From b4062295dbf44ae3cfccdb288d497922756bfda2 Mon Sep 17 00:00:00 2001
From: Robert Frank
Date: Mon, 22 Jul 2019 16:54:58 +0200
Subject: [PATCH] (MODULES-6136) Add zone property of CT target.
Adds support for zone property of CT target.
---
 REFERENCE.md | 6 +++++
 lib/puppet/provider/firewall/ip6tables.rb | 4 +++-
 lib/puppet/provider/firewall/iptables.rb | 4 +++-
 lib/puppet/type/firewall.rb | 22 ++++++++++++++++++-
 .../firewall_attributes_happy_path_spec.rb | 10 +++++++++
 ...irewall_attributes_ipv6_happy_path_spec.rb | 12 +++++++++-
 spec/spec_helper_acceptance.rb | 2 +-
 spec/unit/puppet/type/firewall_spec.rb | 7 ++++++
 8 files changed, 62 insertions(+), 5 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 84fbdc6..6583057 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -220,6 +220,8 @@ installed.
 * ipvs: The ability to match IP Virtual Server packets.
+ * ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
+
 #### Properties
 The following properties are available in the `firewall` type.
@@ -1125,6 +1127,10 @@ Valid values: `true`, `false`
 Indicates that the current packet belongs to an IPVS connection.
+##### `zone`
+
+Assign this packet to zone id and only have lookups done in that zone.
+
 #### Parameters
 The following parameters are available in the `firewall` type.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 16bb606..eca66df 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -34,6 +34,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 has_feature :string_matching
 has_feature :queue_num
 has_feature :queue_bypass
+ has_feature :ct_target
 optional_commands(ip6tables: 'ip6tables', ip6tables_save: 'ip6tables-save')
@@ -164,6 +165,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 hashlimit_htable_expire: '--hashlimit-htable-expire',
 hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
 bytecode: '-m bpf --bytecode',
+ zone: '--zone',
 }
 # These are known booleans that do not take a value, but we want to munge
@@ -258,5 +260,5 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :name]
+:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 61d7f1b..f3a334b 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -43,6 +43,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 has_feature :queue_num
 has_feature :queue_bypass
 has_feature :ipvs
+ has_feature :ct_target
 optional_commands(iptables: 'iptables', iptables_save: 'iptables-save')
@@ -170,6 +171,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
 bytecode: '-m bpf --bytecode',
 ipvs: '-m ipvs --ipvs',
+ zone: '--zone',
 }
 # These are known booleans that do not take a value, but we want to munge
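Review bot: `:zone` is appended to the provider's resource list after `:bytecode` and before `:name`, and since `--zone` is an option of the CT target rather than a match, iptables only accepts it after `-j CT`, so `:jump` has to precede `:zone` in that list; `:jump`'s position is outside the hunk, and the acceptance runs with `catch_failures: true` are what would confirm the built command is accepted. The same ordering constraint applies to the iptables list in the `@@ -304,7 +306,7 @@` hunk. A short comment beside the new list entry, e.g. `:zone, # CT target option: must be emitted after :jump`, would record why the position matters.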
@@ -304,7 +306,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :name
+:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name
 ]
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 666c665..cf27165 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -129,6 +129,8 @@ Puppet::Type.newtype(:firewall) do
 * bpf: The ability to use Berkeley Paket Filter rules.
 * ipvs: The ability to match IP Virtual Server packets.
+
+ * ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
 PUPPETCODE
 feature :connection_limiting, 'Connection limiting features.'
@@ -173,7 +175,7 @@ Puppet::Type.newtype(:firewall) do
 feature :hashlimit, 'Hashlimit features'
 feature :bpf, 'Berkeley Paket Filter feature'
 feature :ipvs, 'Packet belongs to an IP Virtual Server connection'
-
+ feature :ct_target, 'The ability to set connection tracking parameters for a packet or its associated connection'
 # provider specific features
 feature :iptables, 'The provider provides iptables features.'
@@ -1857,6 +1859,12 @@ Puppet::Type.newtype(:firewall) do
 newvalues(:true, :false)
 end
+ newproperty(:zone, required_features: :ct_target) do
+ desc <<-PUPPETCODE
+ Assign this packet to zone id and only have lookups done in that zone.
+ PUPPETCODE
+ end
 autorequire(:firewallchain) do
 reqs = []
 protocol = nil
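Review bot: The blank line that separated the feature declarations from the `# provider specific features` comment is replaced by the new `feature :ct_target` line in the `@@ -173,7 +175,7 @@` hunk, so the new declaration now runs straight into the comment introducing the next group. Keep the separator by leaving an empty line after `feature :ct_target, '...'`.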
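Review bot: The new `zone` property in the `@@ -1857,6 +1859,12 @@` hunk accepts any value, yet the providers pass it straight to iptables as the argument of `--zone` (the `zone: '--zone'` map entries), so a non-numeric or malformed value is only reported as an iptables failure at apply time instead of being rejected when the catalog is compiled. A `validate` block on the property that only admits a plain non-negative integer closes that gap; the kernel's conntrack zone is, as far as I recall, a 16-bit id, so an upper bound of 65535 may be worth confirming against iptables-extensions(8) and adding as well. The `desc` could also say that the property only takes effect with `jump => 'CT'` in the `raw` table, which is what this commit's validate hook enforces.
```ruby
newproperty(:zone, required_features: :ct_target) do
  # … unchanged: desc heredoc …
  # Passed verbatim to iptables as `--zone <id>`; reject anything that is not a
  # plain non-negative integer at catalog time rather than at apply time.
  validate do |value|
    unless value.to_s =~ %r{\A\d+\z}
      raise ArgumentError, "zone must be a non-negative integer, got #{value.inspect}"
    end
  end
end
```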
@@ -2067,5 +2075,17 @@ Puppet::Type.newtype(:firewall) do
 raise 'Either hashlimit_upto or hashlimit_above are required'
 end
 end
+
+ if value(:zone)
+ unless value(:jump).to_s == 'CT'
+ raise 'Parameter zone requires jump => CT'
+ end
+ end
+
+ if value(:jump).to_s == 'CT'
+ unless value(:table).to_s =~ %r{raw}
+ raise 'Parameter jump => CT only applies to table => raw'
+ end
+ end
 end
 end
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index accb748..704cfd6 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -349,6 +349,13 @@ describe 'firewall attribute testing, happy path' do
 chain => 'OUTPUT',
 table => 'mangle',
 }
+ firewall { '1100 - ct_target tests - zone':
+ proto => 'all',
+ zone => '4000',
+ jump => 'CT',
+ chain => 'PREROUTING',
+ table => 'raw',
+ }
 PUPPETCODE
 apply_manifest(pp, catch_failures: true)
 apply_manifest(pp, catch_changes: do_catch_changes)
@@ -502,5 +509,8 @@ describe 'firewall attribute testing, happy path' do
 it 'jump is set' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST})
 end
+ it 'zone is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "1100 - ct_target tests - zone" -j CT --zone 4000})
+ end
 end
 end
diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
index 5a77291..a5e8a40 100644
--- a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
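Review bot: The table check in the new `jump => CT` branch uses an unanchored `%r{raw}`, so any table name that merely contains `raw` passes it, while the error message promises an exact `table => raw`; compare exactly instead: `unless value(:table).to_s == 'raw'`. If a pattern is kept for some reason it should at least be anchored with `\A` and `\z`, since `^`/`$` and unanchored matches are the usual way such validations are bypassed. The `validate do` block these checks live in begins before the hunk, so I cannot see whether an earlier check already constrains `table`.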
@@ -261,7 +261,14 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 proto => all,
 provider => 'ip6tables',
 }
-
+ firewall { '1101 - ct_target tests - zone':
+ proto => 'all',
+ zone => '4000',
+ jump => 'CT',
+ chain => 'PREROUTING',
+ table => 'raw',
+ provider => 'ip6tables',
+ }
 PUPPETCODE
 apply_manifest(pp, catch_failures: true)
 apply_manifest(pp, catch_changes: do_catch_changes)
@@ -367,5 +374,8 @@ describe 'firewall attribute testing, happy path', unless: (os[:family] == 'redh
 expect(result.stdout).to match(regex)
 end
 end
+ it 'zone is set' do
+ expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "1101 - ct_target tests - zone" -j CT --zone 4000})
+ end
 end
 end
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
index 00e3293..4644626 100644
--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
@@ -11,7 +11,7 @@ def iptables_flush_all_tables
 end
 def ip6tables_flush_all_tables
- ['filter', 'mangle'].each do |t|
+ ['filter', 'mangle', 'raw'].each do |t|
 expect(shell("ip6tables -t #{t} -F").stderr).to eq('')
 end
 end
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
index a8fedac..6f29602 100755
--- a/spec/unit/puppet/type/firewall_spec.rb
+++ b/spec/unit/puppet/type/firewall_spec.rb
@@ -558,6 +558,13 @@ describe firewall do # rubocop:disable RSpec/MultipleDescribes
 end
 end
+ describe 'ct_target' do
+ it 'allows me to set zone' do
+ resource[:zone] = 4000
+ expect(resource[:zone]).to be 4000
+ end
+ end
+
 [:chain, :jump].each do |param|
 describe param do
 it 'autorequires fwchain when table and provider are undefined' do
--
2.45.2
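Review bot: Only the ip6tables flush helper learns about the `raw` table in the `@@ -11,7 +11,7 @@` hunk, while the IPv4 acceptance spec now also creates a rule in `raw` (`1100 - ct_target tests - zone`); `iptables_flush_all_tables` starts before the hunk, so I cannot see whether its table list already includes `raw`. If it does not, it needs the same `'raw'` entry, otherwise that rule survives between examples and can make later `catch_changes` runs order-dependent.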
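Review bot: The new `ct_target` example in the `@@ -558,6 +558,13 @@` hunk only shows that a value round-trips through `resource[:zone]`; neither of the two rules the type's validate hook now enforces (`zone` requires `jump => CT`, and `jump => CT` requires `table => raw`) gets a negative example, so a regression in either would go unnoticed. Two examples that build a resource with `zone` but no `jump`, and one with `jump => 'CT'` in a table other than `raw`, expecting whatever error class the existing validate-hook examples in this spec already assert, would pin that down. Separately, `be 4000` asserts object identity; `eq(4000)` is the conventional matcher for a value comparison here.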