From 053c6d66ec98c0e52ed9b3cf56ce58192f7c6001 Mon Sep 17 00:00:00 2001
From: James Taylor
Date: Fri, 31 Jan 2020 11:52:54 +1100
Subject: [PATCH] (MODULES-7800) add --helper option support for jump target CT
---
 lib/puppet/provider/firewall/ip6tables.rb | 3 ++-
 lib/puppet/provider/firewall/iptables.rb | 3 ++-
 lib/puppet/type/firewall.rb | 12 ++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 103773f..9d3c3c0 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -179,6 +179,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
 bytecode: '-m bpf --bytecode',
 zone: '--zone',
+ helper: '--helper',
 }
 
 # These are known booleans that do not take a value, but we want to munge
@@ -277,5 +278,5 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :name]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 8c9f2d3..ae22900 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
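Review bot: The new `helper: '--helper'` entry in the ip6tables resource_map (and the identical entry in the iptables.rb hunk of this patch) maps a bare `--helper` flag, whereas the neighbouring `bytecode: '-m bpf --bytecode'` entry pins the option to its owning module. `--helper` is also the option name of the `-m helper` match module, so if the provider derives its rule parser from this map, a saved rule of the form `-m helper --helper <name>` would presumably populate the `helper` property on a resource whose jump is not CT and then be rejected by the new `helper requires jump => CT` validation in firewall.rb on the next run; I cannot see the parsing code from this hunk, so that is inferred. Consider a parser-side test that round-trips a `-m helper` rule, or a comment on the entry such as `# CT target option; distinct from the '-m helper --helper' match module` so the ambiguity is recorded where the map is maintained.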
@@ -185,6 +185,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 bytecode: '-m bpf --bytecode',
 ipvs: '-m ipvs --ipvs',
 zone: '--zone',
+ helper: '--helper',
 }
 
 # These are known booleans that do not take a value, but we want to munge
@@ -323,7 +324,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :name
 ]
 
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 32483de..815ed92 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -2157,6 +2157,12 @@ Puppet::Type.newtype(:firewall) do
 PUPPETCODE
 end
 
+ newproperty(:helper, required_features: :ct_target) do
+ desc <<-PUPPETCODE
+ Invoke the nf_conntrack_xxx helper module for this packet.
+ PUPPETCODE
+ end
+
 autorequire(:firewallchain) do
 reqs = []
 protocol = nil
@@ -2374,6 +2380,12 @@ Puppet::Type.newtype(:firewall) do
 end
 end
 
+ if value(:helper)
+ unless value(:jump).to_s == 'CT'
+ raise 'Parameter helper requires jump => CT'
+ end
+ end
+
 if value(:jump).to_s == 'CT'
 unless value(:table).to_s =~ %r{raw}
 raise 'Parameter jump => CT only applies to table => raw'
-- 
2.45.2
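Review bot: `newproperty(:helper, required_features: :ct_target)` in the firewall.rb hunk accepts any string and has no `validate` block, so a typo or a value containing whitespace is only discovered when iptables rejects the generated `--helper` argument at apply time. A catalog-side check keeps the failure early and the error readable: `validate do |value|` / `  raise ArgumentError, "helper must be a conntrack helper name, got #{value.inspect}" unless value =~ %r{\A[\w.-]+\z}` / `end` (the dot is needed for names like H.245). The `desc` should also state that the property only takes effect with `jump => CT`, and therefore `table => raw`, since the validation added later in this patch rejects it otherwise and the one-line man-page sentence does not say so.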
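Review bot: The nested `if value(:helper)` / `unless value(:jump).to_s == 'CT'` / `raise` in the second firewall.rb hunk spends three nesting levels on a single condition; it collapses to one guard in the style of the rest of the file, `raise 'Parameter helper requires jump => CT' if value(:helper) && value(:jump).to_s != 'CT'`. The message and the exact-string comparison on `value(:jump).to_s` match the existing `jump => CT only applies to table => raw` check that follows, which is the right consistency to keep. The enclosing block (presumably the type's validate block) starts and ends outside the hunk.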