Add support for parsing and using --tcp-option #1126

Merged 6 commits on Jun 21, 2023

Commits on May 26, 2023

  1. Fix Rubocop 'Metrics/BlockLength' config

    Rubocop's maximum value for allowed block length needs to be incremented
    by hand each time the 'firewall' type gains a new feature, because the
    maximum block length is hand-tuned to the size of that 'newtype' block.
    Having the 'Metrics/BlockLength' cop instead ignore lengths for the
    'newtype' and 'provider' methods (which inherently have very long
    blocks) instead solves the problem for all 'newtype' and 'provider'
    blocks at one fell swoop, and with addition of one inline disable
    comment for the 'validate' block in the 'firewall' type, means all
    remaining block length warnings are squelched by a max value of only 64
    lines.
    greatflyingsteve committed May 26, 2023
    Commit 3dfe1b4
  2. Support parsing iptables rules with --tcp-option

    Add the ability to parse iptables rules we encounter that include the
    '--tcp-option' flag, instead of issuing a "Skipping unparseable
    iptables rule" warning.  Every Firewall resource requires a full parse
    of all rules, and the warning appears each time the problem rule is
    parsed; therefore these warning messages are noisy (especially on long
    rule sets), and there is no way to work around this, make the parser
    ignore the rule, or create other rules with Puppet in any order aside
    from "above the unparseable rule."
    greatflyingsteve committed May 26, 2023
    Commit c2a06ce
  3. Support creating rules that match a TCP option

    Add support (and unit tests) for creating rules that use iptables'
    '--tcp-option' flag to match the presence or non-presence of numbered
    TCP options.  Remove special casing from '--tcp-flags', previously the
    only argument from the TCP match extension other than '--dport' and
    '--sport', and have the TCP match extension treated as a module only
    during rule assembly, because due to its inconsistent usage in
    iptables-save output when multiport portspecs are used, '-m tcp' or
    '-m udp' will throw off parsing badly if present.
    
    Resolves puppetlabs#1124
    greatflyingsteve committed May 26, 2023
    Commit 7a7db40
  4. Move ip6tables provider tests to correct file

    Move tests for the ip6tables provider into the ip6tables provider unit
    test file.  Even if it's subclassed from iptables, it should be
    reasonable to expect running all tests in the ip6tables provider's
    tests file to include all tests for the ip6tables provider.  Also update
    several test definitions that had fallen out of sync with the iptables
    provider's test framework so the test cases for ip6tables are also no
    longer sensitive to specific hash order and stringified 'true'.
    greatflyingsteve committed May 26, 2023
    Commit 8ac01cd
  5. Support parsing and creating IPv6 TCP Option rules

    Provide the same support for rule parse and create for IPv6 as the
    previous commit provided for IPv4.
    greatflyingsteve committed May 26, 2023
    Commit 1d283f2
  6. Commit a82cd69