puppetlabs · daianamezdrea · Apr 30, 2020 · Apr 22, 2020
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -17,6 +17,9 @@
   has_feature :log_level
   has_feature :log_prefix
   has_feature :log_uid
+  has_feature :log_tcp_sequence
+  has_feature :log_tcp_options
+  has_feature :log_ip_options
   has_feature :mark
   has_feature :mss
   has_feature :tcp_flags
@@ -114,6 +117,9 @@ def self.iptables_save(*args)
     log_level: '--log-level',
     log_prefix: '--log-prefix',
     log_uid: '--log-uid',
+    log_tcp_sequence: '--log-tcp-sequence',
+    log_tcp_options: '--log-tcp-options',
+    log_ip_options: '--log-ip-options',
     mask: '--mask',
     match_mark: '-m mark --mark',
     name: '-m comment --comment',
@@ -199,6 +205,9 @@ def self.iptables_save(*args)
     :islastfrag,
     :isfirstfrag,
     :log_uid,
+    :log_tcp_sequence,
+    :log_tcp_options,
+    :log_ip_options,
     :rsource,
     :rdest,
     :reap,
@@ -283,7 +292,8 @@ def self.iptables_save(*args)
                     :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
                     :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
                     :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
-                    :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+                    :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options,
+                    :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
                     :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
                     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
                     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -22,6 +22,9 @@
   has_feature :log_level
   has_feature :log_prefix
   has_feature :log_uid
+  has_feature :log_tcp_sequence
+  has_feature :log_tcp_options
+  has_feature :log_ip_options
   has_feature :mark
   has_feature :mss
   has_feature :nflog_group
@@ -107,6 +110,9 @@
     log_level: '--log-level',
     log_prefix: '--log-prefix',
     log_uid: '--log-uid',
+    log_tcp_sequence: '--log-tcp-sequence',
+    log_tcp_options: '--log-tcp-options',
+    log_ip_options: '--log-ip-options',
     mac_source: ['-m mac --mac-source', '--mac-source'],
     mask: '--mask',
     match_mark: '-m mark --mark',
@@ -205,6 +211,9 @@
     :clamp_mss_to_pmtu,
     :isfragment,
     :log_uid,
+    :log_tcp_sequence,
+    :log_tcp_options,
+    :log_ip_options,
     :random_fully,
     :random,
     :rdest,
@@ -331,7 +340,7 @@ def munge_resource_map_from_resource(resource_map_original, compare)
     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
     :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
     :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
-    :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+    :log_level, :log_uid, :log_tcp_sequence, :log_tcp_options, :log_ip_options, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
@@ -35,7 +35,8 @@
         * Required binaries: ip6tables-save, ip6tables.
         * Supported features: address_type, connection_limiting, conntrack, dnat, hop_limiting, icmp_match,
         interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfirstfrag,
-        ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid, mark, mask, mss,
+        ishasmorefrags, islastfrag, length, log_level, log_prefix, log_uid,
+        log_tcp_sequence, log_tcp_options, log_ip_options, mask, mss,
         owner, pkttype, queue_bypass, queue_num, rate_limiting, recent_limiting, reject_type,
         snat, socket, state_match, string_matching, tcp_flags, hashlimit, bpf.
 
@@ -45,7 +46,8 @@
         * Default for kernel == linux.
         * Supported features: address_type, clusterip, connection_limiting, conntrack, dnat, icmp_match,
         interface_match, iprange, ipsec_dir, ipsec_policy, ipset, iptables, isfragment, length,
-        log_level, log_prefix, log_uid, mark, mask, mss, netmap, nflog_group, nflog_prefix,
+        log_level, log_prefix, log_uid, log_tcp_sequence, log_tcp_options, log_ip_options,
+        mark, mask, mss, netmap, nflog_group, nflog_prefix,
         nflog_range, nflog_threshold, owner, pkttype, queue_bypass, queue_num, rate_limiting,
         recent_limiting, reject_type, snat, socket, state_match, string_matching, tcp_flags, bpf.
 
@@ -90,6 +92,12 @@
 
       * log_uid: The ability to log the userid of the process which generated the packet.
 
