Commit
Add tcp-reset as an allowed option for --reject-with.
Resolves #1184
gcoxmoz committed Mar 8, 2024
1 parent 982528e commit 94a9cf6
Showing 4 changed files with 30 additions and 6 deletions.
8 changes: 5 additions & 3 deletions REFERENCE.md
Expand Up @@ -1267,13 +1267,15 @@ Data type: `Optional[Enum['set', 'update', 'rcheck', 'remove', '! set', '! updat

Data type: `Optional[Enum['icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited', 'icmp6-no-route', 'no-route',
'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable']]`
'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable',
'tcp-reset']]`

When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender.
Valid values differ depending on if the protocol is `IPv4` or `IPv6`.
IPv4 allows: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited,
icmp-host-prohibited, or icmp-admin-prohibited.
IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, or icmp6-port-unreachable.
icmp-host-prohibited, icmp-admin-prohibited, or tcp-reset.
IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach,
icmp6-port-unreachable, or tcp-reset.

##### `rhitcount`

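Review bot: the paragraph at the top of this hunk still says "a different icmp response", which is no longer accurate now that `tcp-reset` is in the list: that value makes the REJECT target send a TCP RST segment, not an ICMP error. Suggest rewording to something like "a different response (an ICMP error, or a TCP RST for `tcp-reset`) to be sent back to the packet sender". Since REFERENCE.md is generated from the type's `desc`, the wording change belongs in `lib/puppet/type/firewall.rb` as well.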
8 changes: 5 additions & 3 deletions lib/puppet/type/firewall.rb
Expand Up @@ -1261,13 +1261,15 @@
reject: {
type: "Optional[Enum['icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited', 'icmp6-no-route', 'no-route',
'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable']]",
'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable',
'tcp-reset']]",
desc: <<-DESC
When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender.
Valid values differ depending on if the protocol is `IPv4` or `IPv6`.
IPv4 allows: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited,
icmp-host-prohibited, or icmp-admin-prohibited.
IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, or icmp6-port-unreachable.
icmp-host-prohibited, icmp-admin-prohibited, or tcp-reset.
IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach,
icmp6-port-unreachable, or tcp-reset.
DESC
},
set_mark: {
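Review bot: the enum accepts `reject => 'tcp-reset'` regardless of `proto`, but iptables only accepts `--reject-with tcp-reset` on rules that match TCP, so a manifest that combines it with `proto => udp` (or no proto) would pass catalog compilation and then fail at apply time. Both acceptance fixtures in this commit set `proto => tcp`; consider stating that constraint in the `desc` ("tcp-reset is only valid when proto is tcp") or adding a validation on the type so the error surfaces during compilation rather than on the node.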
10 changes: 10 additions & 0 deletions spec/acceptance/firewall_attributes_happy_path_spec.rb
Expand Up @@ -239,6 +239,12 @@ class { '::firewall': }
chain => 'FORWARD',
table => 'mangle',
}
firewall { '605 - reject with tcp-reset':
proto => tcp,
jump => reject,
reject => 'tcp-reset',
}
firewall { '700 - blah-A Test Rule':
jump => 'LOG',
log_prefix => 'FW-A-INPUT: ',
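Review bot: `proto => tcp` and `jump => reject` are unquoted barewords while the surrounding fixture quotes its string values (`chain => 'FORWARD'`, `jump => 'LOG'`); Puppet treats the barewords as strings so this works, but quoting them keeps the manifest consistent and avoids relying on that behaviour. Note also that the lowercase `reject` only satisfies the `-j REJECT` assertion below because the type upcases the jump target.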
Expand Down Expand Up @@ -477,6 +483,10 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "604 - set_mss" -j TCPMSS --set-mss 1360})
end

it 'tcp-reset is set' do
expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m comment --comment "605 - reject with tcp-reset" -j REJECT --reject-with tcp-reset})
end

it 'clamp_mss_to_pmtu is set' do
expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m tcp --tcp-flags SYN,RST SYN -m comment --comment "601 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu})
end
10 changes: 10 additions & 0 deletions spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb
Expand Up @@ -217,6 +217,12 @@ class { '::firewall': }
src_type => ['LOCAL', '! LOCAL'],
protocol => 'ip6tables',
}
firewall { '621 - reject with tcp-reset':
proto => tcp,
jump => reject,
reject => 'tcp-reset',
protocol => 'ip6tables',
}
firewall { '801 - ipt_modules tests':
proto => tcp,
dport => '8080',
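Review bot: the `621 - reject with tcp-reset` resource sets no `chain`, so the `-A INPUT` expectation added later in this file depends on the type's default chain; an explicit `chain => 'INPUT'` would make the fixture self-describing and match the style of the other resources here. Same bareword-versus-quoted-string point as in the IPv4 spec for `proto => tcp` and `jump => reject`.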
Expand Down Expand Up @@ -396,6 +402,10 @@ class { '::firewall': }
expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype --src-type LOCAL -m addrtype ! --src-type LOCAL -m comment --comment "620 - src_type multiple values" -j ACCEPT})
end

it 'tcp-reset is set' do
expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m comment --comment "621 - reject with tcp-reset" -j REJECT --reject-with tcp-reset})
end

it 'all the modules with multiple args is set' do
expect(result.stdout).to match(%r{-A OUTPUT -p (tcp|6) -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m tcp --dport 8080 -m addrtype --src-type LOCAL -m addrtype --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength
end