From 3f46798d3e3ef0cf8165771814dcb9cc20a8ad2d Mon Sep 17 00:00:00 2001
From: Alex Conrey <alex@conrey.us>
Date: Sat, 21 Mar 2020 17:57:44 -0700
Subject: [PATCH] Add iptables --hex-string support to firewall resource

---
 REFERENCE.md                              | 5 +++++
 lib/puppet/provider/firewall/iptables.rb  | 3 ++-
 lib/puppet/type/firewall.rb               | 7 +++++++
 spec/fixtures/iptables/conversion_hash.rb | 8 ++++++++
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index b510e3b..ea9a8aa 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1026,6 +1026,11 @@ Sets the length of layer-3 payload to match.
 String matching feature. Matches the packet against the pattern
 given as an argument.
 
+##### `string_hex`
+
+String matching feature. Matches the package against the hex pattern
+given as an argument.
+
 ##### `string_algo`
 
 Valid values: bm, kmp
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 066b0a8..c0afbcb 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -149,6 +149,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     stat_probability: '--probability',
     state: '-m state --state',
     string: '-m string --string',
+    string_hex: '-m string --hex-string',
     string_algo: '--algo',
     string_from: '--from',
     string_to: '--to',
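Review bot: The new `string_hex` entry re-emits `-m string` exactly as `string` does, so a resource that sets both properties renders two separate string matches in one rule, and since iptables refuses a string match without its own `--algo` (the fixtures in this patch always pass `--algo bm`), only the second match would receive the algorithm and the rule would fail to apply. Unless the two are meant to be combinable, the type should reject `string` and `string_hex` being set together, or the map should express the second value without a second `-m string`. The ordering change in the next hunk places `:string_hex` between `:string` and `:string_algo`, which is consistent with this entry but subject to the same concern. The resource map starts and ends outside the hunk.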
@@ -325,7 +326,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
     :state, :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
     :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir,
     :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
-    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_hex, :string_algo,
     :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
     :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index d10389d..a3eef48 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -2030,6 +2030,13 @@ Puppet::Type.newtype(:firewall) do
     end
   end
 
+  newproperty(:string_hex) do
+    desc <<-PUPPETCODE
+      String matching feature. Matches the package against the hex pattern
+      given as an argument.
+    PUPPETCODE
+  end
+
   newproperty(:string_algo, required_features: :string_matching) do
     desc <<-PUPPETCODE
       String matching feature, pattern matching strategy.
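Review bot: `newproperty(:string_hex)` omits `required_features: :string_matching`, which the sibling `string_algo` property directly below declares, so a provider that does not advertise the feature would accept the property and only fail when the rule is applied; change the line to `newproperty(:string_hex, required_features: :string_matching) do`. The desc also says "package" where the existing string-match text in REFERENCE.md says "packet", and the REFERENCE.md hunk in this patch repeats the same wording: `String matching feature. Matches the packet against the hex pattern`. The value is passed to iptables unchanged, so a `validate` block that rejects values without a pipe-delimited hex segment would surface typos at catalog compile time instead of as an iptables error at apply time. The enclosing `Puppet::Type.newtype(:firewall)` block starts and ends outside the hunk.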
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index b99db65..fe24939 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -713,6 +713,14 @@ ARGS_TO_HASH = {
       string_from: '1',
     },
   },
+  'hexstring_matching_1' => {
+    line: '-A INPUT -m string --hex-string "|0000FF0001|" --algo bm',
+    table: 'filter',
+    params: {
+      string_hex: '|0000FF0001|'.
+      string_algo: 'bm',
+    },
+  },
   'nfqueue_jump1' => {
     line: '-A INPUT -m tcp -p tcp -s 1.2.3.4/32 -d 4.3.2.1/32 -j NFQUEUE --queue-num 50 -m comment --comment "000 nfqueue specify queue_num"',
     table: 'filter',
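Review bot: The `string_hex` entry ends in a period instead of a comma, so `string_hex: '|0000FF0001|'.` followed by `string_algo: 'bm'` is at best a method call on the string literal and more likely a syntax error, and either way the fixture file will not load as two hash keys; change it to `string_hex: '|0000FF0001|',`. The expected `params` drop the double quotes around the value in `line`, which is only correct if the provider's parser strips them for `--hex-string` as it presumably does for `--string`; that parsing code is not part of this patch, so it is worth confirming by running the conversion spec once the comma is fixed. The `ARGS_TO_HASH` literal starts and ends outside the hunk.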
-- 
2.45.2