
Merge pull request #852 from rwf14f/ct-target-properties

(MODULES-6136) Add zone property for the CT target.
sheenaajay committed Sep 9, 2019
2 parents d56aea8 + 03b27f0 commit 3fc0ae956dfb95511573f59c57d9ae7a007a3fc5
@@ -220,6 +220,8 @@ installed.

* ipvs: The ability to match IP Virtual Server packets.

* ct_target: The ability to set connection tracking parameters for a packet or its associated connection.

#### Properties

The following properties are available in the `firewall` type.
@@ -1125,6 +1127,10 @@ Valid values: `true`, `false`
Indicates that the current packet belongs to an IPVS connection.
##### `zone`
Assign this packet to zone id and only have lookups done in that zone.
#### Parameters
The following parameters are available in the `firewall` type.
@@ -34,6 +34,7 @@
has_feature :string_matching
has_feature :queue_num
has_feature :queue_bypass
has_feature :ct_target

optional_commands(ip6tables: 'ip6tables',
ip6tables_save: 'ip6tables-save')
@@ -164,6 +165,7 @@ def self.iptables_save(*args)
hashlimit_htable_expire: '--hashlimit-htable-expire',
hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
bytecode: '-m bpf --bytecode',
zone: '--zone',
}

# These are known booleans that do not take a value, but we want to munge
@@ -258,5 +260,5 @@ def self.iptables_save(*args)
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :name]
:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :zone, :name]
end
@@ -43,6 +43,7 @@
has_feature :queue_num
has_feature :queue_bypass
has_feature :ipvs
has_feature :ct_target

optional_commands(iptables: 'iptables',
iptables_save: 'iptables-save')
@@ -170,6 +171,7 @@
hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval',
bytecode: '-m bpf --bytecode',
ipvs: '-m ipvs --ipvs',
zone: '--zone',
}

# These are known booleans that do not take a value, but we want to munge
@@ -304,7 +306,7 @@ def munge_resource_map_from_resource(resource_map_original, compare)
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :name
:hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :name
]

def insert
@@ -129,6 +129,8 @@
* bpf: The ability to use Berkeley Paket Filter rules.
* ipvs: The ability to match IP Virtual Server packets.
* ct_target: The ability to set connection tracking parameters for a packet or its associated connection.
PUPPETCODE

feature :connection_limiting, 'Connection limiting features.'
@@ -173,7 +175,7 @@
feature :hashlimit, 'Hashlimit features'
feature :bpf, 'Berkeley Paket Filter feature'
feature :ipvs, 'Packet belongs to an IP Virtual Server connection'

feature :ct_target, 'The ability to set connection tracking parameters for a packet or its associated connection'
# provider specific features
feature :iptables, 'The provider provides iptables features.'

@@ -1857,6 +1859,12 @@ def should_to_s(value)
newvalues(:true, :false)
end

newproperty(:zone, required_features: :ct_target) do
desc <<-PUPPETCODE
Assign this packet to zone id and only have lookups done in that zone.
PUPPETCODE
end

autorequire(:firewallchain) do
reqs = []
protocol = nil
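Review bot: `newproperty(:zone, required_features: :ct_target)` accepts any value: there is no `validate` or `munge`, so a non-numeric or out-of-range value is handed straight to the provider's `--zone` argument and the mistake only surfaces as an iptables error at apply time rather than at catalog compilation. The CT target's zone id is, as far as I recall, a 16-bit unsigned integer, so a guard such as `validate do |value|` / `raise ArgumentError, "zone must be an integer in 0..65535, got #{value.inspect}" unless value.to_s.match?(%r{\A\d+\z}) && value.to_i <= 65535` / `end` inside the property would reject bad input early; please confirm the range against the xt_CT extension. Note also that the manifest in the acceptance test passes `'4000'` (String) while the unit test stores `4000` (Integer); if insync comparison against the string parsed back from iptables-save ever proves unstable, a `munge { |v| v.to_s }` (with the unit test adjusted) would normalise it. The enclosing type definition continues outside this hunk.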
@@ -2067,5 +2075,17 @@ def should_to_s(value)
raise 'Either hashlimit_upto or hashlimit_above are required'
end
end

if value(:zone)
unless value(:jump).to_s == 'CT'
raise 'Parameter zone requires jump => CT'
end
end

if value(:jump).to_s == 'CT'
unless value(:table).to_s =~ %r{raw}
raise 'Parameter jump => CT only applies to table => raw'
end
end
end
end
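Review bot: `value(:table).to_s =~ %r{raw}` is an unanchored match, so any table name that merely contains `raw` passes the check; if the `table` parameter admits such values (its `newvalues` are outside this hunk — I believe `rawpost` is one of them), a `jump => CT` rule would be accepted for a table the CT target does not support and fail only at apply time. Compare exactly instead: `unless value(:table).to_s == 'raw'`. The `validate do` block these checks live in begins before the hunk.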
@@ -503,4 +503,27 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST})
end
end

describe 'test CT target attributes which are not available on some OS', unless:
(os[:family] == 'redhat' && (os[:release].start_with?('5', '6') || host_inventory['facter']['os']['name'] == 'OracleLinux')) || (host_inventory['facter']['os']['family'] == 'Suse') do
before(:all) do
pp = <<-PUPPETCODE
firewall { '1100 - ct_target tests - zone':
proto => 'all',
zone => '4000',
jump => 'CT',
chain => 'PREROUTING',
table => 'raw',
}
PUPPETCODE
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: do_catch_changes)
end

let(:result) { shell('iptables-save') }

it 'zone is set' do
expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "1100 - ct_target tests - zone" -j CT --zone 4000})
end
end
end
@@ -261,7 +261,6 @@ class { '::firewall': }
proto => all,
provider => 'ip6tables',
}
PUPPETCODE
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: do_catch_changes)
@@ -368,4 +367,27 @@ class { '::firewall': }
end
end
end

describe 'test CT target attributes which are not available on some OS', unless:
(os[:family] == 'redhat' && (os[:release].start_with?('5', '6') || host_inventory['facter']['os']['name'] == 'OracleLinux')) || (host_inventory['facter']['os']['family'] == 'Suse') do
before(:all) do
pp = <<-PUPPETCODE
firewall { '1100 - ct_target tests - zone':
proto => 'all',
zone => '4000',
jump => 'CT',
chain => 'PREROUTING',
table => 'raw',
}
PUPPETCODE
apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: do_catch_changes)
end

let(:result) { shell('iptables-save') }

it 'zone is set' do
expect(result.stdout).to match(%r{-A PREROUTING -m comment --comment "1100 - ct_target tests - zone" -j CT --zone 4000})
end
end
end
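Review bot: The new describe block never exercises the ip6tables provider: the resource in the manifest at the top of this hunk does not set `provider => 'ip6tables'` (unlike the rule shown in the preceding hunk of what appears to be the same spec file), and the assertion reads `shell('iptables-save')`, so this is a verbatim copy of the iptables acceptance test and the ip6tables provider's new `zone: '--zone'` mapping remains untested end-to-end. Add `provider => 'ip6tables',` to the resource and change the let to `let(:result) { shell('ip6tables-save') }`. That this hunk belongs to the ip6tables spec is inferred from the `provider => 'ip6tables'` context two hunks above, so please confirm.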
@@ -11,7 +11,7 @@ def iptables_flush_all_tables
end

def ip6tables_flush_all_tables
['filter', 'mangle'].each do |t|
['filter', 'mangle', 'raw'].each do |t|
expect(shell("ip6tables -t #{t} -F").stderr).to eq('')
end
end
@@ -558,6 +558,13 @@
end
end

describe 'ct_target' do
it 'allows me to set zone' do
resource[:zone] = 4000
expect(resource[:zone]).to be 4000
end
end

[:chain, :jump].each do |param|
describe param do
it 'autorequires fwchain when table and provider are undefined' do
