From b6ec9cb70a33242767a30ebcfdad657d4a944d66 Mon Sep 17 00:00:00 2001
From: Simon Humbert
Date: Tue, 3 May 2016 17:04:19 -0400
Subject: [PATCH] adding iptables length extension

---
 lib/puppet/provider/firewall/ip6tables.rb | 4 +++-
 lib/puppet/provider/firewall/iptables.rb | 4 +++-
 lib/puppet/type/firewall.rb | 28 +++++++++++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 78ad24d..056c5ed 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -30,6 +30,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 has_feature :ipsec_policy
 has_feature :mask
 has_feature :ipset
+ has_feature :length
 
 optional_commands({
 :ip6tables => 'ip6tables',
@@ -89,6 +90,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :ishasmorefrags => "-m frag --fragid 0 --fragmore",
 :islastfrag => "-m frag --fragid 0 --fraglast",
 :jump => "-j",
+ :length => "-m length --length",
 :limit => "-m limit --limit",
 :log_level => "--log-level",
 :log_prefix => "--log-prefix",
@@ -221,7 +223,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :physdev_out, :physdev_is_bridged, :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
- :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
+ :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest, :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index dd92362..28390f1 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -34,6 +34,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :mask
 has_feature :ipset
 has_feature :clusterip
+ has_feature :length
 
 optional_commands({
 :iptables => 'iptables',
@@ -74,6 +75,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :isfragment => "-f",
 :jump => "-j",
 :goto => "-g",
+ :length => "-m length --length",
 :limit => "-m limit --limit",
 :log_level => "--log-level",
 :log_prefix => "--log-prefix",
@@ -255,7 +257,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :stat_mode, :stat_every, :stat_packet, :stat_probability, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
- :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
+ :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :goto, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 2529d19..35fac12 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -59,6 +59,7 @@ Puppet::Type.newtype(:firewall) do
 feature :mask, "Ability to match recent rules based on the ipv4 mask"
 feature :ipset, "Match against specified ipset list"
 feature :clusterip, "Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them."
+ feature :length, "Match the length of layer-3 payload"
 
 # provider specific features
 feature :iptables, "The provider provides iptables features."
@@ -1386,6 +1387,33 @@ Puppet::Type.newtype(:firewall) do
 EOS
 end
+ newproperty(:length, :required_features => :length) do
+ desc <<-EOS
+ Sets the length of layer-3 payload to match.
+ EOS
+
+ munge do |value|
+ match = value.to_s.match("([0-9]+)(-)?([0-9]+)?")
+ low = match[1].to_int
+ high = match[3].to_int
+
+ if low.nil? or (low and match[2] and high.nil?)
+ raise ArgumentError, "Length value must either be an integer or a range"
+ end
+
+ if (low < 0 or low > 65535)
+ or (high and (high < 0 or high > 65535 or high < low))
+ raise ArgumentError, "Length values must be between 0 and 65535"
+ end
+
+ value = low
+ if high
+ value = value + ":#{high}"
+ end
+ value
+ end
+ end
+
 autorequire(:firewallchain) do
 reqs = []
-- 
2.45.2
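Review bot: The new munge block in newproperty(:length) cannot succeed for any input: `String` has no `to_int`, so `match[1].to_int` raises NoMethodError on every value, `match[3]` is nil for a plain integer such as `100` (the common case) and `match` itself is nil when the value has no digits, so the `low.nil?` guard and the `< 0` comparisons are never reached, and in the range branch `value + ":#{high}"` adds a String to an Integer, which raises TypeError. As the hunk reads, `or (high and ...)` also starts a new line after the already-closed `if (low < 0 or low > 65535)` condition; Ruby does not treat a leading `or` as a continuation, so the file would fail to parse, unless the break was introduced by the reformatting of this patch. The pattern `"([0-9]+)(-)?([0-9]+)?"` is unanchored, so a value like `abc100xyz` would be accepted as `100`; anchoring with `\A` and `\z` and rejecting a non-match is what produces the intended ArgumentError. The rewrite below keeps the two error messages and the original return shape (an Integer for a single length, `"low:high"` for a range); whether the provider compares this against a String parsed back from iptables, and so whether a single length should also be returned as a String, cannot be told from this hunk.

```ruby
  newproperty(:length, :required_features => :length) do
    # … unchanged: desc heredoc …

    munge do |value|
      match = value.to_s.match(/\A([0-9]+)(?:-([0-9]+))?\z/)
      raise ArgumentError, "Length value must either be an integer or a range" unless match

      low = match[1].to_i
      high = match[2] && match[2].to_i

      # low is digits-only so it cannot be negative; only the upper bound and ordering need checking
      if low > 65535 || (high && (high > 65535 || high < low))
        raise ArgumentError, "Length values must be between 0 and 65535"
      end

      high ? "#{low}:#{high}" : low
    end
    # … unchanged: end of newproperty …
```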