+      * log_tcp_sequence: The ability to log TCP sequence numbers.
+
+      * log_tcp_options: The ability to log TCP packet header.
+
+      * log_ip_options: The ability to log IP/IPv6 packet header.
+
       * mark: The ability to match or set the netfilter mark value associated with the packet.
 
       * mask: The ability to match recent rules based on the ipv4 mask.
@@ -153,6 +161,9 @@
   feature :log_level, 'The ability to control the log level'
   feature :log_prefix, 'The ability to add prefixes to log messages'
   feature :log_uid, 'Add UIDs to log messages'
+  feature :log_tcp_sequence, 'Add TCP sequence numbers to log messages'
+  feature :log_tcp_options, 'Add TCP packet header to log messages'
+  feature :log_ip_options, 'Add IP/IPv6 packet header to log messages'
   feature :mark, 'Match or Set the netfilter mark value associated with the packet'
   feature :mss, 'Match a given TCP MSS value or range.'
   feature :tcp_flags, 'The ability to match on particular TCP flag settings'
@@ -796,6 +807,33 @@ def should_to_s(value)
     newvalues(:true, :false)
   end
 
+  newproperty(:log_tcp_sequence, required_features: :log_tcp_sequence) do
+    desc <<-PUPPETCODE
+      When combined with jump => "LOG" enables logging of the TCP sequence
+      numbers.
+    PUPPETCODE
+
+    newvalues(:true, :false)
+  end
+
+  newproperty(:log_tcp_options, required_features: :log_tcp_options) do
+    desc <<-PUPPETCODE
+      When combined with jump => "LOG" logging of the TCP packet
+      header.
+    PUPPETCODE
+
+    newvalues(:true, :false)
+  end
+
+  newproperty(:log_ip_options, required_features: :log_ip_options) do
+    desc <<-PUPPETCODE
+      When combined with jump => "LOG" logging of the TCP IP/IPv6
+      packet header.
+    PUPPETCODE
+
+    newvalues(:true, :false)
+  end
+
   newproperty(:nflog_group, required_features: :nflog_group) do
     desc <<-PUPPETCODE
       Used with the jump target NFLOG.
@@ -2349,9 +2387,10 @@ def should_to_s(value)
       end
     end
 
-    if value(:log_prefix) || value(:log_level) || value(:log_uid) == :true
+    if value(:log_prefix) || value(:log_level) || value(:log_uid) ||
+       value(:log_tcp_sequence) || value(:log_tcp_options) || value(:log_ip_options) == :true
       unless value(:jump).to_s == 'LOG'
-        raise 'Parameter log_prefix, log_level and log_uid require jump => LOG'
+        raise 'Parameter log_prefix, log_level, log_tcp_sequence, log_tcp_options, log_ip_options  and log_uid require jump => LOG'
       end
     end
 

diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -243,10 +243,13 @@ class { '::firewall': }
             jump       => 'LOG',
             log_prefix => 'FW-A-INPUT: ',
           }
-          firewall { '701 - log_uid':
-            chain   => 'OUTPUT',
-            jump    => 'LOG',
-            log_uid => true,
+          firewall { '701 - log_uid, tcp-sequences and options':
+            chain            => 'OUTPUT',
+            jump             => 'LOG',
+            log_uid          => true,
+            log_tcp_sequence => true,
+            log_tcp_options  => true,
+            log_ip_options   => true,
           }
           firewall { '711 - physdev_in':
             chain => 'FORWARD',
@@ -433,8 +436,8 @@ class { '::firewall': }
     it 'comment containing "-A "' do
       expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "700 - blah-A Test Rule" -j LOG --log-prefix "FW-A-INPUT: "})
     end
-    it 'set log_uid' do
-      expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid" -j LOG --log-uid})
+    it 'set log_uid, log_tcp_sequence, log_tcp_options, log_ip_options' do
+      expect(result.stdout).to match(%r{-A OUTPUT -p tcp -m comment --comment "701 - log_uid, tcp-sequences and options" -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid})
     end
     it 'set physdev_in' do
       expect(result.stdout).to match(%r{-A FORWARD -p tcp -m physdev\s+--physdev-in eth0 -m multiport --dports 711 -m comment --comment "711 - physdev_in" -j ACCEPT})