diff --git a/README.markdown b/README.markdown
index 01e8dc114..8e46d36f4 100644
--- a/README.markdown
+++ b/README.markdown
@@ -437,6 +437,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
 * `chain`: Name of the chain to use. You can provide a user-based chain or use one of the following built-in chains:'INPUT','FORWARD','OUTPUT','PREROUTING', or 'POSTROUTING'. The default value is 'INPUT'. Values must match '/^[a-zA-Z0-9\-_]+$/'. Requires the `iptables` feature.
+ * `checksum_fill`: When using a `jump` value of 'CHECKSUM' this boolean will make sure that a checksum is calculated and filled in a packet that lacks a checksum. Valid values are true or false. Requires the `iptables` feature.
+
 * `connlimit_above`: Connection limiting value for matched connections above n. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
 * `connlimit_mask`: Connection limiting by subnet mask for matched connections. Apply a subnet mask of /0 to /32 for IPv4, and a subnet mask of /0 to /128 for IPv6. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index b1e390220..8acae8f2e 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -65,6 +65,7 @@ def self.iptables_save(*args)
 @resource_map = {
 :burst => "--limit-burst",
+ :checksum_fill => "--checksum-fill",
 :connlimit_above => "-m connlimit --connlimit-above",
 :connlimit_mask => "--connlimit-mask",
 :connmark => "-m connmark --mark",
@@ -128,6 +129,7 @@ def self.iptables_save(*args)
 # These are known booleans that do not take a value, but we want to munge
 # to true if they exist.
 @known_booleans = [
+ :checksum_fill,
 :ishasmorefrags,
 :islastfrag,
 :isfirstfrag,
@@ -198,7 +200,7 @@ def self.iptables_save(*args)
 :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark,
- :connlimit_above, :connlimit_mask, :connmark]
+ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject,
+ :set_mark, :connlimit_above, :connlimit_mask, :connmark]
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index b4713eefa..089689cdf 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -51,6 +51,7 @@
 @resource_map = {
 :burst => "--limit-burst",
+ :checksum_fill => "--checksum-fill",
 :connlimit_above => "-m connlimit --connlimit-above",
 :connlimit_mask => "--connlimit-mask",
 :connmark => "-m connmark --mark",
@@ -113,6 +114,7 @@
 # These are known booleans that do not take a value, but we want to munge
 # to true if they exist.
 @known_booleans = [
+ :checksum_fill,
 :isfragment,
 :random,
 :rdest,
@@ -223,7 +225,7 @@ def munge_resource_map_from_resource(resource_map_original, compare)
 :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :to, :random, :log_prefix, :log_level, :reject, :set_mark,
+ :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark,
 :connlimit_above, :connlimit_mask, :connmark ]
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 46756e341..3add88788 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
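Review bot: The spot chosen for :checksum_fill in this symbol list carries an unstated ordering constraint: "--checksum-fill" is an option of the CHECKSUM target rather than a match, which is why its @resource_map entry has no -m prefix, and it only yields a valid command line because it is emitted after :jump. A short comment at the insertion point would protect that from a future reshuffle, e.g. `:tosource, :toports, :checksum_fill, # stays after :jump: option of the CHECKSUM target`. The same remark applies to the iptables.rb @@ -223 hunk below, which inserts it after :to. The list being edited (presumably the provider's argument ordering) starts before this hunk.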
@@ -1060,6 +1060,14 @@ def insync?(is)
 EOS
 end
+ newproperty(:checksum_fill, :required_features => :iptables) do
+ desc <<-EOS
+ Compute and fill missing packet checksums.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
 newparam(:line) do
 desc <<-EOS
 Read-only property for caching the rule line.
@@ -1252,5 +1260,11 @@ def insync?(is)
 self.fail "Parameter 'stat_probability' requires 'stat_mode' to be set to 'random'"
 end
+ if value(:checksum_fill)
+ unless value(:jump).to_s == "CHECKSUM" && value(:table).to_s == "mangle"
+ self.fail "Parameter checksum_fill requires jump => CHECKSUM and table => mangle"
+ end
+ end
+
 end
 end
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 8c29dee36..331d831ae 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
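Review bot: The desc of the new checksum_fill property says nothing about the precondition the validation added further down in this same commit enforces (jump => CHECKSUM and table => mangle), so a user only discovers the constraint from the failure message. Suggest extending the heredoc to `Compute and fill missing packet checksums. Only valid together with jump => CHECKSUM in the mangle table; emitted as --checksum-fill.`. Naming the iptables option also ties the property to the matching @resource_map entries in the providers.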
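Review bot: `if value(:checksum_fill)` treats an explicit `checksum_fill => false` as set, because a property declared with newvalues(:true, :false) holds the symbol :false, which is truthy in Ruby; a rule that spells out checksum_fill => false with any other jump or table would then be rejected with the misleading message added here. Testing the string form avoids this: `if value(:checksum_fill).to_s == "true"`. If the type already normalises these symbols to booleans somewhere outside the hunk this may not trigger, but nothing visible here suggests it does. The enclosing block (presumably the type's validate block) starts before this hunk.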
@@ -833,6 +833,62 @@ class { '::firewall': }
 end
 end
+ describe 'checksum_fill' do
+ context 'virbr' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '576 - test':
+ proto => udp,
+ table => 'mangle',
+ outiface => 'virbr0',
+ chain => 'POSTROUTING',
+ dport => '68',
+ jump => 'CHECKSUM',
+ checksum_fill => true,
+ provider => iptables,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - test" -j CHECKSUM --checksum-fill/)
+ end
+ end
+ end
+ end
+
+ describe 'checksum_fill6' do
+ context 'virbr' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '576 - test':
+ proto => udp,
+ table => 'mangle',
+ outiface => 'virbr0',
+ chain => 'POSTROUTING',
+ dport => '68',
+ jump => 'CHECKSUM',
+ checksum_fill => true,
+ provider => ip6tables,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - test" -j CHECKSUM --checksum-fill/)
+ end
+ end
+ end
+ end
+
 # RHEL5 does not support --random
 if default['platform'] !~ /el-5/
 describe 'random' do
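Review bot: Both new examples cover only the happy path; nothing exercises the validation added in lib/puppet/type/firewall.rb (checksum_fill with a non-CHECKSUM jump or a non-mangle table must be refused) or `checksum_fill => false` on an ordinary rule, which is exactly where the type's handling of the :false value matters. A third example applying `jump => 'ACCEPT', checksum_fill => true,` with `apply_manifest(pp, :expect_failures => true)` and matching the failure message from the type would pin that contract down. The ip6tables example also reuses the resource title '576 - test' from the iptables one; a distinct title would keep the two *-save assertions independent of each other.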