From fa5a41a7e2a36ee98cd0a2382a6a2f1b3f115096 Mon Sep 17 00:00:00 2001 From: frh <4987254+frh@users.noreply.github.com> Date: Tue, 19 May 2020 14:19:18 +0200 Subject: [PATCH] Add support for NFLOG options to ip6tables --- REFERENCE.md | 2 +- lib/puppet/provider/firewall/ip6tables.rb | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 4b57a52..af2d270 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -126,7 +126,7 @@ installed. * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match, interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag, ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, - log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, + log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss, nflog_group, nflog_prefix, nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf. diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb index ddba026..702072c 100644 --- a/lib/puppet/provider/firewall/ip6tables.rb +++ b/lib/puppet/provider/firewall/ip6tables.rb @@ -22,6 +22,10 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 has_feature :log_ip_options has_feature :mark has_feature :mss + has_feature :nflog_group + has_feature :nflog_prefix + has_feature :nflog_range + has_feature :nflog_threshold has_feature :tcp_flags has_feature :pkttype has_feature :ishasmorefrags 
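Review bot: No spec accompanies the four `has_feature :nflog_*` declarations added in the ip6tables.rb hunk; the diffstat lists only REFERENCE.md and the provider file. These declarations appear to be what lets an IPv6 rule use the NFLOG properties at all, so a provider spec that builds a rule with `jump => 'NFLOG'` and checks the generated arguments would catch a regression that silently drops IPv6 logging rules. A one-line comment above the group, for example `# NFLOG target options, used together with jump => 'NFLOG'`, would also explain why the four belong together. The provider block starts and ends outside this hunk.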
@@ -125,6 +129,10 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 name: '-m comment --comment', mac_source: ['-m mac --mac-source', '--mac-source'], mss: '-m tcpmss --mss', + nflog_group: '--nflog-group', + nflog_prefix: '--nflog-prefix', + nflog_range: '--nflog-range', + nflog_threshold: '--nflog-threshold', outiface: '-o', pkttype: '-m pkttype --pkt-type', port: '-m multiport --ports', @@ -291,7 +299,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6 :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo, - :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest, + :string_from, :string_to, :jump, :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway, :todest, :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, -- 2.45.2
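Review bot: `nflog_prefix` is the only one of the four new map entries that carries free-form text, and nothing in this hunk shows how a prefix containing spaces or quotes is quoted when the rule is written, or unquoted when `ip6tables-save` output is parsed back. That handling presumably lives in the parent iptables provider and should be confirmed for ip6tables. A prefix that does not round-trip would make the rule look changed on every run or be mis-parsed, which matters when the log rule serves as an audit trail. Separately, the iptables-extensions man page describes `--nflog-size` as the replacement for `--nflog-range`, so a comment on that entry such as `# newer iptables documents --nflog-size as the replacement for --nflog-range` would warn operators who rely on it to bound captured bytes. The map literal starts and ends outside the hunk.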
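Review bot: In the last hunk the four `:nflog_*` symbols are appended to the existing `:string_from, :string_to, :jump, ...` line, which makes it much longer than its neighbours and hides an ordering that looks deliberate. These are target options, so they have to come after `:jump` in the argument order. Putting them on their own line with a comment records that constraint for the next editor: `# NFLOG target options must follow :jump` followed by `:nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold,`, leaving `:clamp_mss_to_pmtu, :gateway, :todest,` on the original line. The array literal starts and ends outside the hunk, so its overall order could not be checked here.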