
recent iptables

1 parent 864fa2d commit a0ccbd8b0c7fe8a1fce156854f11ad20d0b310d0 Daniel Black committed Jan 23, 2012
@@ -123,6 +123,14 @@
state => 'INVALID',
}
+firewall { '100 ssh connection limit':
+ action => drop,
+ recent_command => 'update',
+ recent_seconds => 60,
+ recent_hitcount => 4,
+ recent_name => 'sshlimit',
+}
+
resources { 'firewall':
purge => true
}
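Review bot: The example rule only drops packets whose source is already in the 'sshlimit' list with four or more hits in the last 60 seconds, but nothing in the hunk ever adds a source to that list (a companion rule with `recent_command => 'set'` and the same `recent_name`), and the rule carries no `proto => 'tcp', dport => '22'` restriction. As written it matches nothing, and once a set rule is added it would apply to every protocol and port rather than SSH. Unless the rest of the manifest supplies both, the example is misleading for anyone copying it; adding the set rule and the tcp/22 restriction to the snippet would make it self-contained.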
@@ -39,6 +39,7 @@ def method_missing(meth, *args, &block)
dynamic_methods << :chain
dynamic_methods << :table
dynamic_methods << :action
+ dynamic_methods << :recent_command
if dynamic_methods.include?(meth.to_sym) then
if @property_hash[meth.to_sym] then
@@ -14,6 +14,7 @@
has_feature :icmp_match
has_feature :owner
has_feature :state_match
+ has_feature :recent_match
has_feature :reject_type
has_feature :log_level
has_feature :log_prefix
@@ -40,6 +41,15 @@
:port => '-m multiport --ports',
:proto => "-p",
:reject => "--reject-with",
+ :recent_set => "-m recent --set",
+ :recent_update => "-m recent --update",
+ :recent_remove => "-m recent --remove",
+ :recent_rcheck => "-m recent --rcheck",
+ :recent_rsource => "--rsource",
+ :recent_rdest => "--rdest",
+ :recent_seconds => "--seconds",
+ :recent_hitcount => "--hitcount",
+ :recent_rttl => "--rttl",
:source => "-s",
:state => "-m state --state",
:sport => "-m multiport --sports",
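Review bot: `:recent_name` is added to @resource_list in the following hunk, but this map gains no entry for it, so unless it is mapped outside the hunk the provider has nothing to translate the list name to `--name` on the way out or to recover it from iptables-save output on the way in; the missing line would be `:recent_name => "--name",` placed with the other recent entries. The `method_missing` hunk above adds `:recent_command` to dynamic_methods by hand, which suggests that list is derived from this map; if so, `recent_name` would need the entry for the same reason. Worth confirming how recent_seconds and recent_hitcount resolve there too.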
@@ -57,6 +67,8 @@
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [:table, :source, :destination, :iniface, :outiface,
:proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :recent_update, :recent_set, :recent_rcheck, :recent_remove, :recent_seconds, :recent_hitcount,
+ :recent_rttl, :recent_name, :recent_rsource, :recent_rdest,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark]
def insert
@@ -65,7 +77,7 @@ def insert
end
def update
- debug 'Updating rule %s' % resource[:name]
+ debug 'Updating rule %s' % resource[:name]
iptables update_args
end
@@ -158,6 +170,18 @@ def self.rule_to_hash(line, table, counter)
hash[:log_level] = '4'
end
+ # rsource if the default if rdest isn't set
+ hash[:recent_rsource] = true if ! hash[:recent_rdest]
+
+ hash[:recent_command] = :set if hash.include?(:recent_set)
+ hash[:recent_command] = :update if hash.include?(:recent_update)
+ hash[:recent_command] = :remove if hash.include?(:recent_remove)
+ hash[:recent_command] = :rcheck if hash.include?(:recent_rcheck)
+
+ [:recent_set, :recent_update, :recent_remove, :recent_rcheck].each do |key|
+ hash.delete(key)
+ end
+
hash[:line] = line
hash[:provider] = self.name.to_s
hash[:table] = table
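Review bot: `hash[:recent_rsource] = true if ! hash[:recent_rdest]` runs for every parsed rule, so rules that never use `-m recent` also come back from iptables-save with recent_rsource set; if that key is, or later becomes, a managed property (none is declared in the type hunk below, but it may live elsewhere) every non-recent rule would be reported as changed on each run. Deriving recent_command in the same pass that deletes the four `recent_*` keys, and only then setting the rsource default when a command is present, keeps the flag to rules that actually carry the module; the comment above it also reads "rsource if the default" where "is" is meant. rule_to_hash begins before this hunk and continues after it.
```ruby
# … unchanged: log_level handling …
# iptables accepts one recent command per rule; collapse whichever of the
# four option keys was parsed into recent_command (later entries win, as before)
[:set, :update, :remove, :rcheck].each do |cmd|
  key = "recent_#{cmd}".to_sym
  next unless hash.key?(key)
  hash.delete(key)
  hash[:recent_command] = cmd
end
# rsource is the iptables default when rdest isn't given; only meaningful
# for rules that use the recent module at all
hash[:recent_rsource] = true if hash[:recent_command] && !hash[:recent_rdest]
hash[:line] = line
# … unchanged: provider/table bookkeeping …
```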
@@ -24,6 +24,7 @@
feature :icmp_match, "Matching ICMP types"
feature :owner, "Matching owners"
feature :state_match, "Matching stateful firewall states"
+ feature :recent_match, "Matching recent packets"
feature :reject_type, "The ability to control reject messages"
feature :log_level, "The ability to control the log level"
feature :log_prefix, "The ability to add prefixes to log messages"
@@ -440,6 +441,37 @@ def should_to_s(value)
end
end
+
+ newproperty(:recent_name) do
+ desc <<-EOS
+ List name for use with recent commands
+ EOS
+ newvalue(/^\S+$/)
+
+ defaultto :DEFAULT
+ end
+
+ newproperty(:recent_command) do
+ desc <<-EOS
+ Command for the recent module
+ EOS
+ newvalues(:set, :update,:remove,:rcheck)
+ end
+
+ newproperty(:recent_seconds) do
+ desc <<-EOS
+ Number of seconds to treat as recent
+ EOS
+ newvalue(/^\d+$/)
+ end
+
+ newproperty(:recent_hitcount) do
+ desc <<-EOS
+ Narrows the recent to those equal or great than this count
+ EOS
+ newvalue(/^\d+$/)
+ end
+
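Review bot: The value patterns `/^\S+$/` and `/^\d+$/` on recent_name, recent_seconds and recent_hitcount anchor per line rather than to the whole string, so a value containing an embedded newline after a valid prefix is accepted and handed to iptables as a single argument; use `newvalue(/\A\S+\z/)` and `newvalue(/\A\d+\z/)` to validate the complete value. The provider hunk above now writes `recent_rsource`, `recent_rdest` and `recent_rttl` into the rule hash, yet no property for them is declared here, so if they are not declared elsewhere those keys are dead on the type side. The recent_hitcount desc reads "equal or great than" where "greater" is meant, and `newvalues(:set, :update,:remove,:rcheck)` is missing spaces after the commas.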
newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.
