From fb5fadfce34093e4b630ac62fcb8a84cebaa0bd4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rapha=C3=ABl=20Pinson?=
Date: Tue, 26 Mar 2019 14:58:53 +0100
Subject: [PATCH] Support ctdir

---
 lib/puppet/provider/firewall/ip6tables.rb | 3 ++-
 lib/puppet/provider/firewall/iptables.rb | 3 ++-
 lib/puppet/type/firewall.rb | 4 ++++
 spec/fixtures/iptables/conversion_hash.rb | 9 +++++++++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index eca66df..b28ddbb 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -72,6 +72,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 connlimit_mask: '--connlimit-mask',
 connmark: '-m connmark --mark',
 ctstate: '-m conntrack --ctstate',
+ ctdir: '--ctdir',
 destination: '-d',
 dport: ['-m multiport --dports', '--dport'],
 dst_range: '--dst-range',
@@ -253,7 +254,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state,
- :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
+ :ctstate, :ctdir, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest, :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 3819060..e00b2c3 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
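Review bot: The new `ctdir: '--ctdir'` entry carries no match loader, whereas the `ctstate` entry two lines above it is `'-m conntrack --ctstate'`; `--ctdir` is an option of that same conntrack match, so as far as this map shows a resource that sets ctdir without ctstate would emit `--ctdir REPLY` with no `-m conntrack` before it, which I would expect iptables to reject as an unknown option unless the provider inserts the module somewhere not visible here. The same applies to the identical entry in the iptables.rb hunk at offset 68. Simply prefixing the entry with `-m conntrack` would duplicate the match when both properties are set, so the cleaner fix is to make the dependency explicit — have the type refuse ctdir without ctstate, or at least document it — and add a fixture for the ctdir-only case so the chosen behaviour is pinned. The resource map this entry belongs to starts and ends outside the hunk.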
@@ -68,6 +68,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 connlimit_mask: '--connlimit-mask',
 connmark: '-m connmark --mark',
 ctstate: '-m conntrack --ctstate',
+ ctdir: '--ctdir',
 destination: '-d',
 dport: ['-m multiport --dports', '--dport'],
 dst_range: '--dst-range',
@@ -296,7 +297,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :proto, :isfragment, :stat_mode, :stat_every, :stat_packet, :stat_probability, :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy,
- :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
+ :state, :ctstate, :ctdir, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode, :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index cf27165..1bc8f83 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -940,6 +940,10 @@ Puppet::Type.newtype(:firewall) do
 end
 end

+ newproperty(:ctdir) do
+ newvalues(:REPLY, :ORIGINAL)
+ end
+
 # Connection mark
 newproperty(:connmark, required_features: :mark) do
 desc <<-PUPPETCODE
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index b99db65..6c92c2e 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
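Review bot: The new `ctdir` property in the firewall.rb hunk has no `desc`, while the neighbouring `connmark` property in the same hunk documents itself with a `desc <<-PUPPETCODE` heredoc, and the type's generated reference is built from those descriptions. Something like `desc 'Match packets travelling in the given direction of their tracked connection: ORIGINAL or REPLY. This is an option of the conntrack match, so it is intended to be set together with ctstate.'` would do; the second sentence should be confirmed against how the provider emits the flag before it is committed to documentation. The `newtype` block this property sits in starts and ends outside the hunk.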
@@ -980,6 +980,15 @@ HASH_TO_ARGS = {
 },
 args: ['-t', :filter, '-p', :tcp, '-m', 'conntrack', '--ctstate', 'ESTABLISHED,INVALID', '-m', 'comment', '--comment', '100 ctstates_set_from_array'],
 },
+ 'ctstates_and_ctdir' => {
+ params: {
+ name: '100 ctstates_and_ctdir',
+ table: 'filter',
+ ctstate: ['ESTABLISHED'],
+ ctdir: 'REPLY',
+ },
+ args: ['-t', :filter, '-p', :tcp, '-m', 'conntrack', '--ctstate', 'ESTABLISHED', '--ctdir', :REPLY, '-m', 'comment', '--comment', '100 ctstates_and_ctdir'],
+ },
 'comment_string_character_validation' => {
 params: {
 name: '000 allow from 192.168.0.1, please',
--
2.45.2
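Review bot: The fixture only exercises the hash-to-arguments direction, and only for ctdir combined with ctstate; nothing here pins how `--ctdir REPLY` in iptables-save output is read back into the `ctdir` property, and if that parse path does not recognise the flag the rule would be seen as out of sync and rewritten on every run. If this file also holds the reverse (arguments-to-hash) table, a matching entry there with `ctdir: 'REPLY'` would cover it; a ctdir-only case is also worth adding, since the new map entry does not carry `-m conntrack` and the expected output for that case is not obvious. The `HASH_TO_ARGS` hash starts and ends outside the hunk.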