diff --git a/README.markdown b/README.markdown index 7a5c40595..d34723217 100644 --- a/README.markdown +++ b/README.markdown @@ -446,6 +446,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `ipsec_policy`: Sets the ipsec policy type. Valid values are 'none', 'ipsec'. Requires the `ipsec_policy` feature. +* `ipset`: Matches IP sets. Value must be `ipset_name (src|dst|src,dst)` and can be negated by putting ! in front. Requires ipset kernel module. + * `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature. * `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`. diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 09816a3a2..300d5255d 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -29,6 +29,7 @@ has_feature :ipsec_dir has_feature :ipsec_policy has_feature :mask + has_feature :ipset optional_commands({ :iptables => 'iptables', @@ -62,6 +63,7 @@ :iniface => "-i", :ipsec_dir => "-m policy --dir", :ipsec_policy => "--pol", + :ipset => "-m set --match-set", :isfragment => "-f", :jump => "-j", :limit => "-m limit --limit", @@ -153,7 +155,7 @@ :src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap, - :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :jump, :todest, + :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest, :tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark, :connlimit_above, :connlimit_mask, :connmark ] @@ -222,6 +224,8 @@ def self.rule_to_hash(line, table, counter) # --tcp-flags takes two values; we cheat by adding " around it # so it behaves like --comment values = values.gsub(/(!\s+)?--tcp-flags (\S*) (\S*)/, '--tcp-flags "\1\2 \3"') + # ditto for --match-set + values = values.sub(/(!\s+)?--match-set (\S*) (\S*)/, '--match-set "\1\2 \3"') # we do a similar thing for negated address masks (source and destination). values = values.gsub(/(-\S+) (!)\s?(\S*)/,'\1 "\2 \3"') # the actual rule will have the ! mark before the option. @@ -327,6 +331,7 @@ def self.rule_to_hash(line, table, counter) :dport, :dst_range, :dst_type, + :ipset, :port, :proto, :source, @@ -502,7 +507,7 @@ def general_args # our tcp_flags takes a single string with comma lists separated # by space # --tcp-flags expects two arguments - if res == :tcp_flags + if res == :tcp_flags or res == :ipset one, two = resource_value.split(' ') args << one args << two diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index 66f0f0656..ce699da0e 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -54,6 +54,7 @@ feature :ipsec_policy, "Match IPsec policy" feature :ipsec_dir, "Match IPsec policy direction" feature :mask, "Ability to match recent rules based on the ipv4 mask" + feature :ipset, "Match against specified ipset list" # provider specific features feature :iptables, "The provider provides iptables features." @@ -879,7 +880,7 @@ def should_to_s(value) newproperty(:isfirstfrag, :required_features => :isfirstfrag) do desc <<-EOS - If true, matches if the packet is the first fragment. + If true, matches if the packet is the first fragment. Sadly cannot be negated. ipv6. EOS @@ -964,6 +965,16 @@ def should_to_s(value) EOS end + newproperty(:ipset, :required_features => :ipset) do + desc <<-EOS + Matches against the specified ipset list. + Requires ipset kernel module. + The value is the name of the blacklist, followed by a space, and then + 'src' and/or 'dst' separated by a comma. + For example: 'blacklist src,dst' + EOS + end + newparam(:line) do desc <<-EOS Read-only property for caching the rule line.