From c64d3796e1c32a02d318aea2eb2c8b3788760993 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rapha=C3=ABl=20Pinson?=
Date: Thu, 30 May 2013 13:37:53 +0200
Subject: [PATCH] Add support for hop limit

---
 lib/puppet/provider/firewall/ip6tables.rb | 5 ++++-
 lib/puppet/type/firewall.rb | 9 +++++++++
 spec/fixtures/ip6tables/conversion_hash.rb | 9 +++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 8e34fbe..1a7b16c 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -2,6 +2,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
   @doc = "Ip6tables type provider"
 
   has_feature :iptables
+  has_feature :hop_limiting
   has_feature :rate_limiting
   has_feature :snat
   has_feature :dnat
@@ -42,6 +43,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
     :icmp => "-m icmp6 --icmpv6-type",
     :iniface => "-i",
     :jump => "-j",
+    :hop_limit => "-m hl --hl-eq",
     :limit => "-m limit --limit",
     :log_level => "--log-level",
     :log_prefix => "--log-prefix",
@@ -83,7 +85,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
   # I put it when calling the command. So compability with manual changes
   # not provided with current parser [georg.koester])
   @resource_list = [:table, :source, :destination, :iniface, :outiface,
-    :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :icmp, :limit, :burst, :jump,
+    :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :gid, :uid, :sport, :dport,
+    :port, :pkttype, :name, :state, :icmp, :hop_limit, :limit, :burst, :jump,
     :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
 
   # These are known booleans that do not take a value, but we want to munge
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 1c6f773..685f7e9 100644
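Review bot: The new `:hop_limit => "-m hl --hl-eq"` entry in the resource map models only the equality form of the hl match; `--hl-lt`, `--hl-gt` and the negated `! --hl-eq` form that ip6tables accepts have no representation, so a rule written by hand with one of those presumably will not round-trip through the provider's rule parser (the parser is outside this hunk, so whether the match is silently ignored or the rule is mis-parsed cannot be confirmed here). That limitation is worth stating on the entry itself, e.g. `:hop_limit => "-m hl --hl-eq", # exact match only; --hl-lt/--hl-gt and negation are not modelled`, so the next person extending the map knows why a managed rule and a manual rule may diverge. The enclosing resource_map hash starts and ends outside the hunk.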
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -28,6 +28,7 @@ Puppet::Type.newtype(:firewall) do
     installed.
   EOS
 
+  feature :hop_limiting, "Hop limiting features."
   feature :rate_limiting, "Rate limiting features."
   feature :snat, "Source NATing"
   feature :dnat, "Destination NATing"
@@ -552,6 +553,14 @@ Puppet::Type.newtype(:firewall) do
     end
   end
 
+  # Hop limiting properties
+  newproperty(:hop_limit, :required_features => :hop_limiting) do
+    desc <<-EOS
+      Hop limiting value for matched packets.
+    EOS
+    newvalue(/^\d+$/)
+  end
+
   # Rate limiting properties
   newproperty(:limit, :required_features => :rate_limiting) do
     desc <<-EOS
diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
index 42816d6..7c507d7 100644
--- a/spec/fixtures/ip6tables/conversion_hash.rb
+++ b/spec/fixtures/ip6tables/conversion_hash.rb
@@ -95,4 +95,13 @@ HASH_TO_ARGS6 = {
     },
     :args => ["-t", :filter, "-p", :tcp, "-m", "frag", "--fragid", "0", "--fragfirst", "-m", "comment", "--comment", "100 first fragment"],
   },
+  'hop_limit' => {
+    :params => {
+      :name => "100 hop limit",
+      :hop_limit => 255,
+      :provider => 'ip6tables',
+      :table => "filter",
+    },
+    :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "100 hop limit", "-m", "hl", "--hl-eq", 255],
+  },
 }
-- 
2.45.2
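Review bot: `newvalue(/^\d+$/)` in the new hop_limit property validates per line, not the whole string — in Ruby `^`/`$` are line anchors, so a value like "255\nfoo" passes and is handed on to the provider; `\A`/`\z` are the whole-string anchors. Nothing bounds the value to the 8-bit hop-limit field either, so `hop_limit => 300` is accepted into the catalog and only fails when ip6tables rejects it at apply time, with a far less useful message. A validate block replacing the newvalue is sketched below; whether Puppet would honour both a newvalue regex and a validate block on one property is not visible from this hunk, so if the project prefers to keep newvalue, at least tighten it to `newvalue(/\A\d+\z/)`. The desc also reads as though the property imposes a limit, whereas it matches the packet's hop-limit field; `Match packets whose IPv6 hop limit equals this value (0-255); ip6tables -m hl --hl-eq. Typically used with 255 to accept only on-link traffic such as NDP.` would say what the rule actually does.
```ruby
  newproperty(:hop_limit, :required_features => :hop_limiting) do
    # … unchanged: desc …
    # Whole-string anchors (\A/\z rather than ^/$) plus an 8-bit range check,
    # so a bad value fails at catalog compile time instead of inside ip6tables.
    validate do |value|
      unless value.to_s =~ /\A\d+\z/ && value.to_i <= 255
        raise ArgumentError, "hop_limit must be an integer between 0 and 255, got #{value.inspect}"
      end
    end
  end
```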