176 changes: 136 additions & 40 deletions README.markdown


28 changes: 23 additions & 5 deletions lib/puppet/provider/firewall/ip6tables.rb
Expand Up @@ -16,6 +16,7 @@
has_feature :log_level
has_feature :log_prefix
has_feature :mark
has_feature :mss
has_feature :tcp_flags
has_feature :pkttype
has_feature :ishasmorefrags
Expand Down Expand Up @@ -66,6 +67,7 @@ def self.iptables_save(*args)
@resource_map = {
:burst => "--limit-burst",
:checksum_fill => "--checksum-fill",
:clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
:connlimit_above => "-m connlimit --connlimit-above",
:connlimit_mask => "--connlimit-mask",
:connmark => "-m connmark --mark",
Expand All @@ -74,6 +76,7 @@ def self.iptables_save(*args)
:dport => ["-m multiport --dports", "--dport"],
:dst_range => '--dst-range',
:dst_type => "--dst-type",
:gateway => "--gateway",
:gid => "--gid-owner",
:hop_limit => "-m hl --hl-eq",
:icmp => "-m icmp6 --icmpv6-type",
Expand All @@ -89,8 +92,10 @@ def self.iptables_save(*args)
:log_level => "--log-level",
:log_prefix => "--log-prefix",
:mask => "--mask",
:match_mark => "-m mark --mark",
:name => "-m comment --comment",
:mac_source => ["-m mac --mac-source", "--mac-source"],
:mss => "-m tcpmss --mss",
:outiface => "-o",
:pkttype => "-m pkttype --pkt-type",
:port => '-m multiport --ports',
Expand All @@ -105,6 +110,7 @@ def self.iptables_save(*args)
:rsource => "--rsource",
:rttl => "--rttl",
:set_mark => mark_flag,
:set_mss => '--set-mss',
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
Expand All @@ -123,13 +129,22 @@ def self.iptables_save(*args)
:uid => "--uid-owner",
:physdev_in => "--physdev-in",
:physdev_out => "--physdev-out",
:physdev_is_bridged => "--physdev-is-bridged"
:physdev_is_bridged => "--physdev-is-bridged",
:date_start => "--datestart",
:date_stop => "--datestop",
:time_start => "--timestart",
:time_stop => "--timestop",
:month_days => "--monthdays",
:week_days => "--weekdays",
:time_contiguous => "--contiguous",
:kernel_timezone => "--kerneltz",
}

# These are known booleans that do not take a value, but we want to munge
# to true if they exist.
@known_booleans = [
:checksum_fill,
:clamp_mss_to_pmtu,
:ishasmorefrags,
:islastfrag,
:isfirstfrag,
Expand All @@ -138,7 +153,9 @@ def self.iptables_save(*args)
:reap,
:rttl,
:socket,
:physdev_is_bridged
:physdev_is_bridged,
:time_contiguous,
:kernel_timezone,
]

# Properties that use "-m <ipt module name>" (with the potential to have multiple
Expand All @@ -158,6 +175,7 @@ def self.iptables_save(*args)
:addrtype => [:src_type, :dst_type],
:iprange => [:src_range, :dst_range],
:owner => [:uid, :gid],
:time => [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
}

# Create property methods dynamically
Expand Down Expand Up @@ -199,8 +217,8 @@ def self.iptables_save(*args)
:tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject,
:set_mark, :connlimit_above, :connlimit_mask, :connmark]
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]

end
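Review bot: The `@resource_list` order in the last hunk disagrees with the iptables provider in this same change: here `:set_mss` is appended after `:reject` (`:reject, :set_mss, :mss,`) while lib/puppet/provider/firewall/iptables.rb places it directly after `:gateway`, before `:todest`. If this list is the argument emission order (its definition and any comment describing it begin above the hunk, so I cannot confirm from here), the two providers will build TCPMSS rules with different option ordering and any later fix has to be made twice; I would align it to `:jump, :clamp_mss_to_pmtu, :gateway, :set_mss, :todest,` so both providers agree. The new map entries also mix quoting styles (`'--set-mss'` among double-quoted neighbours); the file already uses both, but lines added in one hunk should pick one.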
28 changes: 23 additions & 5 deletions lib/puppet/provider/firewall/iptables.rb
Expand Up @@ -21,6 +21,7 @@
has_feature :log_level
has_feature :log_prefix
has_feature :mark
has_feature :mss
has_feature :tcp_flags
has_feature :pkttype
has_feature :isfragment
Expand Down Expand Up @@ -52,6 +53,7 @@
@resource_map = {
:burst => "--limit-burst",
:checksum_fill => "--checksum-fill",
:clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
:connlimit_above => "-m connlimit --connlimit-above",
:connlimit_mask => "--connlimit-mask",
:connmark => "-m connmark --mark",
Expand All @@ -60,6 +62,7 @@
:dport => ["-m multiport --dports", "--dport"],
:dst_range => "--dst-range",
:dst_type => "--dst-type",
:gateway => "--gateway",
:gid => "--gid-owner",
:icmp => "-m icmp --icmp-type",
:iniface => "-i",
Expand All @@ -73,6 +76,8 @@
:log_prefix => "--log-prefix",
:mac_source => ["-m mac --mac-source", "--mac-source"],
:mask => '--mask',
:match_mark => "-m mark --mark",
:mss => '-m tcpmss --mss',
:name => "-m comment --comment",
:outiface => "-o",
:pkttype => "-m pkttype --pkt-type",
Expand All @@ -89,6 +94,7 @@
:rsource => "--rsource",
:rttl => "--rttl",
:set_mark => mark_flag,
:set_mss => '--set-mss',
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
Expand All @@ -108,21 +114,32 @@
:uid => "--uid-owner",
:physdev_in => "--physdev-in",
:physdev_out => "--physdev-out",
:physdev_is_bridged => "--physdev-is-bridged"
:physdev_is_bridged => "--physdev-is-bridged",
:date_start => "--datestart",
:date_stop => "--datestop",
:time_start => "--timestart",
:time_stop => "--timestop",
:month_days => "--monthdays",
:week_days => "--weekdays",
:time_contiguous => "--contiguous",
:kernel_timezone => "--kerneltz",
}

# These are known booleans that do not take a value, but we want to munge
# to true if they exist.
@known_booleans = [
:checksum_fill,
:clamp_mss_to_pmtu,
:isfragment,
:random,
:rdest,
:reap,
:rsource,
:rttl,
:socket,
:physdev_is_bridged
:physdev_is_bridged,
:time_contiguous,
:kernel_timezone,
]

# Properties that use "-m <ipt module name>" (with the potential to have multiple
Expand All @@ -142,6 +159,7 @@
:addrtype => [:src_type, :dst_type],
:iprange => [:src_range, :dst_range],
:owner => [:uid, :gid],
:time => [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
}

def self.munge_resource_map_from_existing_values(resource_map_original, compare)
Expand Down Expand Up @@ -224,9 +242,9 @@ def munge_resource_map_from_resource(resource_map_original, compare)
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
:tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark,
:connlimit_above, :connlimit_mask, :connmark
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :set_mss, :todest,
:tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :match_mark, :mss,
:connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
]

def insert
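Review bot: `has_feature :mss` is declared in the first hunk but nothing is gated on it: in this same change `newproperty(:mss)` in lib/puppet/type/firewall.rb carries no `:required_features`, so a provider lacking the feature would still accept the property and attempt to emit `-m tcpmss --mss`. Either declare the property as `newproperty(:mss, :required_features => :mss) do` or drop the feature flag; `set_mss` and `clamp_mss_to_pmtu` are gated on `:iptables` and could reasonably share the `:mss` feature instead. The new `:mss` and `:match_mark` entries embed their own `-m tcpmss` / `-m mark` prefix rather than going through `@module_to_argument_mapping` the way `:time` does; that is fine for a single-property module, but a one-line comment on those entries saying so would save the next reader a lookup.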
168 changes: 167 additions & 1 deletion lib/puppet/type/firewall.rb
Expand Up @@ -43,6 +43,7 @@
feature :log_level, "The ability to control the log level"
feature :log_prefix, "The ability to add prefixes to log messages"
feature :mark, "Match or Set the netfilter mark value associated with the packet"
feature :mss, "Match a given TCP MSS value or range."
feature :tcp_flags, "The ability to match on particular TCP flag settings"
feature :pkttype, "Match a packet type"
feature :socket, "Match open sockets"
Expand Down Expand Up @@ -356,11 +357,18 @@ def should_to_s(value)
*tcp*.
EOS

newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ospf, :gre, :cbt, :all].collect do |proto|
newvalues(*[:tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :all].collect do |proto|
[proto, "! #{proto}".to_sym]
end.flatten)
defaultto "tcp"
end

# tcp-specific
newproperty(:mss) do
desc <<-EOS
Match a given TCP MSS value or range.
EOS
end

# tcp-specific
newproperty(:tcp_flags, :required_features => :tcp_flags) do
Expand Down Expand Up @@ -780,6 +788,36 @@ def insync?(is)
EOS
end

# match mark
newproperty(:match_mark, :required_features => :mark) do
desc <<-EOS
Match the Netfilter mark value associated with the packet. Accepts either of:
mark/mask or mark. These will be converted to hex if they are not already.
EOS
munge do |value|
mark_regex = %r{\A((?:0x)?[0-9A-F]+)(/)?((?:0x)?[0-9A-F]+)?\z}i
match = value.to_s.match(mark_regex)
if match.nil?
raise ArgumentError, "Match MARK value must be integer or hex between 0 and 0xffffffff"
end
mark = @resource.to_hex32(match[1])

# Values that can't be converted to hex.
# Or contain a trailing slash with no mask.
if mark.nil? or (mark and match[2] and match[3].nil?)
raise ArgumentError, "Match MARK value must be integer or hex between 0 and 0xffffffff"
end

# There should not be a mask on match_mark
unless match[3].nil?
raise ArgumentError, "iptables does not support masks on MARK match rules"
end
value = mark

value
end
end

newproperty(:set_mark, :required_features => :mark) do
desc <<-EOS
Set the Netfilter mark value associated with the packet. Accepts either of:
Expand Down Expand Up @@ -822,6 +860,20 @@ def insync?(is)
end
end

newproperty(:clamp_mss_to_pmtu, :required_features => :iptables) do
desc <<-EOS
Sets the clamp mss to pmtu flag.
EOS

newvalues(:true, :false)
end

newproperty(:set_mss, :required_features => :iptables) do
desc <<-EOS
Sets the TCP MSS value for packets.
EOS
end

newproperty(:pkttype, :required_features => :pkttype) do
desc <<-EOS
Sets the packet type to match.
Expand Down Expand Up @@ -1050,6 +1102,13 @@ def insync?(is)
EOS
end

newproperty(:gateway, :required_features => :iptables) do
desc <<-EOS
The TEE target will clone a packet and redirect this clone to another
machine on the local network segment. gateway is the target host's IP.
EOS
end

newproperty(:ipset, :required_features => :ipset) do
desc <<-EOS
Matches against the specified ipset list.
Expand Down Expand Up @@ -1102,6 +1161,101 @@ def insync?(is)
newvalues(:true, :false)
end

newproperty(:date_start, :required_features => :iptables) do
desc <<-EOS
Only match during the given time, which must be in ISO 8601 "T" notation.
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
EOS
end

newproperty(:date_stop, :required_features => :iptables) do
desc <<-EOS
Only match during the given time, which must be in ISO 8601 "T" notation.
The possible time range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07
EOS
end

newproperty(:time_start, :required_features => :iptables) do
desc <<-EOS
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
EOS

munge do |value|
if value =~ /^([0-9]):/
value = "0#{value}"
end

if value =~ /^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$/
value = "#{value}:00"
end

value
end
end

newproperty(:time_stop, :required_features => :iptables) do
desc <<-EOS
Only match during the given daytime. The possible time range is 00:00:00 to 23:59:59.
Leading zeroes are allowed (e.g. "06:03") and correctly interpreted as base-10.
EOS

munge do |value|
if value =~ /^([0-9]):/
value = "0#{value}"
end

if value =~ /^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$/
value = "#{value}:00"
end

value
end
end

newproperty(:month_days, :required_features => :iptables) do
desc <<-EOS
Only match on the given days of the month. Possible values are 1 to 31.
Note that specifying 31 will of course not match on months which do not have a 31st day;
the same goes for 28- or 29-day February.
EOS

validate do |value|
month = value.to_i
if month >= 1 and month <=31
value
else
raise ArgumentError,
"month_days must be in the range of 1-31"
end
end
end

newproperty(:week_days, :required_features => :iptables) do
desc <<-EOS
Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun.
EOS

newvalues(:Mon, :Tue, :Wed, :Thu, :Fri, :Sat, :Sun)
end

newproperty(:time_contiguous, :required_features => :iptables) do
desc <<-EOS
When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.
EOS

newvalues(:true, :false)
end

newproperty(:kernel_timezone, :required_features => :iptables) do
desc <<-EOS
Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.
EOS

newvalues(:true, :false)
end


autorequire(:firewallchain) do
reqs = []
protocol = nil
Expand Down Expand Up @@ -1194,6 +1348,18 @@ def insync?(is)
end
end

if value(:jump).to_s == "TCPMSS"
unless value(:set_mss) || value(:clamp_mss_to_pmtu)
self.fail "When using jump => TCPMSS, the set_mss or clamp_mss_to_pmtu property is required"
end
end

if value(:jump).to_s == "TEE"
unless value(:gateway)
self.fail "When using jump => TEE, the gateway property is required"
end
end

if value(:jump).to_s == "DNAT"
unless value(:table).to_s =~ /nat/
self.fail "Parameter jump => DNAT only applies to table => nat"
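Review bot: The TCPMSS check in the last hunk (`unless value(:set_mss) || value(:clamp_mss_to_pmtu)`) is satisfied by `clamp_mss_to_pmtu => false`: the property is declared with `newvalues(:true, :false)`, so the stored value is the symbol `:false`, which is truthy in Ruby, and the manifest passes type validation only to have iptables reject the rule at apply time. Compare the symbol explicitly, `unless value(:set_mss) || value(:clamp_mss_to_pmtu).to_s == 'true'`. The same block should also reject both being set at once, since as I recall libxt_TCPMSS treats `--set-mss` and `--clamp-mss-to-pmtu` as mutually exclusive (worth confirming), e.g. `self.fail "set_mss and clamp_mss_to_pmtu are mutually exclusive" if value(:set_mss) && value(:clamp_mss_to_pmtu).to_s == 'true'`. Separately, neither `set_mss` nor `gateway` has a validate/munge block, so a non-numeric MSS or a non-address TEE gateway is only caught when iptables runs; the validate method these checks live in starts and ends outside the hunk.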
3 changes: 3 additions & 0 deletions lib/puppet/util/firewall.rb
Expand Up @@ -28,12 +28,15 @@ def icmp_name_to_number(value_icmp, protocol)
elsif protocol == 'inet6'
case value_icmp
when "destination-unreachable" then "1"
when "too-big" then "2"
when "time-exceeded" then "3"
when "parameter-problem" then "4"
when "echo-request" then "128"
when "echo-reply" then "129"
when "router-solicitation" then "133"
when "router-advertisement" then "134"
when "neighbour-solicitation" then "135"
when "neighbour-advertisement" then "136"
when "redirect" then "137"
else nil
end
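Review bot: Only the British spellings `neighbour-solicitation` / `neighbour-advertisement` are mapped, whereas ip6tables itself accepts both the `neighbour-` and `neighbor-` forms for types 135 and 136 (as I recall from libip6t_icmp6), so a manifest using the American spelling silently falls through to the `else nil` branch. Accept both in each arm: `when "neighbour-solicitation", "neighbor-solicitation" then "135"` and likewise `"136"` for the advertisement. The name `too-big` chosen for type 2 also differs from the `packet-too-big` name ip6tables uses; since this table defines the module's own vocabulary that is a choice rather than a defect, but it deserves a mention in the `icmp` property documentation. The enclosing `case` and method begin above the hunk.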
2 changes: 1 addition & 1 deletion manifests/linux/gentoo.pp
@@ -1,7 +1,7 @@
# = Class: firewall::linux::gentoo
#
# Manages `iptables` and `ip6tables` services, and creates files used for
# persistence, on Arch Linux systems.
# persistence, on Gentoo Linux systems.
#
# == Parameters:
#
12 changes: 12 additions & 0 deletions manifests/linux/redhat.pp
Expand Up @@ -39,6 +39,18 @@
}
}

if ($::operatingsystem != 'Amazon')
and (($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0)) {
if $ensure == 'running' {
exec { '/usr/bin/systemctl daemon-reload':
require => Package[$package_name],
before => Service[$service_name],
unless => '/usr/bin/systemctl is-active iptables'
}
}
}

service { $service_name:
ensure => $ensure,
enable => $enable,
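Review bot: The `unless` guard on the new `daemon-reload` exec hardcodes `is-active iptables` while the `require` and `before` edges two lines above use `Package[$package_name]` and `Service[$service_name]`; if `$service_name` is ever anything other than `iptables`, the guard checks the wrong unit and the reload is either skipped or run needlessly. Use the variable that is already in scope: `unless => "/usr/bin/systemctl is-active ${service_name}"`. Note also that the guard only suppresses the exec while the unit is already active, so on a host where the service is stopped the exec fires (and reports a change) on every agent run; if that is intended, a one-line comment above the exec saying so would help the next reader.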
20 changes: 12 additions & 8 deletions manifests/params.pp
Expand Up @@ -6,10 +6,6 @@
$service_name = 'iptables'
$package_name = undef
}
'Archlinux': {
$service_name = ['iptables','ip6tables']
$package_name = undef
}
'Fedora': {
if versioncmp($::operatingsystemrelease, '15') >= 0 {
$package_name = 'iptables-services'
Expand All @@ -33,7 +29,7 @@
'Debian': {
if versioncmp($::operatingsystemrelease, '8.0') >= 0 {
$service_name = 'netfilter-persistent'
$package_name = 'netfilter-persistent'
$package_name = 'iptables-persistent'
} else {
$service_name = 'iptables-persistent'
$package_name = 'iptables-persistent'
Expand All @@ -43,7 +39,7 @@
'Ubuntu': {
if versioncmp($::operatingsystemrelease, '14.10') >= 0 {
$service_name = 'netfilter-persistent'
$package_name = 'netfilter-persistent'
$package_name = 'iptables-persistent'
} else {
$service_name = 'iptables-persistent'
$package_name = 'iptables-persistent'
Expand All @@ -61,8 +57,16 @@
$package_name = 'net-firewall/iptables'
}
default: {
$package_name = undef
$service_name = 'iptables'
case $::operatingsystem {
'Archlinux': {
$service_name = ['iptables','ip6tables']
$package_name = undef
}
default: {
$service_name = 'iptables'
$package_name = undef
}
}
}
}
}
7 changes: 4 additions & 3 deletions metadata.json
@@ -1,6 +1,6 @@
{
"name": "puppetlabs-firewall",
"version": "1.5.0",
"version": "1.6.0",
"author": "Puppet Labs",
"summary": "Manages Firewalls such as iptables",
"license": "Apache-2.0",
Expand Down Expand Up @@ -50,7 +50,8 @@
"operatingsystem": "Debian",
"operatingsystemrelease": [
"6",
"7"
"7",
"8"
]
},
{
Expand Down Expand Up @@ -79,6 +80,6 @@
}
],
"dependencies": [

]
}
118 changes: 118 additions & 0 deletions spec/acceptance/firewall_mss_spec.rb
@@ -0,0 +1,118 @@
require 'spec_helper_acceptance'

describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do

before(:all) do
shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
end

describe 'mss ipv4 tests' do
context '1360' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall {
'502 - set_mss':
proto => 'tcp',
tcp_flags => 'SYN,RST SYN',
jump => 'TCPMSS',
set_mss => '1360',
mss => '1361:1541',
chain => 'FORWARD',
table => 'mangle',
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('iptables-save -t mangle') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
end
end
end

context 'clamp_mss_to_pmtu' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
proto => 'tcp',
chain => 'FORWARD',
tcp_flags => 'SYN,RST SYN',
jump => 'TCPMSS',
clamp_mss_to_pmtu => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
end
end
end
end

if default['platform'] !~ /el-5/
describe 'mss ipv6 tests' do
context '1360' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall {
'502 - set_mss':
proto => 'tcp',
tcp_flags => 'SYN,RST SYN',
jump => 'TCPMSS',
set_mss => '1360',
mss => '1361:1541',
chain => 'FORWARD',
table => 'mangle',
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('ip6tables-save -t mangle') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "502 - set_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360/)
end
end
end

context 'clamp_mss_to_pmtu' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall {
'503 - clamp_mss_to_pmtu':
proto => 'tcp',
chain => 'FORWARD',
tcp_flags => 'SYN,RST SYN',
jump => 'TCPMSS',
clamp_mss_to_pmtu => true,
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
end
end
end
end
end

end
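Review bot: None of the four mss contexts re-applies the manifest with `:catch_changes => true`, so these specs show the rule is created but not that it is idempotent; the time spec added in this same change does both applies. The provider re-reads `--set-mss` and `--mss` from `iptables-save` and compares them with the manifest values, which is exactly where a formatting mismatch (a range spelled differently from how iptables prints it, for instance) would surface as a rule re-applied on every run. Add `apply_manifest(pp, :catch_changes => true)` after each `:catch_failures` apply, mirroring firewall_time_spec.rb.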
2 changes: 1 addition & 1 deletion spec/acceptance/firewall_spec.rb
Expand Up @@ -833,7 +833,7 @@ class { '::firewall': }
end
end


if default['platform'] !~ /el-5/ and default['platform'] !~ /ubuntu-10\.04/ and default['platform'] !~ /debian-6/ and default['platform'] !~ /sles/
describe 'checksum_fill' do
context 'virbr' do
65 changes: 65 additions & 0 deletions spec/acceptance/firewall_tee_spec.rb
@@ -0,0 +1,65 @@
require 'spec_helper_acceptance'

describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do

before(:all) do
shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
end

if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /ubuntu-1204/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/
describe 'tee_gateway' do
context '10.0.0.2' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall {
'810 - tee_gateway':
chain => 'PREROUTING',
table => 'mangle',
jump => 'TEE',
gateway => '10.0.0.2',
proto => all,
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('iptables-save -t mangle') do |r|
expect(r.stdout).to match(/-A PREROUTING -m comment --comment "810 - tee_gateway" -j TEE --gateway 10.0.0.2/)
end
end
end
end

describe 'tee_gateway6' do
context '2001:db8::1' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall {
'811 - tee_gateway6':
chain => 'PREROUTING',
table => 'mangle',
jump => 'TEE',
gateway => '2001:db8::1',
proto => all,
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('ip6tables-save -t mangle') do |r|
expect(r.stdout).to match(/-A PREROUTING -m comment --comment "811 - tee_gateway6" -j TEE --gateway 2001:db8::1/)
end
end
end
end
end

end
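Review bot: The TEE rules created here mirror every packet entering PREROUTING to 10.0.0.2 / 2001:db8::1 and are never removed: the file flushes in `before(:all)` but has no `after(:all)`, so the mirroring rule survives until the next spec file's own flush, and on a shared test host it copies unrelated traffic to that address in the meantime. Add a matching cleanup, `after(:all) do shell('iptables -t mangle --flush; ip6tables -t mangle --flush') end`. The platform guard keys on specific release strings (`ubuntu-1404`, `debian-7`, `el-7`, ...), so a short comment on why TEE is unavailable elsewhere (presumably `xt_TEE` support in older kernels) would save the next person re-deriving it.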
81 changes: 81 additions & 0 deletions spec/acceptance/firewall_time_spec.rb
@@ -0,0 +1,81 @@
require 'spec_helper_acceptance'

describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do


before(:all) do
shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
end

if default['platform'] =~ /ubuntu-1404/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /debian-8/ or default['platform'] =~ /el-7/
describe "time tests ipv4" do
context 'set all time parameters' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
dport => '8080',
action => accept,
chain => 'OUTPUT',
date_start => '2016-01-19T04:17:07',
date_stop => '2038-01-19T04:17:07',
time_start => '6:00',
time_stop => '17:00:00',
month_days => '7',
week_days => 'Tue',
kernel_timezone => true,
}
EOS

apply_manifest(pp, :catch_failures => true)
unless fact('selinux') == 'true'
apply_manifest(pp, :catch_changes => true)
end
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m comment --comment "805 - test" -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -j ACCEPT/)
end
end
end
end

describe "time tests ipv6" do
context 'set all time parameters' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '805 - test':
proto => tcp,
dport => '8080',
action => accept,
chain => 'OUTPUT',
date_start => '2016-01-19T04:17:07',
date_stop => '2038-01-19T04:17:07',
time_start => '6:00',
time_stop => '17:00:00',
month_days => '7',
week_days => 'Tue',
kernel_timezone => true,
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
unless fact('selinux') == 'true'
apply_manifest(pp, :catch_changes => true)
end
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --dports 8080 -m comment --comment "805 - test" -m time --timestart 06:00:00 --timestop 17:00:00 --monthdays 7 --weekdays Tue --datestart 2016-01-19T04:17:07 --datestop 2038-01-19T04:17:07 --kerneltz -j ACCEPT/)
end
end
end
end
end
end
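Review bot: Both contexts are titled 'set all time parameters' yet omit `time_contiguous`, so the `--contiguous` flag wired into both providers in this change has no acceptance coverage while `kernel_timezone` does. Either rename the contexts or add a second manifest with `time_start => '23:00'`, `time_stop => '01:00'`, `time_contiguous => true` and assert on `--contiguous` in the saved output (as I recall, iptables requires timestop to be earlier than timestart for that flag, so a wrap-around window is needed).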
58 changes: 58 additions & 0 deletions spec/acceptance/match_mark_spec.rb
@@ -0,0 +1,58 @@
require 'spec_helper_acceptance'

describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do

before(:all) do
shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
end

if default['platform'] !~ /el-5/
describe 'match_mark' do
context '0x1' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '503 match_mark - test':
proto => 'all',
match_mark => '0x1',
action => reject,
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('iptables-save') do |r|
expect(r.stdout).to match(/-A INPUT -m comment --comment "503 match_mark - test" -m mark --mark 0x1 -j REJECT --reject-with icmp-port-unreachable/)
end
end
end
end

describe 'match_mark_ip6' do
context '0x1' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '503 match_mark ip6tables - test':
proto => 'all',
match_mark => '0x1',
action => reject,
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A INPUT -m comment --comment "503 match_mark ip6tables - test" -m mark --mark 0x1 -j REJECT --reject-with icmp6-port-unreachable/)
end
end
end
end
end
end
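Review bot: The match_mark specs apply the manifest once and grep the saved rule, but never re-apply with `:catch_changes => true`, so they do not show that the type's hex munging round-trips with the `0x1` form `iptables-save` prints. Since the type converts the value through `to_hex32`, a case with a decimal input such as `match_mark => '1'` followed by `apply_manifest(pp, :catch_changes => true)` would pin both the conversion and idempotency in one go.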
6 changes: 6 additions & 0 deletions spec/acceptance/params_spec.rb
@@ -1,6 +1,12 @@
require 'spec_helper_acceptance'

describe "param based tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do

before(:all) do
shell('iptables --flush; iptables -t nat --flush; iptables -t mangle --flush')
shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
end

it 'test various params', :unless => (default['platform'].match(/el-5/) || fact('operatingsystem') == 'SLES') do
iptables_flush_all_tables

Expand Down
46 changes: 46 additions & 0 deletions spec/fixtures/iptables/conversion_hash.rb
Expand Up @@ -543,6 +543,29 @@
:proto => 'udp',
},
},
'match_mark' => {
:line => '-A INPUT -p tcp -m comment --comment "066 REJECT connlimit_above 10 with mask 32 and mark matches" -m mark --mark 0x1 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with icmp-port-unreachable',
:table => 'filter',
:params => {
:proto => 'tcp',
:connlimit_above => '10',
:connlimit_mask => '32',
:match_mark => '0x1',
:action => 'reject',
},
},
'clamp_mss_to_pmtu' => {
:line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "067 change max segment size" -j TCPMSS --clamp-mss-to-pmtu',
:table => 'filter',
:params => {
:name => '067 change max segment size',
:table => 'filter',
:proto => 'tcp',
:tcp_flags => 'SYN,RST SYN',
:jump => 'TCPMSS',
:clamp_mss_to_pmtu => true,
},
},
}

# This hash is for testing converting a hash to an argument line.
Expand Down Expand Up @@ -1046,4 +1069,27 @@
},
:args => ["-t", :filter, "-s", "0.0.0.0/32", "-d", "255.255.255.255/32", "-p", :udp, "-m", "multiport", "!", "--sports", "68,69", "-m", "multiport", "!", "--dports", "67,66", "-m", "comment", "--comment", "065 negate dport and sport", "-j", "ACCEPT"],
},
'match_mark' => {
:params => {
:name => '066 REJECT connlimit_above 10 with mask 32 and mark matches',
:table => 'filter',
:proto => 'tcp',
:connlimit_above => '10',
:connlimit_mask => '32',
:match_mark => '0x1',
:action => 'reject',
},
:args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "066 REJECT connlimit_above 10 with mask 32 and mark matches", "-j", "REJECT", "-m", "mark", "--mark", "0x1", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "32"],
},
'clamp_mss_to_pmtu' => {
:params => {
:name => '067 change max segment size',
:table => 'filter',
:proto => 'tcp',
:tcp_flags => 'SYN,RST SYN',
:jump => 'TCPMSS',
:clamp_mss_to_pmtu => true,
},
:args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-m", "comment", "--comment", "067 change max segment size", "-j", "TCPMSS", "--clamp-mss-to-pmtu"],
},
}
2 changes: 1 addition & 1 deletion spec/unit/classes/firewall_linux_archlinux_spec.rb
Expand Up @@ -3,7 +3,7 @@
describe 'firewall::linux::archlinux', :type => :class do
let(:facts) do
{
:osfamily => 'RedHat',
:osfamily => 'Archlinux',
:operatingsystem => 'Archlinux'
}
end
Expand Down
8 changes: 4 additions & 4 deletions spec/unit/classes/firewall_linux_debian_spec.rb
Expand Up @@ -35,13 +35,13 @@
:operatingsystem => 'Debian',
:operatingsystemrelease => 'jessie/sid'
}}
it { should contain_package('netfilter-persistent').with(
it { should contain_package('iptables-persistent').with(
:ensure => 'present'
)}
it { should contain_service('netfilter-persistent').with(
:ensure => nil,
:enable => 'true',
:require => 'Package[netfilter-persistent]'
:require => 'Package[iptables-persistent]'
)}
end

Expand All @@ -63,13 +63,13 @@
:operatingsystem => 'Debian',
:operatingsystemrelease => '8.0'
}}
it { should contain_package('netfilter-persistent').with(
it { should contain_package('iptables-persistent').with(
:ensure => 'present'
)}
it { should contain_service('netfilter-persistent').with(
:ensure => nil,
:enable => 'true',
:require => 'Package[netfilter-persistent]'
:require => 'Package[iptables-persistent]'
)}
end

3 changes: 2 additions & 1 deletion spec/unit/puppet/type/firewall_spec.rb
Expand Up @@ -82,7 +82,7 @@
end

describe ':proto' do
[:tcp, :udp, :icmp, :esp, :ah, :vrrp, :igmp, :ipencap, :ospf, :gre, :all].each do |proto|
[:tcp, :udp, :icmp, :esp, :ah, :vrrp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :all].each do |proto|
it "should accept proto value #{proto}" do
@resource[:proto] = proto
@resource[:proto].should == proto
Expand Down Expand Up @@ -275,6 +275,7 @@
},
:ip6tables => {
'1' => 'destination-unreachable',
'2' => 'too-big',
'3' => 'time-exceeded',
'4' => 'parameter-problem',
'128' => 'echo-request',
2 changes: 2 additions & 0 deletions spec/unit/puppet/util/firewall_spec.rb
Expand Up @@ -86,6 +86,8 @@
specify { subject.icmp_name_to_number('echo-reply', proto).should == '129' }
specify { subject.icmp_name_to_number('router-solicitation', proto).should == '133' }
specify { subject.icmp_name_to_number('router-advertisement', proto).should == '134' }
specify { subject.icmp_name_to_number('neighbour-solicitation', proto).should == '135' }
specify { subject.icmp_name_to_number('neighbour-advertisement', proto).should == '136' }
specify { subject.icmp_name_to_number('redirect', proto).should == '137' }
end
end