
--reap flag is not added to iptables command #340

Merged: 1 commit, Apr 3, 2014

Conversation

simon-martin (Contributor)
In lib/puppet/provider/firewall/iptables.rb we test on boolean flags when building iptables args:

    # If socket is true then do not add the value as -m socket is standalone
    if known_booleans.include?(res) then
      if resource[res] == :true then
        resource_value = nil
      else
        # If the property is not :true then we don't want to add the value
        # to the args list
        next
      end
    end

This evaluates to false on the reap flag in a definition like this:

    firewall { '001 rate limit ssh attempts':
        port      => [22],
        proto     => tcp,
        tcp_flags => "FIN,SYN,RST,ACK SYN",
        recent    => 'rcheck',
        rsource   => true,
        rname     => 'ssh-syn4',
        rseconds  => 30,
        rhitcount => 3,
        reap      => true,
        jump      => drop,
    }

This is because the value is not defined as a string, so the reap flag is not added to the args. This patch defines reap as a string true or false to match others like rsource.
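The failure described above, as an added example that is not the puppetlabs-firewall provider's own code: a minimal Ruby model of how a property hash is turned into iptables arguments. The property-to-flag map, the `KNOWN_BOOLEANS` list, the `build_args_*` and `truthy?` helpers and the sample resource are all hypothetical and cover only a subset of the properties in the manifest; the model assumes that `rsource` reaches the provider as the symbol `:true` (the form the quoted check compares against) while `reap` reaches it as a raw Ruby `true`. The strict builder reproduces the quoted check and silently loses `--reap`; the normalised variant accepts every representation of a boolean and fails loudly on anything else, so the applied rule can never be quietly weaker than the manifest declared.

```ruby
# Added example, not the puppetlabs-firewall provider's own code: a minimal
# model of how a property hash becomes iptables arguments, and why a boolean
# property whose value is not the symbol :true is silently dropped.

# Hypothetical property-to-flag map covering only the properties used here
# (the real provider's map is much larger and handles port/recent specially).
# Hash insertion order determines argument order.
RESOURCE_MAP = {
  proto:     '-p',
  rsource:   '--rsource',
  rname:     '--name',
  rseconds:  '--seconds',
  rhitcount: '--hitcount',
  reap:      '--reap',
  jump:      '-j',
}.freeze

# Properties that are standalone switches: present or absent, never "--flag value".
KNOWN_BOOLEANS = [:rsource, :reap].freeze

# Mirrors the check quoted in the PR: only the symbol :true turns the switch on;
# every other value (Ruby true, the string "true", :false) is skipped.
def build_args_strict(resource)
  args = []
  RESOURCE_MAP.each do |res, flag|
    next unless resource.key?(res)
    value = resource[res]
    if KNOWN_BOOLEANS.include?(res)
      next unless value == :true
      value = nil
    end
    args << flag
    args << value.to_s unless value.nil?
  end
  args
end

# Defensive variant: accept every representation of a boolean that a type
# definition or a manifest can produce, and reject anything unrecognised
# rather than dropping the flag and emitting a weaker rule than declared.
def truthy?(value)
  return true  if [:true, true, 'true'].include?(value)
  return false if [:false, false, 'false', nil].include?(value)
  raise ArgumentError, "unrecognised boolean value #{value.inspect}"
end

def build_args_normalised(resource)
  args = []
  RESOURCE_MAP.each do |res, flag|
    next unless resource.key?(res)
    value = resource[res]
    if KNOWN_BOOLEANS.include?(res)
      next unless truthy?(value)
      value = nil
    end
    args << flag
    args << value.to_s unless value.nil?
  end
  args
end

# Flags the strict builder loses relative to the normalised one.
def dropped_flags(resource)
  build_args_normalised(resource) - build_args_strict(resource)
end

# Constructed input modelled on the manifest in the PR (assumption: rsource is
# already the symbol :true, reap is a raw Ruby true, the mismatch described).
SAMPLE = {
  proto: 'tcp', rsource: :true, rname: 'ssh-syn4', rseconds: 30,
  rhitcount: 3, reap: true, jump: 'drop',
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "strict:     iptables #{build_args_strict(SAMPLE).join(' ')}"
  puts "normalised: iptables #{build_args_normalised(SAMPLE).join(' ')}"
  puts "dropped:    #{dropped_flags(SAMPLE).inspect}"
end
```

Running the file prints the two argument vectors; the strict one has no `--reap`, so the recent-match entries are never purged even though the manifest asked for it, and nothing in the catalog run reports the difference. That silent divergence between declared and applied firewall state is the reason a type-mismatch on a boolean property deserves a hard error rather than a skipped flag.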

apenney pushed a commit that referenced this pull request Apr 3, 2014
--reap flag is not added to iptables command
@apenney apenney merged commit eecbfa8 into puppetlabs:master Apr 3, 2014