From 4d26a8d79079de5e13d07610a0f4ea7e53ddda86 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Fri, 14 Feb 2020 13:45:38 -0500
Subject: [PATCH] Support rpfilter

---
 lib/puppet/provider/firewall/ip6tables.rb | 5 ++++-
 lib/puppet/provider/firewall/iptables.rb | 4 +++-
 lib/puppet/type/firewall.rb | 11 +++++++++++
 .../acceptance/firewall_attributes_happy_path_spec.rb | 6 ++++++
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 089ab94..e0fa243 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -36,6 +36,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 has_feature :queue_num
 has_feature :queue_bypass
 has_feature :ct_target
+ has_feature :rpfilter
 
 optional_commands(ip6tables: 'ip6tables', ip6tables_save: 'ip6tables-save')
 
@@ -130,6 +131,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 reject: '--reject-with',
 rhitcount: '--hitcount',
 rname: '--name',
+ rpfilter: '-m rpfilter',
 rseconds: '--seconds',
 rsource: '--rsource',
 rttl: '--rttl',
@@ -200,6 +202,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :rsource,
 :rdest,
 :reap,
+ :rpfilter,
 :rttl,
 :socket,
 :physdev_is_bridged,
@@ -284,5 +287,5 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :name]
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :helper, :rpfilter, :name]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 75e3e49..066b0a8 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -45,6 +45,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 has_feature :queue_bypass
 has_feature :ipvs
 has_feature :ct_target
+ has_feature :rpfilter
 
 optional_commands(iptables: 'iptables', iptables_save: 'iptables-save')
 
@@ -129,6 +130,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 reject: '--reject-with',
 rhitcount: '--hitcount',
 rname: '--name',
+ rpfilter: '-m rpfilter',
 rseconds: '--seconds',
 rsource: '--rsource',
 rttl: '--rttl',
@@ -332,7 +334,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name
 ]
 
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index d0cc10a..d10389d 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -1639,6 +1639,17 @@ Puppet::Type.newtype(:firewall) do
 newvalues(:true, :false)
 end
 
+ newproperty(:rpfilter, required_features: :rpfilter) do
+ desc <<-PUPPETCODE
+ Enable the rpfilter module.
+ PUPPETCODE
+
+ newvalues(:loose, :validmark, :'accept-local', :invert)
+ munge do |value|
+ _value = '--' + value
+ end
+ end
+
 newproperty(:socket, required_features: :socket) do
 desc <<-PUPPETCODE
 If true, matches if an open socket can be found by doing a coket lookup
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index cbc0cb3..9d350b6 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -322,6 +322,12 @@ describe 'firewall attribute testing, happy path' do
 physdev_out => "eth1",
 physdev_is_bridged => true,
 }
+ firewall { '900 - set rpfilter':
+ table => 'raw',
+ chain => 'PREROUTING',
+ action => 'accept',
+ rpfilter => 'invert',
+ }
 firewall { '1000 - set_dscp':
 proto => 'tcp',
 jump => 'DSCP',
-- 
2.45.2
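Review bot: The `desc` added for the `rpfilter` property in the firewall.rb hunk says only "Enable the rpfilter module" and does not tell the user what the four `newvalues` mean, that exactly one flag can be set per rule even though `-m rpfilter` itself accepts several flags together (so an existing `--loose --validmark` rule cannot be expressed or round-tripped through the `rpfilter: '-m rpfilter'` maps added in the iptables.rb and ip6tables.rb hunks), or that the match is only valid in the PREROUTING chain of the raw and mangle tables, which is presumably why the acceptance example uses `table => 'raw'`. A fuller desc would state the mapping (`rpfilter => 'invert'` is rendered as `-m rpfilter --invert`), list the four accepted values, and name the single-flag and table/chain restrictions. The `munge` block also assigns an unused local, `_value = '--' + value`, where the assignment exists only to produce the return value and `+` raises TypeError should a Symbol ever reach it; `munge { |value| "--#{value}" }` is the idiomatic equivalent.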
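Review bot: The added `firewall { '900 - set rpfilter': ... }` resource in the spec hunk exercises only `invert`, so `accept-local` — the one value whose munged form `--accept-local` carries a hyphen inside the flag and is the likeliest to trip the provider's round-trip parse — and the ip6tables provider are not covered. A sibling resource with `rpfilter => 'accept-local',` in the same raw/PREROUTING placement would catch an idempotency regression between the type's munge and the providers' `-m rpfilter` mapping. The surrounding manifest heredoc and the expectations that check the resulting `iptables-save` output lie outside the hunk, so whether an assertion for rule 900 was added is not visible here.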