Subject: [PATCH] (MODULES-689) Add support for connlimit and connmark

---
 lib/puppet/provider/firewall/ip6tables.rb | 7 ++-
 lib/puppet/provider/firewall/iptables.rb | 7 ++-
 lib/puppet/type/firewall.rb | 52 ++++++++++++++++++++++-
 3 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index d531633..e1ce01a 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -2,6 +2,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 @doc = "Ip6tables type provider"

 has_feature :iptables
+ has_feature :connection_limiting
 has_feature :hop_limiting
 has_feature :rate_limiting
 has_feature :recent_limiting
@@ -46,6 +47,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =

 @resource_map = {
 :burst => "--limit-burst",
+ :connlimit_above => "-m connlimit --connlimit-above",
+ :connlimit_mask => "--connlimit-mask",
+ :connmark => "-m connmark --mark",
 :ctstate => "-m conntrack --ctstate",
 :destination => "-d",
 :dport => "-m multiport --dports",
@@ -126,6 +130,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
- :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
+ :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject,
+ :connlimit_above, :connlimit_mask, :connmark]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 698e731..828e2be 100644
--- a/lib/puppet/provider/firewall/iptables.rb
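Review bot: Appending `:connlimit_above, :connlimit_mask, :connmark` after `:reject` in `@resource_list` places two match modules after the jump target in the generated rule; if this list also drives parsing of ip6tables-save output (its name and the existing layout, with every `-m` match listed before `:jump`, suggest it does), a saved rule carrying these options may be parsed into a different hash than the one the resource generates and be re-applied on every run. The iptables.rb `@@ -141,7 +145,8 @@` hunk uses the same placement after `:set_mark`. Consider listing the three symbols alongside the other match options and adding a round-trip test that parses a saved rule with `--connlimit-above`, `--connlimit-mask` and `--mark` back into a resource, which would settle the correct position. Note also that `:connlimit_mask` maps to a bare `--connlimit-mask` and relies on `:connlimit_above` preceding it to load `-m connlimit`; the validate hunk in firewall.rb enforces that pairing, so the ordering must be kept. The `@resource_list` array begins outside the hunk.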
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -7,6 +7,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 @doc = "Iptables type provider"

 has_feature :iptables
+ has_feature :connection_limiting
 has_feature :rate_limiting
 has_feature :recent_limiting
 has_feature :snat
@@ -46,6 +47,9 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir

 @resource_map = {
 :burst => "--limit-burst",
+ :connlimit_above => "-m connlimit --connlimit-above",
+ :connlimit_mask => "--connlimit-mask",
+ :connmark => "-m connmark --mark",
 :ctstate => "-m conntrack --ctstate",
 :destination => "-d",
 :dst_type => "-m addrtype --dst-type",
@@ -141,7 +145,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
- :toports, :random, :log_prefix, :log_level, :reject, :set_mark
+ :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
+ :connlimit_above, :connlimit_mask, :connmark
 ]

 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 75cf586..6dcd924 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -28,6 +28,7 @@ Puppet::Type.newtype(:firewall) do
 installed.
 EOS

+ feature :connection_limiting, "Connection limiting features."
 feature :hop_limiting, "Hop limiting features."
 feature :rate_limiting, "Rate limiting features."
 feature :recent_limiting, "The netfilter recent module"
@@ -40,7 +41,7 @@ Puppet::Type.newtype(:firewall) do
 feature :reject_type, "The ability to control reject messages"
 feature :log_level, "The ability to control the log level"
 feature :log_prefix, "The ability to add prefixes to log messages"
- feature :mark, "Set the netfilter mark value associated with the packet"
+ feature :mark, "Match or Set the netfilter mark value associated with the packet"
 feature :tcp_flags, "The ability to match on particular TCP flag settings"
 feature :pkttype, "Match a packet type"
 feature :socket, "Match open sockets"
@@ -605,6 +606,50 @@ Puppet::Type.newtype(:firewall) do
 end
+ # Connection mark
+ newproperty(:connmark, :required_features => :mark) do
+ desc <<-EOS
+ Match the Netfilter mark value associated with the packet. Accepts either of:
+ mark/mask or mark. These will be converted to hex if they are not already.
+ EOS
+ munge do |value|
+ int_or_hex = '[a-fA-F0-9x]'
+ match = value.to_s.match("(#{int_or_hex}+)(/)?(#{int_or_hex}+)?")
+ mark = @resource.to_hex32(match[1])
+
+ # Values that can't be converted to hex.
+ # Or contain a trailing slash with no mask.
+ if mark.nil? or (mark and match[2] and match[3].nil?)
+ raise ArgumentError, "MARK value must be integer or hex between 0 and 0xffffffff"
+ end
+
+ # There should not be a mask on connmark
+ unless match[3].nil?
+ raise ArgumentError, "iptables does not support masks on MARK match rules"
+ end
+ value = mark
+
+ value
+ end
+ end
+
+ # Connection limiting properties
+ newproperty(:connlimit_above, :required_features => :connection_limiting) do
+ desc <<-EOS
+ Connection limiting value for matched connections above n.
+ EOS
+ newvalue(/^\d+$/)
+ end
+
+ newproperty(:connlimit_mask, :required_features => :connection_limiting) do
+ desc <<-EOS
+ Connection limiting by subnet mask for matched connections.
+ IPv4: 0-32
+ IPv6: 0-128
+ EOS
+ newvalue(/^\d+$/)
+ end
+
 # Hop limiting properties
 newproperty(:hop_limit, :required_features => :hop_limiting) do
 desc <<-EOS
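Review bot: In the `connmark` munge, `match` is `nil` when the value contains no hex or integer characters at all (e.g. `"foo"`), so `match[1]` raises a `NoMethodError` instead of the intended `ArgumentError`; the pattern is also unanchored, so a value such as `"0x1zz"` is silently accepted as `0x1`. Anchoring the pattern and guarding the lookup fixes both: `match = value.to_s.match(%r{\A(#{int_or_hex}+)(/)?(#{int_or_hex}+)?\z})` and `mark = match && @resource.to_hex32(match[1])`, after which the existing `mark.nil?` branch raises the right error. The `value = mark` / `value` tail can be reduced to `mark`, and `or`/`and` in the condition should be `||`/`&&` to match the rest of the file. `connlimit_mask` documents a 0-32 / 0-128 range but `newvalue(/^\d+$/)` accepts any digit string; `\A\d+\z` would at least avoid per-line anchors, and a range check belongs in validate where the provider is known. The `end` in the hunk's leading context closes a property defined outside the hunk.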
@@ -1013,5 +1058,10 @@ Puppet::Type.newtype(:firewall) do
 if value(:action) && value(:jump)
 self.fail "Only one of the parameters 'action' and 'jump' can be set"
 end
+
+ if value(:connlimit_mask) && ! value(:connlimit_above)
+ self.fail "Parameter 'connlimit_mask' requires 'connlimit_above'"
+ end
+
 end
 end
-- 
2.45.2
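Review bot: `! value(:connlimit_above)` has a space after `!`, which the surrounding code and the style guide avoid; `if value(:connlimit_mask) && !value(:connlimit_above)` reads the same and is consistent with the `value(:action) && value(:jump)` check above it. If the resource's provider is resolvable in this block, it is also the natural place to enforce the range the `connlimit_mask` description promises (0-32 for iptables, 0-128 for ip6tables), since the property's `newvalue(/^\d+$/)` accepts any digit string. The enclosing validation block starts outside the hunk.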