Merge pull request #383 from vzctl/ipset
add ipset support
hunner committed Oct 23, 2014
2 parents dfb5e54 + e7f9a38 commit 4ed1b43
Showing 3 changed files with 21 additions and 3 deletions.
2 changes: 2 additions & 0 deletions README.markdown
@@ -446,6 +448,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `ipsec_policy`: Sets the ipsec policy type. Valid values are 'none', 'ipsec'. Requires the `ipsec_policy` feature.

* `ipset`: Matches IP sets. Value must be `ipset_name (src|dst|src,dst)` and can be negated by putting ! in front. Requires ipset kernel module.

* `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature.

* `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`.
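Review bot: the new `ipset` entry breaks the convention of its neighbours, which state the gating feature ("Requires the `ipsec_policy` feature", "Requires the `isfirstfrag` feature"); since the iptables provider in this PR declares `has_feature :ipset`, append "Requires the `ipset` feature." so users of other providers know the property is unavailable there. The entry also says the value "can be negated by putting ! in front" without showing the form; one concrete example, such as `ipset => '! blacklist src'`, would settle the exact spelling (space or no space after `!`) that users are expected to write.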
9 changes: 7 additions & 2 deletions lib/puppet/provider/firewall/iptables.rb
Expand Up @@ -29,6 +29,7 @@
has_feature :ipsec_dir
has_feature :ipsec_policy
has_feature :mask
has_feature :ipset

optional_commands({
:iptables => 'iptables',
@@ -62,6 +63,7 @@
:iniface => "-i",
:ipsec_dir => "-m policy --dir",
:ipsec_policy => "--pol",
:ipset => "-m set --match-set",
:isfragment => "-f",
:jump => "-j",
:limit => "-m limit --limit",
@@ -153,7 +155,7 @@
:src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port,
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :jump, :todest,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
:tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
:connlimit_above, :connlimit_mask, :connmark
]
@@ -222,6 +224,8 @@ def self.rule_to_hash(line, table, counter)
# --tcp-flags takes two values; we cheat by adding " around it
# so it behaves like --comment
values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"')
# ditto for --match-set
values = values.sub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set "\1\2 \3"')
# we do a similar thing for negated address masks (source and destination).
values = values.gsub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"')
# the actual rule will have the ! mark before the option.
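Review bot: `values.sub(...)` on the `--match-set` line quotes only the first occurrence, whereas the `--tcp-flags` line directly above uses `gsub`; iptables permits repeating `-m set --match-set` within one rule, so for such a saved rule the second `--match-set name dir` pair would be left unquoted and the rest of the line would be mis-tokenised. Use `values = values.gsub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set "\1\2 \3"')` for consistency with the tcp-flags handling.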
@@ -327,6 +331,7 @@ def self.rule_to_hash(line, table, counter)
:dport,
:dst_range,
:dst_type,
:ipset,
:port,
:proto,
:source,
@@ -502,7 +507,7 @@ def general_args
# our tcp_flags takes a single string with comma lists separated
# by space
# --tcp-flags expects two arguments
if res == :tcp_flags
if res == :tcp_flags or res == :ipset
one, two = resource_value.split(' ')
args << one
args << two
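Review bot: the comment above `if res == :tcp_flags or res == :ipset` still describes only tcp_flags; extend it to say that `ipset` is likewise a single `'name src,dst'` string that has to be split into the two arguments `--match-set` expects. Separately, `resource_value.split(' ')` silently yields `two = nil` when the value has no direction part, and nothing in the type validates the format, so a value such as `'blacklist'` would reach iptables as an incomplete `--match-set`; either check here that both halves are present or add a `validate` block to the property so the user gets a clear Puppet error instead of an iptables failure.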
13 changes: 12 additions & 1 deletion lib/puppet/type/firewall.rb
Expand Up @@ -54,6 +54,7 @@
feature :ipsec_policy, "Match IPsec policy"
feature :ipsec_dir, "Match IPsec policy direction"
feature :mask, "Ability to match recent rules based on the ipv4 mask"
feature :ipset, "Match against specified ipset list"

# provider specific features
feature :iptables, "The provider provides iptables features."
@@ -879,7 +880,7 @@ def should_to_s(value)

newproperty(:isfirstfrag, :required_features => :isfirstfrag) do
desc <<-EOS
If true, matches if the packet is the first fragment.
If true, matches if the packet is the first fragment.
Sadly cannot be negated. ipv6.
EOS

@@ -964,6 +965,16 @@ def should_to_s(value)
EOS
end

newproperty(:ipset, :required_features => :ipset) do
desc <<-EOS
Matches against the specified ipset list.
Requires ipset kernel module.
The value is the name of the blacklist, followed by a space, and then
'src' and/or 'dst' separated by a comma.
For example: 'blacklist src,dst'
EOS
end

newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.
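Review bot: the desc says "the name of the blacklist", but an ipset is not necessarily a blacklist; say "the name of the ipset" and keep the example generic so readers do not take that name as a requirement. The README hunk in this PR documents negation with a leading `!`, which this desc omits; mention it here as well. The property also has no `validate` block, unlike the provider's expectation that the value splits into exactly two fields; an illustrative check such as `validate do |value| raise ArgumentError, "..." unless value =~ /^(!\s+)?\S+ (src|dst|src,dst)$/ end` would reject malformed values before the provider splits them.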
