freighthop 0.3.3 → 0.4.0
- checksums.yaml +7 -0
- data/Puppetfile +1 -1
- data/Puppetfile.lock +4 -5
- data/README.md +18 -7
- data/Vagrantfile +4 -0
- data/lib/freighthop/cli/help.rb +1 -0
- data/lib/freighthop/cli/init.rb +10 -10
- data/lib/freighthop/cli/version.rb +17 -0
- data/lib/freighthop/cli.rb +3 -1
- data/lib/freighthop/version.rb +1 -1
- data/lib/freighthop.rb +4 -0
- data/modules/apt/CHANGELOG +2 -36
- data/modules/apt/Gemfile +5 -6
- data/modules/apt/Gemfile.lock +7 -40
- data/modules/apt/Modulefile +1 -1
- data/modules/apt/README.md +1 -2
- data/modules/apt/Rakefile +0 -1
- data/modules/apt/manifests/init.pp +2 -5
- data/modules/apt/manifests/params.pp +1 -4
- data/modules/apt/manifests/pin.pp +1 -1
- data/modules/apt/manifests/ppa.pp +10 -24
- data/modules/apt/manifests/update.pp +0 -1
- data/modules/apt/metadata.json +19 -32
- data/modules/apt/spec/defines/ppa_spec.rb +2 -53
- data/modules/apt/spec/defines/source_spec.rb +2 -2
- data/modules/apt/templates/source.list.erb +2 -2
- data/modules/apt/tests/key.pp +3 -3
- data/modules/concat/CHANGELOG +73 -0
- data/modules/concat/Gemfile +20 -0
- data/modules/concat/Gemfile.lock +104 -0
- data/modules/concat/Modulefile +7 -6
- data/modules/concat/README.md +440 -0
- data/modules/concat/Rakefile +5 -1
- data/modules/concat/files/concatfragments.rb +137 -0
- data/modules/concat/files/concatfragments.sh +15 -4
- data/modules/concat/lib/facter/concat_basedir.rb +9 -3
- data/modules/concat/manifests/fragment.pp +108 -48
- data/modules/concat/manifests/init.pp +191 -210
- data/modules/concat/manifests/setup.pp +31 -31
- data/modules/concat/metadata.json +40 -21
- data/modules/{apt → concat}/spec/spec_helper_system.rb +11 -6
- data/modules/{firewall → concat}/spec/system/basic_spec.rb +1 -1
- data/modules/concat/spec/system/concat_spec.rb +154 -0
- data/modules/concat/spec/system/deprecation_warnings_spec.rb +247 -0
- data/modules/concat/spec/system/empty_spec.rb +27 -0
- data/modules/concat/spec/system/fragment_source_spec.rb +142 -0
- data/modules/concat/spec/system/replace_spec.rb +257 -0
- data/modules/concat/spec/system/symbolic_name_spec.rb +35 -0
- data/modules/concat/spec/system/warn_spec.rb +106 -0
- data/modules/concat/spec/unit/classes/concat_setup_spec.rb +42 -0
- data/modules/concat/spec/unit/defines/concat_fragment_spec.rb +267 -0
- data/modules/concat/spec/unit/defines/concat_spec.rb +380 -0
- data/modules/concat/spec/unit/facts/concat_basedir_spec.rb +18 -0
- data/modules/concat/tests/fragment.pp +19 -0
- data/modules/concat/tests/init.pp +7 -0
- data/modules/firewall/Changelog +38 -0
- data/modules/firewall/Gemfile +5 -2
- data/modules/firewall/Gemfile.lock +76 -26
- data/modules/firewall/Modulefile +1 -1
- data/modules/firewall/README.markdown +47 -15
- data/modules/firewall/Rakefile +0 -7
- data/modules/firewall/lib/puppet/provider/firewall/ip6tables.rb +50 -7
- data/modules/firewall/lib/puppet/provider/firewall/iptables.rb +147 -31
- data/modules/firewall/lib/puppet/provider/firewallchain/iptables_chain.rb +19 -8
- data/modules/firewall/lib/puppet/type/firewall.rb +207 -3
- data/modules/firewall/lib/puppet/type/firewallchain.rb +73 -2
- data/modules/firewall/lib/puppet/util/firewall.rb +14 -0
- data/modules/firewall/metadata.json +181 -76
- data/modules/firewall/spec/acceptance/basic_spec.rb +8 -0
- data/modules/firewall/spec/acceptance/change_source_spec.rb +77 -0
- data/modules/firewall/spec/acceptance/class_spec.rb +27 -0
- data/modules/firewall/spec/acceptance/firewall_spec.rb +1608 -0
- data/modules/firewall/spec/acceptance/firewallchain_spec.rb +125 -0
- data/modules/firewall/spec/acceptance/ip6_fragment_spec.rb +94 -0
- data/modules/firewall/spec/acceptance/isfragment_spec.rb +92 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-fusion.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/firewall/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/debian-70rc1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/fedora-18-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/sles-11sp1-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/firewall/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/firewall/spec/{system → acceptance}/params_spec.rb +44 -52
- data/modules/firewall/spec/acceptance/purge_spec.rb +124 -0
- data/modules/firewall/spec/acceptance/resource_cmd_spec.rb +93 -0
- data/modules/firewall/spec/acceptance/rules_spec.rb +248 -0
- data/modules/firewall/spec/acceptance/socket_spec.rb +96 -0
- data/modules/firewall/spec/{system → acceptance}/standard_usage_spec.rb +6 -10
- data/modules/firewall/spec/fixtures/ip6tables/conversion_hash.rb +107 -0
- data/modules/firewall/spec/fixtures/iptables/conversion_hash.rb +56 -2
- data/modules/firewall/spec/spec_helper_acceptance.rb +38 -0
- data/modules/firewall/spec/unit/classes/firewall_spec.rb +2 -2
- data/modules/firewall/spec/unit/facter/iptables_persistent_version_spec.rb +8 -5
- data/modules/firewall/spec/unit/facter/iptables_spec.rb +6 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_chain_spec.rb +14 -4
- data/modules/firewall/spec/unit/puppet/provider/iptables_spec.rb +246 -5
- data/modules/firewall/spec/unit/puppet/type/firewall_spec.rb +99 -8
- data/modules/firewall/spec/unit/puppet/type/firewallchain_spec.rb +50 -6
- data/modules/firewall/spec/unit/puppet/util/firewall_spec.rb +21 -0
- data/modules/mysql/CHANGELOG +0 -30
- data/modules/mysql/Gemfile +0 -1
- data/modules/mysql/Gemfile.lock +30 -31
- data/modules/mysql/Modulefile +1 -1
- data/modules/mysql/README.md +2 -49
- data/modules/mysql/files/mysqltuner.pl +1 -1
- data/modules/mysql/lib/puppet/provider/database/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_grant/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/database_user/mysql.rb +1 -1
- data/modules/mysql/lib/puppet/provider/mysql.rb +1 -2
- data/modules/mysql/lib/puppet/provider/mysql_database/mysql.rb +13 -2
- data/modules/mysql/lib/puppet/provider/mysql_user/mysql.rb +12 -0
- data/modules/mysql/lib/puppet/type/database_user.rb +1 -1
- data/modules/mysql/lib/puppet/type/mysql_grant.rb +3 -5
- data/modules/mysql/manifests/client.pp +0 -7
- data/modules/mysql/manifests/server/root_password.pp +0 -2
- data/modules/mysql/manifests/server.pp +0 -6
- data/modules/mysql/metadata.json +79 -81
- data/modules/mysql/spec/classes/mysql_server_spec.rb +0 -74
- data/modules/mysql/spec/system/mysql_server_root_password_spec.rb +1 -7
- data/modules/mysql/spec/system/mysql_server_spec.rb +3 -6
- data/modules/mysql/spec/system/types/mysql_grant_spec.rb +0 -27
- data/modules/mysql/spec/unit/puppet/functions/mysql_deepmerge_spec.rb +1 -1
- data/modules/mysql/spec/unit/puppet/provider/database/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/database_grant/mysql_spec.rb +15 -15
- data/modules/mysql/spec/unit/puppet/provider/database_user/mysql_spec.rb +4 -4
- data/modules/mysql/spec/unit/puppet/provider/mysql_database/mysql_spec.rb +3 -3
- data/modules/mysql/spec/unit/puppet/provider/mysql_user/mysql_spec.rb +3 -3
- data/modules/mysql/templates/my.cnf.erb +2 -4
- data/modules/mysql/tests/mysql_grant.pp +1 -1
- data/modules/postgresql/Changelog +31 -0
- data/modules/postgresql/Gemfile +4 -2
- data/modules/postgresql/Modulefile +1 -1
- data/modules/postgresql/README.md +10 -4
- data/modules/postgresql/Rakefile +0 -1
- data/modules/postgresql/lib/puppet/provider/postgresql_psql/ruby.rb +25 -3
- data/modules/postgresql/manifests/globals.pp +2 -0
- data/modules/postgresql/manifests/params.pp +21 -0
- data/modules/postgresql/manifests/server/config.pp +0 -5
- data/modules/postgresql/manifests/server/config_entry.pp +1 -1
- data/modules/postgresql/manifests/server/database.pp +2 -1
- data/modules/postgresql/manifests/server/db.pp +2 -0
- data/modules/postgresql/manifests/server/grant.pp +20 -16
- data/modules/postgresql/manifests/server/initdb.pp +27 -3
- data/modules/postgresql/manifests/server/pg_hba_rule.pp +2 -4
- data/modules/postgresql/manifests/server/role.pp +8 -2
- data/modules/postgresql/manifests/server/service.pp +5 -0
- data/modules/postgresql/manifests/server.pp +2 -0
- data/modules/postgresql/metadata.json +88 -65
- data/modules/postgresql/spec/acceptance/client_spec.rb +18 -0
- data/modules/postgresql/spec/{system → acceptance}/common_patterns_spec.rb +8 -14
- data/modules/postgresql/spec/{system → acceptance}/contrib_spec.rb +4 -9
- data/modules/postgresql/spec/acceptance/lib/devel_spec.rb +17 -0
- data/modules/postgresql/spec/acceptance/lib/java_spec.rb +20 -0
- data/modules/postgresql/spec/acceptance/lib/python_spec.rb +19 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-510-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-59-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64-pe.yml +12 -0
- data/modules/postgresql/spec/acceptance/nodesets/centos-64-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-607-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/debian-73-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/default.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-10044-x64.yml +10 -0
- data/modules/postgresql/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml +10 -0
- data/modules/postgresql/spec/{system → acceptance}/postgresql_psql_spec.rb +6 -14
- data/modules/postgresql/spec/{system → acceptance}/server/config_entry_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/database_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/db_spec.rb +47 -42
- data/modules/postgresql/spec/{system → acceptance}/server/grant_spec.rb +6 -12
- data/modules/postgresql/spec/{system → acceptance}/server/pg_hba_rule_spec.rb +10 -23
- data/modules/postgresql/spec/{system → acceptance}/server/plperl_spec.rb +6 -10
- data/modules/postgresql/spec/{system → acceptance}/server/role_spec.rb +13 -28
- data/modules/postgresql/spec/acceptance/server/table_grant_spec.rb +124 -0
- data/modules/postgresql/spec/{system → acceptance}/server/tablespace_spec.rb +8 -22
- data/modules/postgresql/spec/{system → acceptance}/server_spec.rb +38 -61
- data/modules/postgresql/spec/{system → acceptance}/validate_db_connection_spec.rb +8 -20
- data/modules/postgresql/spec/spec_helper_acceptance.rb +70 -0
- data/modules/postgresql/spec/unit/classes/globals_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/lib/devel_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/params_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/repo_spec.rb +1 -1
- data/modules/postgresql/spec/unit/classes/server/initdb_spec.rb +2 -1
- data/modules/postgresql/spec/unit/classes/server/plperl_spec.rb +2 -2
- data/modules/postgresql/spec/unit/classes/server_spec.rb +9 -2
- data/modules/postgresql/spec/unit/puppet/provider/postgresql_psql/ruby_spec.rb +15 -17
- data/modules/rbenv/bin/autospec +0 -0
- data/modules/rbenv/bin/facter +0 -0
- data/modules/rbenv/bin/filebucket +0 -0
- data/modules/rbenv/bin/hiera +0 -0
- data/modules/rbenv/bin/htmldiff +0 -0
- data/modules/rbenv/bin/ldiff +0 -0
- data/modules/rbenv/bin/pi +0 -0
- data/modules/rbenv/bin/puppet +0 -0
- data/modules/rbenv/bin/puppet-lint +0 -0
- data/modules/rbenv/bin/puppet-module +0 -0
- data/modules/rbenv/bin/puppetca +0 -0
- data/modules/rbenv/bin/puppetd +0 -0
- data/modules/rbenv/bin/puppetdoc +0 -0
- data/modules/rbenv/bin/puppetmasterd +0 -0
- data/modules/rbenv/bin/puppetqd +0 -0
- data/modules/rbenv/bin/puppetrun +0 -0
- data/modules/rbenv/bin/rake +0 -0
- data/modules/rbenv/bin/ralsh +0 -0
- data/modules/rbenv/bin/rspec +0 -0
- data/modules/rbenv/bin/rspec-puppet-init +0 -0
- data/modules/stdlib/spec/monkey_patches/alias_should_to_must.rb +0 -0
- data/modules/stdlib/spec/monkey_patches/publicize_methods.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/abs_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/bool2num_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/capitalize_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chomp_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/chop_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_at_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/delete_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/dirname_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/downcase_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/empty_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/flatten_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/grep_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_interface_with_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_address_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/has_ip_network_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/max_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/min_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/reject_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/to_bytes_spec.rb +0 -0
- data/modules/stdlib/spec/unit/puppet/parser/functions/validate_slength_spec.rb +0 -0
- metadata +92 -77
- data/modules/apt/manifests/unattended_upgrades.pp +0 -68
- data/modules/apt/spec/classes/unattended_upgrades_spec.rb +0 -204
- data/modules/apt/spec/system/apt_builddep_spec.rb +0 -38
- data/modules/apt/spec/system/apt_key_spec.rb +0 -53
- data/modules/apt/spec/system/apt_ppa_spec.rb +0 -59
- data/modules/apt/spec/system/apt_source_spec.rb +0 -51
- data/modules/apt/spec/system/basic_spec.rb +0 -10
- data/modules/apt/spec/system/class_spec.rb +0 -20
- data/modules/apt/templates/10periodic.erb +0 -12
- data/modules/apt/templates/50unattended-upgrades.erb +0 -53
- data/modules/apt/tests/unattended-upgrades.pp +0 -1
- data/modules/concat/README.markdown +0 -150
- data/modules/concat/spec/defines/init_spec.rb +0 -115
- data/modules/concat/spec/fixtures/manifests/site.pp +0 -0
- data/modules/firewall/spec/spec_helper_system.rb +0 -49
- data/modules/firewall/spec/system/class_spec.rb +0 -39
- data/modules/firewall/spec/system/purge_spec.rb +0 -29
- data/modules/firewall/spec/system/resource_cmd_spec.rb +0 -53
- data/modules/mysql/manifests/server/providers.pp +0 -8
- data/modules/mysql/tests/bindings.pp +0 -3
- data/modules/postgresql/Gemfile.lock +0 -74
- data/modules/postgresql/spec/spec_helper_system.rb +0 -66
- data/modules/postgresql/spec/system/client_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/devel_spec.rb +0 -22
- data/modules/postgresql/spec/system/lib/java_spec.rb +0 -25
- data/modules/postgresql/spec/system/lib/python_spec.rb +0 -24
- data/modules/postgresql/spec/system/server/table_grant_spec.rb +0 -72
@@ -8,6 +8,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
8
8
|
|
9
9
|
has_feature :iptables
|
10
10
|
has_feature :rate_limiting
|
11
|
+
has_feature :recent_limiting
|
11
12
|
has_feature :snat
|
12
13
|
has_feature :dnat
|
13
14
|
has_feature :interface_match
|
@@ -24,6 +25,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
24
25
|
has_feature :socket
|
25
26
|
has_feature :address_type
|
26
27
|
has_feature :iprange
|
28
|
+
has_feature :ipsec_dir
|
29
|
+
has_feature :ipsec_policy
|
27
30
|
|
28
31
|
optional_commands({
|
29
32
|
:iptables => 'iptables',
|
@@ -43,10 +46,11 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
43
46
|
|
44
47
|
@resource_map = {
|
45
48
|
:burst => "--limit-burst",
|
49
|
+
:ctstate => "-m conntrack --ctstate",
|
46
50
|
:destination => "-d",
|
47
51
|
:dst_type => "-m addrtype --dst-type",
|
48
52
|
:dst_range => "-m iprange --dst-range",
|
49
|
-
:dport => ["-m multiport --dports", "
|
53
|
+
:dport => ["-m multiport --dports", "--dport"],
|
50
54
|
:gid => "-m owner --gid-owner",
|
51
55
|
:icmp => "-m icmp --icmp-type",
|
52
56
|
:iniface => "-i",
|
@@ -58,13 +62,22 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
58
62
|
:outiface => "-o",
|
59
63
|
:port => '-m multiport --ports',
|
60
64
|
:proto => "-p",
|
65
|
+
:random => "--random",
|
66
|
+
:rdest => "--rdest",
|
67
|
+
:reap => "--reap",
|
68
|
+
:recent => "-m recent",
|
61
69
|
:reject => "--reject-with",
|
70
|
+
:rhitcount => "--hitcount",
|
71
|
+
:rname => "--name",
|
72
|
+
:rseconds => "--seconds",
|
73
|
+
:rsource => "--rsource",
|
74
|
+
:rttl => "--rttl",
|
62
75
|
:set_mark => mark_flag,
|
63
76
|
:socket => "-m socket",
|
64
77
|
:source => "-s",
|
65
78
|
:src_type => "-m addrtype --src-type",
|
66
79
|
:src_range => "-m iprange --src-range",
|
67
|
-
:sport => ["-m multiport --sports", "
|
80
|
+
:sport => ["-m multiport --sports", "--sport"],
|
68
81
|
:state => "-m state --state",
|
69
82
|
:table => "-t",
|
70
83
|
:tcp_flags => "-m tcp --tcp-flags",
|
@@ -74,16 +87,47 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
74
87
|
:uid => "-m owner --uid-owner",
|
75
88
|
:pkttype => "-m pkttype --pkt-type",
|
76
89
|
:isfragment => "-f",
|
90
|
+
:ipsec_dir => "-m policy --dir",
|
91
|
+
:ipsec_policy => "--pol",
|
77
92
|
}
|
78
93
|
|
94
|
+
# These are known booleans that do not take a value, but we want to munge
|
95
|
+
# to true if they exist.
|
96
|
+
@known_booleans = [
|
97
|
+
:isfragment,
|
98
|
+
:random,
|
99
|
+
:rdest,
|
100
|
+
:reap,
|
101
|
+
:rsource,
|
102
|
+
:rttl,
|
103
|
+
:socket
|
104
|
+
]
|
105
|
+
|
106
|
+
|
79
107
|
# Create property methods dynamically
|
80
108
|
(@resource_map.keys << :chain << :table << :action).each do |property|
|
81
|
-
|
82
|
-
|
109
|
+
if @known_booleans.include?(property) then
|
110
|
+
# The boolean properties default to '' which should be read as false
|
111
|
+
define_method "#{property}" do
|
112
|
+
@property_hash[property] = :false if @property_hash[property] == nil
|
113
|
+
@property_hash[property.to_sym]
|
114
|
+
end
|
115
|
+
else
|
116
|
+
define_method "#{property}" do
|
117
|
+
@property_hash[property.to_sym]
|
118
|
+
end
|
83
119
|
end
|
84
120
|
|
85
|
-
|
86
|
-
|
121
|
+
if property == :chain
|
122
|
+
define_method "#{property}=" do |value|
|
123
|
+
if @property_hash[:chain] != value
|
124
|
+
raise ArgumentError, "Modifying the chain for existing rules is not supported."
|
125
|
+
end
|
126
|
+
end
|
127
|
+
else
|
128
|
+
define_method "#{property}=" do |value|
|
129
|
+
@property_hash[:needs_change] = true
|
130
|
+
end
|
87
131
|
end
|
88
132
|
end
|
89
133
|
|
@@ -91,11 +135,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
91
135
|
# we need it to properly parse and apply rules, if the order of resource
|
92
136
|
# changes between puppet runs, the changed rules will be re-applied again.
|
93
137
|
# This order can be determined by going through iptables source code or just tweaking and trying manually
|
94
|
-
@resource_list = [
|
95
|
-
:
|
96
|
-
:
|
97
|
-
:
|
98
|
-
:
|
138
|
+
@resource_list = [
|
139
|
+
:table, :source, :destination, :iniface, :outiface, :proto, :isfragment,
|
140
|
+
:src_range, :dst_range, :tcp_flags, :gid, :uid, :sport, :dport, :port,
|
141
|
+
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
|
142
|
+
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
|
143
|
+
:rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
|
144
|
+
:toports, :random, :log_prefix, :log_level, :reject, :set_mark
|
145
|
+
]
|
99
146
|
|
100
147
|
def insert
|
101
148
|
debug 'Inserting rule %s' % resource[:name]
|
@@ -154,10 +201,6 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
154
201
|
keys = []
|
155
202
|
values = line.dup
|
156
203
|
|
157
|
-
# These are known booleans that do not take a value, but we want to munge
|
158
|
-
# to true if they exist.
|
159
|
-
known_booleans = [:socket, :isfragment]
|
160
|
-
|
161
204
|
####################
|
162
205
|
# PRE-PARSE CLUDGING
|
163
206
|
####################
|
@@ -165,25 +208,47 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
165
208
|
# --tcp-flags takes two values; we cheat by adding " around it
|
166
209
|
# so it behaves like --comment
|
167
210
|
values = values.sub(/--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1 \2"')
|
211
|
+
# we do a similar thing for negated address masks (source and destination).
|
212
|
+
values = values.sub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
|
213
|
+
# the actual rule will have the ! mark before the option.
|
214
|
+
values = values.sub(/(!)\s*(-\S+)\s*(\S*)/, '\2 "\1 \3"')
|
215
|
+
# The match extension for tcp & udp are optional and throws off the @resource_map.
|
216
|
+
values = values.sub(/-m (tcp|udp) (--(s|d)port|-m multiport)/, '\2')
|
168
217
|
|
169
218
|
# Trick the system for booleans
|
170
|
-
known_booleans.each do |bool|
|
171
|
-
|
172
|
-
values = values.sub(/#{@resource_map[bool]}/, '-m socket true')
|
173
|
-
end
|
219
|
+
@known_booleans.each do |bool|
|
220
|
+
# append "true" because all params are expected to have values
|
174
221
|
if bool == :isfragment then
|
222
|
+
# -f requires special matching:
|
175
223
|
# only replace those -f that are not followed by an l to
|
176
224
|
# distinguish between -f and the '-f' inside of --tcp-flags.
|
177
225
|
values = values.sub(/-f(?!l)(?=.*--comment)/, '-f true')
|
226
|
+
else
|
227
|
+
values = values.sub(/#{@resource_map[bool]}/, "#{@resource_map[bool]} true")
|
178
228
|
end
|
179
229
|
end
|
180
230
|
|
231
|
+
############
|
232
|
+
# Populate parser_list with used value, in the correct order
|
233
|
+
############
|
234
|
+
map_index={}
|
235
|
+
@resource_map.each_pair do |map_k,map_v|
|
236
|
+
[map_v].flatten.each do |v|
|
237
|
+
ind=values.index(/\s#{v}/)
|
238
|
+
next unless ind
|
239
|
+
map_index[map_k]=ind
|
240
|
+
end
|
241
|
+
end
|
242
|
+
# Generate parser_list based on the index of the found option
|
243
|
+
parser_list=[]
|
244
|
+
map_index.sort_by{|k,v| v}.each{|mapi| parser_list << mapi.first }
|
245
|
+
|
181
246
|
############
|
182
247
|
# MAIN PARSE
|
183
248
|
############
|
184
249
|
|
185
250
|
# Here we iterate across our values to generate an array of keys
|
186
|
-
|
251
|
+
parser_list.reverse.each do |k|
|
187
252
|
resource_map_key = @resource_map[k]
|
188
253
|
[resource_map_key].flatten.each do |opt|
|
189
254
|
if values.slice!(/\s#{opt}/)
|
@@ -206,17 +271,20 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
206
271
|
|
207
272
|
# Normalise all rules to CIDR notation.
|
208
273
|
[:source, :destination].each do |prop|
|
209
|
-
|
274
|
+
next if hash[prop].nil?
|
275
|
+
m = hash[prop].match(/(!?)\s?(.*)/)
|
276
|
+
neg = "! " if m[1] == "!"
|
277
|
+
hash[prop] = "#{neg}#{Puppet::Util::IPCidr.new(m[2]).cidr}"
|
210
278
|
end
|
211
279
|
|
212
|
-
[:dport, :sport, :port, :state].each do |prop|
|
280
|
+
[:dport, :sport, :port, :state, :ctstate].each do |prop|
|
213
281
|
hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
|
214
282
|
end
|
215
283
|
|
216
284
|
# Convert booleans removing the previous cludge we did
|
217
|
-
known_booleans.each do |bool|
|
285
|
+
@known_booleans.each do |bool|
|
218
286
|
if hash[bool] != nil then
|
219
|
-
|
287
|
+
if hash[bool] != "true" then
|
220
288
|
raise "Parser error: #{bool} was meant to be a boolean but received value: #{hash[bool]}."
|
221
289
|
end
|
222
290
|
end
|
@@ -234,7 +302,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
234
302
|
|
235
303
|
# States should always be sorted. This ensures that the output from
|
236
304
|
# iptables-save and user supplied resources is consistent.
|
237
|
-
hash[:state]
|
305
|
+
hash[:state] = hash[:state].sort unless hash[:state].nil?
|
306
|
+
hash[:ctstate] = hash[:ctstate].sort unless hash[:ctstate].nil?
|
238
307
|
|
239
308
|
# This forces all existing, commentless rules or rules with invalid comments to be moved
|
240
309
|
# to the bottom of the stack.
|
@@ -309,17 +378,21 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
309
378
|
args = []
|
310
379
|
resource_list = self.class.instance_variable_get('@resource_list')
|
311
380
|
resource_map = self.class.instance_variable_get('@resource_map')
|
381
|
+
known_booleans = self.class.instance_variable_get('@known_booleans')
|
312
382
|
|
313
383
|
resource_list.each do |res|
|
314
384
|
resource_value = nil
|
315
385
|
if (resource[res]) then
|
316
386
|
resource_value = resource[res]
|
317
387
|
# If socket is true then do not add the value as -m socket is standalone
|
318
|
-
if res
|
319
|
-
|
320
|
-
|
321
|
-
|
322
|
-
|
388
|
+
if known_booleans.include?(res) then
|
389
|
+
if resource[res] == :true then
|
390
|
+
resource_value = nil
|
391
|
+
else
|
392
|
+
# If the property is not :true then we don't want to add the value
|
393
|
+
# to the args list
|
394
|
+
next
|
395
|
+
end
|
323
396
|
end
|
324
397
|
elsif res == :jump and resource[:action] then
|
325
398
|
# In this case, we are substituting jump for action
|
@@ -330,6 +403,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
330
403
|
|
331
404
|
args << [resource_map[res]].flatten.first.split(' ')
|
332
405
|
|
406
|
+
# On negations, the '!' has to be before the option (eg: "! -d 1.2.3.4")
|
407
|
+
if resource_value.is_a?(String) and resource_value.sub!(/^!\s*/, '') then
|
408
|
+
# we do this after adding the 'dash' argument because of ones like "-m multiport --dports", where we want it before the "--dports" but after "-m multiport".
|
409
|
+
# so we insert before whatever the last argument is
|
410
|
+
args.insert(-2, '!')
|
411
|
+
end
|
412
|
+
|
413
|
+
|
333
414
|
# For sport and dport, convert hyphens to colons since the type
|
334
415
|
# expects hyphens for ranges of ports.
|
335
416
|
if [:sport, :dport, :port].include?(res) then
|
@@ -369,8 +450,43 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
|
|
369
450
|
# No rules at all? Just bail now.
|
370
451
|
return 1 if rules.empty?
|
371
452
|
|
453
|
+
# Add our rule to the end of the array of known rules
|
372
454
|
my_rule = resource[:name].to_s
|
373
455
|
rules << my_rule
|
374
|
-
|
456
|
+
|
457
|
+
unmanaged_rule_regex = /^9[0-9]{3}\s[a-f0-9]{32}$/
|
458
|
+
# Find if this is a new rule or an existing rule, then find how many
|
459
|
+
# unmanaged rules preceed it.
|
460
|
+
if rules.length == rules.uniq.length
|
461
|
+
# This is a new rule so find its ordered location.
|
462
|
+
new_rule_location = rules.sort.uniq.index(my_rule)
|
463
|
+
if new_rule_location == 0
|
464
|
+
# The rule will be the first rule in the chain because nothing came
|
465
|
+
# before it.
|
466
|
+
offset_rule = rules[0]
|
467
|
+
else
|
468
|
+
# This rule will come after other managed rules, so find the rule
|
469
|
+
# immediately preceeding it.
|
470
|
+
offset_rule = rules.sort.uniq[new_rule_location - 1]
|
471
|
+
end
|
472
|
+
else
|
473
|
+
# This is a pre-existing rule, so find the offset from the original
|
474
|
+
# ordering.
|
475
|
+
offset_rule = my_rule
|
476
|
+
end
|
477
|
+
# Count how many unmanaged rules are ahead of the target rule so we know
|
478
|
+
# how much to add to the insert order
|
479
|
+
unnamed_offset = rules[0..rules.index(offset_rule)].inject(0) do |sum,rule|
|
480
|
+
# This regex matches the names given to unmanaged rules (a number
|
481
|
+
# 9000-9999 followed by an MD5 hash).
|
482
|
+
sum + (rule.match(unmanaged_rule_regex) ? 1 : 0)
|
483
|
+
end
|
484
|
+
|
485
|
+
# We want our rules to come before unmanaged rules
|
486
|
+
unnamed_offset -= 1 if offset_rule.match(unmanaged_rule_regex)
|
487
|
+
|
488
|
+
# Insert our new or updated rule in the correct order of named rules, but
|
489
|
+
# offset for unnamed rules.
|
490
|
+
rules.sort.index(my_rule) + 1 + unnamed_offset
|
375
491
|
end
|
376
492
|
end
|
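Review bot: The negation handling added in general_args (the `# On negations` hunk) strips the leading `!` with `resource_value.sub!(/^!\s*/, '')`, and since `resource_value` is the object handed back by `resource[res]` this appears to mutate the resource's own desired value in place, so any later read of that property in the same run (a second general_args call, or a post-sync comparison) would see the address without its `!`, i.e. the opposite match set; the rewrite should be non-destructive, e.g. `if resource_value.is_a?(String) && resource_value.start_with?('!')` followed by `resource_value = resource_value.sub(/\A!\s*/, '')`. The `args.insert(-2, '!')` on the next lines also lands before the whole option group appended by `args << [...].flatten.first.split(' ')` (the split tokens go in as one nested element), so for `-m multiport --dports` it yields `! -m multiport --dports` rather than the `-m multiport ! --dports` the comment describes; unless args is flattened before this point, which the hunk does not show, `args.last.insert(-2, '!')` would put the bang where the comment intends. Separately, the pre-parse cludging hunk quotes negations with `String#sub`, which rewrites only the first match, so a saved rule negating both source and destination is presumably parsed with the second negation silently dropped, which would make Puppet compare a negated rule as if it were not negated; `gsub` on both of those lines would cover it. general_args begins and ends outside its hunk.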
@@ -41,11 +41,11 @@ Puppet::Type.type(:firewallchain).provide :iptables_chain do
|
|
41
41
|
Nameformat = /^(.+):(#{Tables}):(IP(v[46])?|ethernet)$/
|
42
42
|
|
43
43
|
def create
|
44
|
-
# can't create internal chains
|
45
|
-
if @resource[:name] =~ InternalChains
|
46
|
-
self.warn "Attempting to create internal chain #{@resource[:name]}"
|
47
|
-
end
|
48
44
|
allvalidchains do |t, chain, table, protocol|
|
45
|
+
if chain =~ InternalChains
|
46
|
+
# can't create internal chains
|
47
|
+
warning "Attempting to create internal chain #{@resource[:name]}"
|
48
|
+
end
|
49
49
|
if properties[:ensure] == protocol
|
50
50
|
debug "Skipping Inserting chain #{chain} on table #{table} (#{protocol}) already exists"
|
51
51
|
else
|
@@ -59,17 +59,28 @@ Puppet::Type.type(:firewallchain).provide :iptables_chain do
|
|
59
59
|
end
|
60
60
|
|
61
61
|
def destroy
|
62
|
-
# can't delete internal chains
|
63
|
-
if @resource[:name] =~ InternalChains
|
64
|
-
self.warn "Attempting to destroy internal chain #{@resource[:name]}"
|
65
|
-
end
|
66
62
|
allvalidchains do |t, chain, table|
|
63
|
+
if chain =~ InternalChains
|
64
|
+
# can't delete internal chains
|
65
|
+
warning "Attempting to destroy internal chain #{@resource[:name]}"
|
66
|
+
end
|
67
67
|
debug "Deleting chain #{chain} on table #{table}"
|
68
68
|
t.call ['-t',table,'-X',chain]
|
69
69
|
end
|
70
70
|
end
|
71
71
|
|
72
72
|
def exists?
|
73
|
+
allvalidchains do |t, chain|
|
74
|
+
if chain =~ InternalChains
|
75
|
+
# If the chain isn't present, it's likely because the module isn't loaded.
|
76
|
+
# If this is true, then we fall into 2 cases
|
77
|
+
# 1) It'll be loaded on demand
|
78
|
+
# 2) It won't be loaded on demand, and we throw an error
|
79
|
+
# This is the intended behavior as it's not the provider's job to load kernel modules
|
80
|
+
# So we pretend it exists...
|
81
|
+
return true
|
82
|
+
end
|
83
|
+
end
|
73
84
|
properties[:ensure] == :present
|
74
85
|
end
|
75
86
|
|
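Review bot: In destroy the new internal-chain branch only emits the warning and then falls through to `t.call ['-t',table,'-X',chain]`, so deletion of a built-in chain is still attempted despite the comment saying it can't be deleted; create (whose body continues past its hunk) has the same shape and proceeds to insert after warning. With exists? now returning true for any internal chain, an `ensure => absent` on such a chain reaches destroy on every run, and iptables refusing `-X` on a built-in chain presumably surfaces as a failed resource rather than a no-op, which is worth confirming. I would add a `next` after each warning, e.g. `warning "Attempting to destroy internal chain #{@resource[:name]}"` then `next`, so the chain is skipped as the comment promises. The warning also reports `@resource[:name]` while the test is on `chain`; logging `chain` would name what was actually checked.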
@@ -28,7 +28,9 @@ Puppet::Type.newtype(:firewall) do
|
|
28
28
|
installed.
|
29
29
|
EOS
|
30
30
|
|
31
|
+
feature :hop_limiting, "Hop limiting features."
|
31
32
|
feature :rate_limiting, "Rate limiting features."
|
33
|
+
feature :recent_limiting, "The netfilter recent module"
|
32
34
|
feature :snat, "Source NATing"
|
33
35
|
feature :dnat, "Destination NATing"
|
34
36
|
feature :interface_match, "Interface matching"
|
@@ -45,6 +47,11 @@ Puppet::Type.newtype(:firewall) do
|
|
45
47
|
feature :isfragment, "Match fragments"
|
46
48
|
feature :address_type, "The ability match on source or destination address type"
|
47
49
|
feature :iprange, "The ability match on source or destination IP range "
|
50
|
+
feature :ishasmorefrags, "Match a non-last fragment of a fragmented ipv6 packet - might be first"
|
51
|
+
feature :islastfrag, "Match the last fragment of an ipv6 packet"
|
52
|
+
feature :isfirstfrag, "Match the first fragment of a fragmented ipv6 packet"
|
53
|
+
feature :ipsec_policy, "Match IPsec policy"
|
54
|
+
feature :ipsec_dir, "Match IPsec policy direction"
|
48
55
|
|
49
56
|
# provider specific features
|
50
57
|
feature :iptables, "The provider provides iptables features."
|
@@ -103,12 +110,16 @@ Puppet::Type.newtype(:firewall) do
|
|
103
110
|
|
104
111
|
source => '192.168.2.0/24'
|
105
112
|
|
113
|
+
You can also negate a mask by putting ! in front. For example:
|
114
|
+
|
115
|
+
source => '! 192.168.2.0/24'
|
116
|
+
|
106
117
|
The source can also be an IPv6 address if your provider supports it.
|
107
118
|
EOS
|
108
119
|
|
109
120
|
munge do |value|
|
110
121
|
begin
|
111
|
-
@resource.
|
122
|
+
@resource.host_to_mask(value)
|
112
123
|
rescue Exception => e
|
113
124
|
self.fail("host_to_ip failed for #{value}, exception #{e}")
|
114
125
|
end
|
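Review bot: The failure message on the unchanged line after the new `@resource.host_to_mask(value)` call still names the old helper (`host_to_ip failed for …`), so a bad value now points operators at a method that is no longer called; change it to `self.fail("host_to_mask failed for #{value}, exception #{e}")`. While the munge block is being touched, the surrounding `rescue Exception => e` is broader than it needs to be — it turns Interrupt, SystemExit and NoMemoryError into a resource failure — and `rescue StandardError => e` keeps the same behaviour for parse errors. The description now advertises `source => '! 192.168.2.0/24'`, but nothing in this hunk shows host_to_mask accepting a leading `! `; a unit test for the negated form would confirm the documented syntax is validated rather than passed to iptables verbatim. The enclosing newproperty(:source) starts before the hunk.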
@@ -134,12 +145,16 @@ Puppet::Type.newtype(:firewall) do
|
|
134
145
|
|
135
146
|
destination => '192.168.1.0/24'
|
136
147
|
|
148
|
+
You can also negate a mask by putting ! in front. For example:
|
149
|
+
|
150
|
+
destination => '! 192.168.2.0/24'
|
151
|
+
|
137
152
|
The destination can also be an IPv6 address if your provider supports it.
|
138
153
|
EOS
|
139
154
|
|
140
155
|
munge do |value|
|
141
156
|
begin
|
142
|
-
@resource.
|
157
|
+
@resource.host_to_mask(value)
|
143
158
|
rescue Exception => e
|
144
159
|
self.fail("host_to_ip failed for #{value}, exception #{e}")
|
145
160
|
end
|
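Review bot: The negated example `destination => '! 192.168.2.0/24'` uses a different network from the non-negated example a few lines above (`192.168.1.0/24`), which reads as though negation changed the address; use the same network in both, `destination => '! 192.168.1.0/24'`. The message on the unchanged line after the new `@resource.host_to_mask(value)` call still says `host_to_ip failed`, so it should be updated to name the method that actually raised. As with source, `rescue Exception` is wider than needed here; `rescue StandardError => e` preserves the handling of parse errors without swallowing process-level exceptions. The enclosing newproperty(:destination) starts before the hunk.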
@@ -441,6 +456,15 @@ Puppet::Type.newtype(:firewall) do
|
|
441
456
|
EOS
|
442
457
|
end
|
443
458
|
|
459
|
+
newproperty(:random, :required_features => :dnat) do
|
460
|
+
desc <<-EOS
|
461
|
+
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
|
462
|
+
this boolean will enable randomized port mapping.
|
463
|
+
EOS
|
464
|
+
|
465
|
+
newvalues(:true, :false)
|
466
|
+
end
|
467
|
+
|
444
468
|
# Reject ICMP type
|
445
469
|
newproperty(:reject, :required_features => :reject_type) do
|
446
470
|
desc <<-EOS
|
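Review bot: The new `:random` property is gated on `:required_features => :dnat` alone, yet its description says it applies to MASQUERADE, SNAT, REDIRECT and DNAT, so a provider advertising `:snat` but not `:dnat` would be refused a property it can implement; either gate on both features or narrow the description to what is enforced. Nothing in the hunk checks that `jump` is one of those four targets when `random => true`, and iptables rejects `--random` on other targets only at apply time, so a type-level `validate` along the lines of `self.fail("random requires a NAT jump target") if value(:random) == :true && !%w[MASQUERADE DNAT REDIRECT SNAT].include?(value(:jump).to_s)` would surface the mistake at catalog compile time (this assumes the provider emits `--random` whenever the property is set — confirm against the provider). The description could also say why an operator would want it: randomised NAT source ports make the resulting connection-tracking entries harder for an off-path attacker to predict.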
@@ -549,6 +573,46 @@ Puppet::Type.newtype(:firewall) do
|
|
549
573
|
end
|
550
574
|
end
|
551
575
|
|
576
|
+
newproperty(:ctstate, :array_matching => :all, :required_features =>
|
577
|
+
:state_match) do
|
578
|
+
|
579
|
+
desc <<-EOS
|
580
|
+
Matches a packet based on its state in the firewall stateful inspection
|
581
|
+
table, using the conntrack module. Values can be:
|
582
|
+
|
583
|
+
* INVALID
|
584
|
+
* ESTABLISHED
|
585
|
+
* NEW
|
586
|
+
* RELATED
|
587
|
+
EOS
|
588
|
+
|
589
|
+
newvalues(:INVALID,:ESTABLISHED,:NEW,:RELATED)
|
590
|
+
|
591
|
+
# States should always be sorted. This normalizes the resource states to
|
592
|
+
# keep it consistent with the sorted result from iptables-save.
|
593
|
+
def should=(values)
|
594
|
+
@should = super(values).sort_by {|sym| sym.to_s}
|
595
|
+
end
|
596
|
+
|
597
|
+
def is_to_s(value)
|
598
|
+
should_to_s(value)
|
599
|
+
end
|
600
|
+
|
601
|
+
def should_to_s(value)
|
602
|
+
value = [value] unless value.is_a?(Array)
|
603
|
+
value.join(',')
|
604
|
+
end
|
605
|
+
end
|
606
|
+
|
607
|
+
|
608
|
+
# Hop limiting properties
|
609
|
+
newproperty(:hop_limit, :required_features => :hop_limiting) do
|
610
|
+
desc <<-EOS
|
611
|
+
Hop limiting value for matched packets.
|
612
|
+
EOS
|
613
|
+
newvalue(/^\d+$/)
|
614
|
+
end
|
615
|
+
|
552
616
|
# Rate limiting properties
|
553
617
|
newproperty(:limit, :required_features => :rate_limiting) do
|
554
618
|
desc <<-EOS
|
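Review bot: `newvalue(/^\d+$/)` on the new `hop_limit` property anchors per line, so a value such as `"64\n-j ACCEPT"` passes validation because `^`/`$` match either side of the embedded newline; since the value becomes an argument to the iptables command, use whole-string anchors, `newvalue(/\A\d+\z/)`. The IPv6 hop limit is an 8-bit field, so rejecting values outside 0–255 (`self.fail("hop_limit must be 0..255") unless (0..255).cover?(value.to_i)` in a validate block) would turn an iptables parse error into a catalog error. The new `ctstate` property reuses the `:state_match` feature and, if this file also has a `state` property (not visible in this hunk), duplicates its value set and sort normalisation; a one-line comment saying which iptables match ctstate selects and why it exists alongside the older property would help the reader — that mapping lives in the provider, so confirm before writing it.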
@@ -640,6 +704,104 @@ Puppet::Type.newtype(:firewall) do
|
|
640
704
|
newvalues(:true, :false)
|
641
705
|
end
|
642
706
|
|
707
|
+
newproperty(:recent, :required_features => :recent_limiting) do
|
708
|
+
desc <<-EOS
|
709
|
+
Enable the recent module. Takes as an argument one of set, update,
|
710
|
+
rcheck or remove. For example:
|
711
|
+
|
712
|
+
# If anyone's appeared on the 'badguy' blacklist within
|
713
|
+
# the last 60 seconds, drop their traffic, and update the timestamp.
|
714
|
+
firewall { '100 Drop badguy traffic':
|
715
|
+
recent => 'update',
|
716
|
+
rseconds => 60,
|
717
|
+
rsource => true,
|
718
|
+
rname => 'badguy',
|
719
|
+
action => 'DROP',
|
720
|
+
chain => 'FORWARD',
|
721
|
+
}
|
722
|
+
# No-one should be sending us traffic on eth0 from localhost
|
723
|
+
# Blacklist them
|
724
|
+
firewall { '101 blacklist strange traffic':
|
725
|
+
recent => 'set',
|
726
|
+
rsource => true,
|
727
|
+
rname => 'badguy',
|
728
|
+
destination => '127.0.0.0/8',
|
729
|
+
iniface => 'eth0',
|
730
|
+
action => 'DROP',
|
731
|
+
chain => 'FORWARD',
|
732
|
+
}
|
733
|
+
EOS
|
734
|
+
|
735
|
+
newvalues(:set, :update, :rcheck, :remove)
|
736
|
+
munge do |value|
|
737
|
+
value = "--" + value
|
738
|
+
end
|
739
|
+
end
|
740
|
+
|
741
|
+
newproperty(:rdest, :required_features => :recent_limiting) do
|
742
|
+
desc <<-EOS
|
743
|
+
Recent module; add the destination IP address to the list.
|
744
|
+
Must be boolean true.
|
745
|
+
EOS
|
746
|
+
|
747
|
+
newvalues(:true, :false)
|
748
|
+
end
|
749
|
+
|
750
|
+
newproperty(:rsource, :required_features => :recent_limiting) do
|
751
|
+
desc <<-EOS
|
752
|
+
Recent module; add the source IP address to the list.
|
753
|
+
Must be boolean true.
|
754
|
+
EOS
|
755
|
+
|
756
|
+
newvalues(:true, :false)
|
757
|
+
end
|
758
|
+
|
759
|
+
newproperty(:rname, :required_features => :recent_limiting) do
|
760
|
+
desc <<-EOS
|
761
|
+
Recent module; The name of the list. Takes a string argument.
|
762
|
+
EOS
|
763
|
+
end
|
764
|
+
|
765
|
+
newproperty(:rseconds, :required_features => :recent_limiting) do
|
766
|
+
desc <<-EOS
|
767
|
+
Recent module; used in conjunction with one of `recent => 'rcheck'` or
|
768
|
+
`recent => 'update'`. When used, this will narrow the match to only
|
769
|
+
happen when the address is in the list and was seen within the last given
|
770
|
+
number of seconds.
|
771
|
+
EOS
|
772
|
+
end
|
773
|
+
|
774
|
+
newproperty(:reap, :required_features => :recent_limiting) do
|
775
|
+
desc <<-EOS
|
776
|
+
Recent module; can only be used in conjunction with the `rseconds`
|
777
|
+
attribute. When used, this will cause entries older than 'seconds' to be
|
778
|
+
purged. Must be boolean true.
|
779
|
+
EOS
|
780
|
+
end
|
781
|
+
|
782
|
+
newproperty(:rhitcount, :required_features => :recent_limiting) do
|
783
|
+
desc <<-EOS
|
784
|
+
Recent module; used in conjunction with `recent => 'update'` or `recent
|
785
|
+
=> 'rcheck'. When used, this will narrow the match to only happen when
|
786
|
+
the address is in the list and packets had been received greater than or
|
787
|
+
equal to the given value.
|
788
|
+
EOS
|
789
|
+
end
|
790
|
+
|
791
|
+
newproperty(:rttl, :required_features => :recent_limiting) do
|
792
|
+
desc <<-EOS
|
793
|
+
Recent module; may only be used in conjunction with one of `recent =>
|
794
|
+
'rcheck'` or `recent => 'update'`. When used, this will narrow the match
|
795
|
+
to only happen when the address is in the list and the TTL of the current
|
796
|
+
packet matches that of the packet which hit the `recent => 'set'` rule.
|
797
|
+
This may be useful if you have problems with people faking their source
|
798
|
+
address in order to DoS you via this module by disallowing others access
|
799
|
+
to your site by sending bogus packets to you. Must be boolean true.
|
800
|
+
EOS
|
801
|
+
|
802
|
+
newvalues(:true, :false)
|
803
|
+
end
|
804
|
+
|
643
805
|
newproperty(:socket, :required_features => :socket) do
|
644
806
|
desc <<-EOS
|
645
807
|
If true, matches if an open socket can be found by doing a coket lookup
|
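Review bot: The new `reap` property's description says "Must be boolean true" but, unlike `rdest`, `rsource` and `rttl` in the same hunk, it declares no `newvalues(:true, :false)`, so any string is accepted and whatever the provider does with it goes unchecked; add `newvalues(:true, :false)` for consistency. `rseconds` and `rhitcount` likewise carry no validation although they are numeric iptables arguments — `newvalue(/\A\d+\z/)` on each would reject non-numeric or multi-line input before it reaches the command line, and `rname` should at least reject whitespace since it is passed through as a list name. The `recent` munge builds the flag with `"--" + value`, which works for the string form users normally write but raises TypeError if the value ever arrives as a Symbol; `"--#{value}"` is the safer spelling. The `rhitcount` description also has an unclosed backtick after `'rcheck'`.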
@@ -649,6 +811,47 @@ Puppet::Type.newtype(:firewall) do
|
|
649
811
|
newvalues(:true, :false)
|
650
812
|
end
|
651
813
|
|
814
|
+
newproperty(:ishasmorefrags, :required_features => :ishasmorefrags) do
|
815
|
+
desc <<-EOS
|
816
|
+
If true, matches if the packet has it's 'more fragments' bit set. ipv6.
|
817
|
+
EOS
|
818
|
+
|
819
|
+
newvalues(:true, :false)
|
820
|
+
end
|
821
|
+
|
822
|
+
newproperty(:islastfrag, :required_features => :islastfrag) do
|
823
|
+
desc <<-EOS
|
824
|
+
If true, matches if the packet is the last fragment. ipv6.
|
825
|
+
EOS
|
826
|
+
|
827
|
+
newvalues(:true, :false)
|
828
|
+
end
|
829
|
+
|
830
|
+
newproperty(:isfirstfrag, :required_features => :isfirstfrag) do
|
831
|
+
desc <<-EOS
|
832
|
+
If true, matches if the packet is the first fragment.
|
833
|
+
Sadly cannot be negated. ipv6.
|
834
|
+
EOS
|
835
|
+
|
836
|
+
newvalues(:true, :false)
|
837
|
+
end
|
838
|
+
|
839
|
+
newproperty(:ipsec_policy, :required_features => :ipsec_policy) do
|
840
|
+
desc <<-EOS
|
841
|
+
Sets the ipsec policy type
|
842
|
+
EOS
|
843
|
+
|
844
|
+
newvalues(:none, :ipsec)
|
845
|
+
end
|
846
|
+
|
847
|
+
newproperty(:ipsec_dir, :required_features => :ipsec_dir) do
|
848
|
+
desc <<-EOS
|
849
|
+
Sets the ipsec policy direction
|
850
|
+
EOS
|
851
|
+
|
852
|
+
newvalues(:in, :out)
|
853
|
+
end
|
854
|
+
|
652
855
|
newparam(:line) do
|
653
856
|
desc <<-EOS
|
654
857
|
Read-only property for caching the rule line.
|
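Review bot: `ipsec_policy` and `ipsec_dir` are declared as independent properties, but the netfilter policy match they appear to map to needs a direction alongside the policy, so a resource that sets one without the other will only fail when iptables is invoked; a type-level validate such as `self.fail("ipsec_policy and ipsec_dir must be set together") if value(:ipsec_policy).nil? != value(:ipsec_dir).nil?` reports it at compile time (I am inferring the provider mapping from the property names — confirm against the provider hunk). The three IPv6 fragment properties end their descriptions with a bare "ipv6."; stating explicitly that they are only valid with an IPv6 provider, and what `isfirstfrag => false` does given the note that it "Sadly cannot be negated", would save the next reader a trip to the provider. Typo in the `ishasmorefrags` description: `has it's` should be `has its`.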
@@ -667,8 +870,9 @@ Puppet::Type.newtype(:firewall) do
|
|
667
870
|
end
|
668
871
|
|
669
872
|
unless protocol.nil?
|
873
|
+
table = value(:table)
|
670
874
|
[value(:chain), value(:jump)].each do |chain|
|
671
|
-
reqs << "#{chain}:#{
|
875
|
+
reqs << "#{chain}:#{table}:#{protocol}" unless ( chain.nil? || (['INPUT', 'OUTPUT', 'FORWARD'].include?(chain) && table == :filter) )
|
672
876
|
end
|
673
877
|
end
|
674
878
|
|
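Review bot: The new short-circuit only exempts built-in chains for the filter table, so a rule in `nat`, `mangle` or `raw` on PREROUTING, POSTROUTING, INPUT or OUTPUT still pushes an autorequire such as `PREROUTING:nat:IPv4`; Puppet ignores autorequires on resources absent from the catalog, so this is noise rather than a failure, but the intent is clearer with a per-table map, e.g. `builtin = { :filter => %w[INPUT OUTPUT FORWARD], :nat => %w[PREROUTING INPUT OUTPUT POSTROUTING], :mangle => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING], :raw => %w[PREROUTING OUTPUT] }` and `builtin.fetch(table, []).include?(chain)`. The comparison `table == :filter` presumes `value(:table)` yields a symbol; the `table` parameter is defined outside this hunk, so if it is not declared with `newvalues` a string `'filter'` would silently miss the check — confirm, or compare on `table.to_s`. The enclosing `autorequire` block starts before the hunk.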