

MODULES-1636: add iptables --checksum-fill support
Marc Olzheim committed Mar 11, 2015
1 parent ff48d31 commit 07667a0
Showing 5 changed files with 79 additions and 3 deletions.
2 changes: 2 additions & 0 deletions README.markdown
Expand Up @@ -437,6 +437,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `chain`: Name of the chain to use. You can provide a user-based chain or use one of the following built-in chains:'INPUT','FORWARD','OUTPUT','PREROUTING', or 'POSTROUTING'. The default value is 'INPUT'. Values must match '/^[a-zA-Z0-9\-_]+$/'. Requires the `iptables` feature.

* `checksum_fill`: When using a `jump` value of 'CHECKSUM' this boolean will make sure that a checksum is calculated and filled in a packet that lacks a checksum. Valid values are true or false. Requires the `iptables` feature.

* `connlimit_above`: Connection limiting value for matched connections above n. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.

* `connlimit_mask`: Connection limiting by subnet mask for matched connections. Apply a subnet mask of /0 to /32 for IPv4, and a subnet mask of /0 to /128 for IPv6. Values must match '/^\d+$/'. Requires the `connection_limiting` feature.
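--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -65,6 +65,7 @@ def self.iptables_save(*args)
 
 @resource_map = {
 :burst => "--limit-burst",
+:checksum_fill => "--checksum-fill",
 :connlimit_above => "-m connlimit --connlimit-above",
 :connlimit_mask => "--connlimit-mask",
 :connmark => "-m connmark --mark",
@@ -128,6 +129,7 @@ def self.iptables_save(*args)
 # These are known booleans that do not take a value, but we want to munge
 # to true if they exist.
 @known_booleans = [
+:checksum_fill,
 :ishasmorefrags,
 :islastfrag,
 :isfirstfrag,
@@ -198,7 +200,7 @@ def self.iptables_save(*args)
 :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
 :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
-:tosource, :toports, :log_level, :log_prefix, :reject, :set_mark,
-:connlimit_above, :connlimit_mask, :connmark]
+:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject,
+:set_mark, :connlimit_above, :connlimit_mask, :connmark]
 
 end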
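--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -51,6 +51,7 @@
 
 @resource_map = {
 :burst => "--limit-burst",
+:checksum_fill => "--checksum-fill",
 :connlimit_above => "-m connlimit --connlimit-above",
 :connlimit_mask => "--connlimit-mask",
 :connmark => "-m connmark --mark",
@@ -113,6 +114,7 @@
 # These are known booleans that do not take a value, but we want to munge
 # to true if they exist.
 @known_booleans = [
+:checksum_fill,
 :isfragment,
 :random,
 :rdest,
@@ -223,7 +225,7 @@ def munge_resource_map_from_resource(resource_map_original, compare)
 :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
 :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
-:tosource, :toports, :to, :random, :log_prefix, :log_level, :reject, :set_mark,
+:tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark,
 :connlimit_above, :connlimit_mask, :connmark
 ]
 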
14 changes: 14 additions & 0 deletions lib/puppet/type/firewall.rb
Expand Up @@ -1060,6 +1060,14 @@ def insync?(is)
EOS
end

newproperty(:checksum_fill, :required_features => :iptables) do
desc <<-EOS
Compute and fill missing packet checksums.
EOS

newvalues(:true, :false)
end

newparam(:line) do
desc <<-EOS
Read-only property for caching the rule line.
Expand Down Expand Up @@ -1252,5 +1260,11 @@ def insync?(is)
self.fail "Parameter 'stat_probability' requires 'stat_mode' to be set to 'random'"
end

if value(:checksum_fill)
unless value(:jump).to_s == "CHECKSUM" && value(:table).to_s == "mangle"
self.fail "Parameter checksum_fill requires jump => CHECKSUM and table => mangle"
end
end

end
end
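Review bot: The guard `if value(:checksum_fill)` in the second hunk treats `checksum_fill => false` as set, because `newvalues(:true, :false)` hands the validator the symbol `:false`, which is truthy in Ruby — so a non-CHECKSUM rule that explicitly sets the property to false presumably fails with "requires jump => CHECKSUM and table => mangle". Compare the string form instead: `if value(:checksum_fill).to_s == "true"`. The `desc` of the new property should also state the constraint the validator enforces, e.g. `Compute and fill missing packet checksums. Only valid with jump => CHECKSUM in the mangle table.`, so that `puppet describe firewall` agrees with the README. Conversely, iptables' CHECKSUM target appears to require `--checksum-fill`, so a `jump => 'CHECKSUM'` rule without `checksum_fill => true` would likely fail at apply time rather than at catalog validation; the inverse check may be worth adding. The validate block these lines sit in begins before the hunk.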
56 changes: 56 additions & 0 deletions spec/acceptance/firewall_spec.rb
Expand Up @@ -833,6 +833,62 @@ class { '::firewall': }
end
end

describe 'checksum_fill' do
context 'virbr' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '576 - test':
proto => udp,
table => 'mangle',
outiface => 'virbr0',
chain => 'POSTROUTING',
dport => '68',
jump => 'CHECKSUM',
checksum_fill => true,
provider => iptables,
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('iptables-save -t mangle') do |r|
expect(r.stdout).to match(/-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - test" -j CHECKSUM --checksum-fill/)
end
end
end
end

describe 'checksum_fill6' do
context 'virbr' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '576 - test':
proto => udp,
table => 'mangle',
outiface => 'virbr0',
chain => 'POSTROUTING',
dport => '68',
jump => 'CHECKSUM',
checksum_fill => true,
provider => ip6tables,
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('ip6tables-save -t mangle') do |r|
expect(r.stdout).to match(/-A POSTROUTING -o virbr0 -p udp -m multiport --dports 68 -m comment --comment "576 - test" -j CHECKSUM --checksum-fill/)
end
end
end
end
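Review bot: Both new examples exercise only the happy path (`checksum_fill => true` with `jump => 'CHECKSUM'` in mangle); nothing covers the jump/table validation the type adds, so a regression in that check would pass this suite unnoticed. A negative example that applies a rule with `checksum_fill => true` and a different jump, then asserts the expected failure, would pin that behaviour. Separately, the ip6tables example copies `dport => '68'` (the DHCPv4 client port) from the IPv4 case; it does not affect the assertion, but DHCPv6 uses 546/547 if the rule is meant to be realistic. The describe blocks are complete within the hunk.
```ruby
context 'without jump CHECKSUM' do
  it 'fails validation' do
    pp = <<-EOS
      class { '::firewall': }
      firewall { '577 - test':
        proto         => udp,
        table         => 'mangle',
        chain         => 'POSTROUTING',
        jump          => 'ACCEPT',
        checksum_fill => true,
        provider      => iptables,
      }
    EOS

    apply_manifest(pp, :expect_failures => true) do |r|
      expect(r.stderr).to match(/requires jump => CHECKSUM and table => mangle/)
    end
  end
end
```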

# RHEL5 does not support --random
if default['platform'] !~ /el-5/
describe 'random' do
