From 57a40a1a131a1891649707a8919180f752b2c09f Mon Sep 17 00:00:00 2001
From: Markus Opolka
Date: Wed, 22 Apr 2020 09:32:19 +0200
Subject: [PATCH] Extend LOG options

- Adds booleans for --log-tcp-sequence, --log-tcp-options, --log-ip-options
---
 lib/puppet/provider/firewall/ip6tables.rb | 12 ++++-
 lib/puppet/provider/firewall/iptables.rb | 11 ++++-
 lib/puppet/type/firewall.rb | 47 +++++++++++++++++--
 .../firewall_attributes_happy_path_spec.rb | 15 +++--
 4 files changed, 73 insertions(+), 12 deletions(-)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index e0fa243..ddba026 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -17,6 +17,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 has_feature :log_level
 has_feature :log_prefix
 has_feature :log_uid
+ has_feature :log_tcp_sequence
+ has_feature :log_tcp_options
+ has_feature :log_ip_options
 has_feature :mark
 has_feature :mss
 has_feature :tcp_flags
@@ -114,6 +117,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 log_level: '--log-level',
 log_prefix: '--log-prefix',
 log_uid: '--log-uid',
+ log_tcp_sequence: '--log-tcp-sequence',
+ log_tcp_options: '--log-tcp-options',
+ log_ip_options: '--log-ip-options',
 mask: '--mask',
 match_mark: '-m mark --mark',
 name: '-m comment --comment',
@@ -199,6 +205,9 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :islastfrag,
 :isfirstfrag,
 :log_uid,
+ :log_tcp_sequence,
+ :log_tcp_options,
+ :log_ip_options,
 :rsource,
 :rdest,
 :reap,
@@ -283,7 +292,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
 :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options,
+ :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
 :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index c0afbcb..56fddcd 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -22,6 +22,9 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 has_feature :log_level
 has_feature :log_prefix
 has_feature :log_uid
+ has_feature :log_tcp_sequence
+ has_feature :log_tcp_options
+ has_feature :log_ip_options
 has_feature :mark
 has_feature :mss
 has_feature :nflog_group
@@ -107,6 +110,9 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 log_level: '--log-level',
 log_prefix: '--log-prefix',
 log_uid: '--log-uid',
+ log_tcp_sequence: '--log-tcp-sequence',
+ log_tcp_options: '--log-tcp-options',
+ log_ip_options: '--log-ip-options',
 mac_source: ['-m mac --mac-source', '--mac-source'],
 mask: '--mask',
 match_mark: '-m mark --mark',
@@ -205,6 +211,9 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :clamp_mss_to_pmtu,
 :isfragment,
 :log_uid,
+ :log_tcp_sequence,
+ :log_tcp_options,
+ :log_ip_options,
 :random_fully,
 :random,
 :rdest,
@@ -331,7 +340,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
 :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass, :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
- :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+ :log_level, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index a3eef48..5c5c3d3 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -35,7 +35,8 @@ Puppet::Type.newtype(:firewall) do * Required binaries: ip6tables-save, ip6tables. * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, - ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss, + ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, + log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
@@ -45,7 +46,8 @@ Puppet::Type.newtype(:firewall) do * Default for kernel == linux. * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length, - log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix, + log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options, + mark, mask, mss, netmap, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
@@ -90,6 +92,12 @@ Puppet::Type.newtype(:firewall) do * log_uid: The ability to log the userid of the process which generated the packet. + * log_tcp_sequence: The ability to log TCP sequence numbers. + + * log_tcp_options: The ability to log TCP packet header. + + * log_ip_options: The ability to log IP/IPv6 packet header. + * mark: The ability to match or set the netfilter mark value associated with the packet. * mask: The ability to match recent rules based on the ipv4 mask.
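Review bot: The ip6tables "Supported features" list in the first hunk (@@ -35) loses `mark` while gaining the three log features: the removed line read `log_uid, mark, mask, mss,` and its replacement reads `log_uid,` followed by `log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss,`. The iptables list in the second hunk keeps `mark`, and the ip6tables provider in this same patch still declares `has_feature :mark`, so this looks like an accidental drop rather than a deliberate change. Suggested replacement for the second added line: `log_tcp_sequence, log_tcp_options, log_ip_options, mark, mask, mss,`. The third hunk's feature descriptions are consistent with the two provider lists and need no change beyond this.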
@@ -153,6 +161,9 @@ Puppet::Type.newtype(:firewall) do
 feature :log_level, 'The ability to control the log level'
 feature :log_prefix, 'The ability to add prefixes to log messages'
 feature :log_uid, 'Add UIDs to log messages'
+ feature :log_tcp_sequence, 'Add TCP sequence numbers to log messages'
+ feature :log_tcp_options, 'Add TCP packet header to log messages'
+ feature :log_ip_options, 'Add IP/IPv6 packet header to log messages'
 feature :mark, 'Match or Set the netfilter mark value associated with the packet'
 feature :mss, 'Match a given TCP MSS value or range.'
 feature :tcp_flags, 'The ability to match on particular TCP flag settings'
@@ -796,6 +807,33 @@ Puppet::Type.newtype(:firewall) do
 newvalues(:true, :false)
 end
 
+ newproperty(:log_tcp_sequence, required_features: :log_tcp_sequence) do
+ desc <<-PUPPETCODE
+ When combined with jump => "LOG" enables logging of the TCP sequence
+ numbers.
+ PUPPETCODE
+
+ newvalues(:true, :false)
+ end
+
+ newproperty(:log_tcp_options, required_features: :log_tcp_options) do
+ desc <<-PUPPETCODE
+ When combined with jump => "LOG" logging of the TCP packet
+ header.
+ PUPPETCODE
+
+ newvalues(:true, :false)
+ end
+
+ newproperty(:log_ip_options, required_features: :log_ip_options) do
+ desc <<-PUPPETCODE
+ When combined with jump => "LOG" logging of the TCP IP/IPv6
+ packet header.
+ PUPPETCODE
+
+ newvalues(:true, :false)
+ end
+
 newproperty(:nflog_group, required_features: :nflog_group) do
 desc <<-PUPPETCODE
 Used with the jump target NFLOG.
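Review bot: The `desc` text of two of the three new properties in the second hunk (@@ -796) is malformed: `log_tcp_options` reads `When combined with jump => "LOG" logging of the TCP packet header.` (no verb, unlike the `enables logging` wording used for `log_tcp_sequence`), and `log_ip_options` reads `TCP IP/IPv6 packet header` although the option is about the IP header, not TCP. Suggested wording: `When combined with jump => "LOG" enables logging of the TCP packet header options.` and `When combined with jump => "LOG" enables logging of the IP/IPv6 packet header options.`, matching the `feature` strings added in the first hunk. Since operators read these descriptions when deciding what to log, the `log_tcp_sequence` desc would also benefit from the caveat the iptables-extensions manual attaches to `--log-tcp-sequence`, e.g. appending `The iptables LOG target documentation notes this is a security risk if the log is readable by unprivileged users.`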
@@ -2349,9 +2387,10 @@ Puppet::Type.newtype(:firewall) do
 end
 end
 
- if value(:log_prefix) || value(:log_level) || value(:log_uid) == :true
+ if value(:log_prefix) || value(:log_level) || value(:log_uid) ||
+ value(:log_tcp_sequence) || value(:log_tcp_options) || value(:log_ip_options) == :true
 unless value(:jump).to_s == 'LOG'
- raise 'Parameter log_prefix, log_level and log_uid require jump => LOG'
+ raise 'Parameter log_prefix, log_level, log_tcp_sequence, log_tcp_options, log_ip_options and log_uid require jump => LOG'
 end
 end
 
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index 9d350b6..cccc3e3 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -243,10 +243,13 @@ describe 'firewall attribute testing, happy path' do
 jump => 'LOG',
 log_prefix => 'FW-A-INPUT: ',
 }
- firewall { '701 - log_uid':
- chain => 'OUTPUT',
- jump => 'LOG',
- log_uid => true,
+ firewall { '701 - log_uid, tcp-sequences and options':
+ chain => 'OUTPUT',
+ jump => 'LOG',
+ log_uid => true,
+ log_tcp_sequence => true,
+ log_tcp_options => true,
+ log_ip_options => true,
 }
 firewall { '711 - physdev_in':
 chain => 'FORWARD',
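Review bot: The rewritten condition in the validate hunk (@@ -2349) compares only `value(:log_ip_options)` with `:true`, because `==` binds tighter than `||`; `value(:log_uid)`, `value(:log_tcp_sequence)` and `value(:log_tcp_options)` are now tested for mere presence. The properties are declared with `newvalues(:true, :false)`, so an explicit `=> false` is stored as the truthy symbol `:false`, and a rule such as `log_uid => false` with a non-LOG jump now raises, which the removed line avoided for `log_uid`. Replace the two added lines with `log_flag_set = %i[log_uid log_tcp_sequence log_tcp_options log_ip_options].any? { |p| value(p) == :true }` and `if value(:log_prefix) || value(:log_level) || log_flag_set`. The enclosing validate block begins and ends outside the hunk.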
@@ -433,8 +436,8 @@ describe 'firewall attribute testing, happy path' do
 it 'comment containing "-A "' do
 expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
 end
- it 'set log_uid' do
- expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid})
+ it 'set log_uid, log_tcp_sequence, log_tcp_options, log_ip_options' do
+ expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid, tcp-sequences and options" -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid})
 end
 it 'set physdev_in' do
 expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 711 -m comment --comment "711 - physdev_in" -j ACCEPT})
-- 
2.45.2
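Review bot: The new expectation pins the flag order `--log-tcp-sequence --log-tcp-options --log-ip-options --log-uid`, which is not the order in which this patch adds the symbols to the providers' resource lists (`log_uid` comes first there); if that is simply how iptables-save prints the LOG target options, a one-line comment above the `it` would save the next reader the same check, e.g. `# flag order follows iptables-save output, not the provider's resource list`. The happy path also only ever sets the three new booleans to `true`; the type now accepts `false` as well, and a case that sets one of them to `false` on a rule whose jump is not LOG would exercise the `:true` comparison in the type's validate block, which this spec file does not cover.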