Update firewall to 667a9f6
667a9f6 Merge pull request #529 from jonnytpuppet/test_fix
a22bf41 Test fixes
68e5989 Merge pull request #527 from jonnytpuppet/add_match_mark
05e50da add match_mark
875b3fe Merge pull request #525 from jonnytpuppet/tee-support
db063e5 Merge pull request #526 from elyscape/arch_linux
d6a9344 Merge pull request #528 from puppetlabs/modulesync_updates
3a112d2 beaker gemfile fixes
1ce7153 sync via modulesync
ee764c4 sync via modulesync
213a5a2 Gentoo is not Arch Linux
204bfb0 Arch Linux is not a Red Hat distro
29114f5 Merge pull request #515 from peikk0/add-icmpv6-types-neighbour
98a9213 TEE Feature
430cd82 Merge pull request #524 from jonnytpuppet/mssfix
d3351a1 Merge pull request #514 from peikk0/add-icmpv6-type-too-big
d118975 MSS test fixes
5c5b2f9 Fix tcp-mss acceptance test
8f1ea59 Added support for setting the MSS of a packet.
dd04730 Merge pull request #523 from jonnytpuppet/debian_8_ubuntu_1410_fixes
8d45074 Merge pull request #522 from jonnytpuppet/time_iptmodule
2b4bc33 Added iptables-persistent fix for Debian 8 and Ubuntu 14.10
a3695e9 Added support for time ipt_module
b26d48b Merge pull request #521 from jonnytpuppet/idemp_fix
93dd79d Fixed lint issue
01c4b5a Merge pull request #520 from jonnytpuppet/idemp_fix
4f7e567 Fixed idempotency bug relating to MODULES-1984
dc44744 Merge pull request #518 from johnduarte/1984-patch-for-centos7
b7182ea (MODULES-1984) Perform daemon-reload on systemd
f4ed46b Add support for ICMPv6 types neighbour-{solicitation,advertisement}
c535808 Add ICMPv6 type too-big in specs
fa71c04 Add support for ICMPv6 type too-big (2)
xbezdick committed May 11, 2015
1 parent 38f4cf2 commit c47a5b9
Showing 23 changed files with 603 additions and 40 deletions.
2 changes: 1 addition & 1 deletion Puppetfile
Expand Up @@ -35,7 +35,7 @@ mod 'corosync',
:git => 'https://github.com/puppetlabs/puppetlabs-corosync.git'

mod 'firewall',
:commit => 'e7121fe12f7582695ef774b51742b65a37d462db',
:commit => '667a9f67a7ce8eb343c132feb1e00c6e2132d38a',
:git => 'https://github.com/puppetlabs/puppetlabs-firewall.git'

mod 'galera',
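Review bot: pinning the module to a full 40-character commit SHA rather than a branch keeps the dependency reproducible and tamper-evident, so the change itself is fine; the short form 667a9f6 in the commit title matches the first merge listed in the message. One documentation point: the message lists every upstream commit but not which one motivated the bump (the iptables-persistent fix for Debian 8 / Ubuntu 14.10, the systemd daemon-reload for MODULES-1984, or the new TEE/TCPMSS/time features), and a one-line reason would help whoever later has to bisect a firewall regression back to this pin.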
6 changes: 0 additions & 6 deletions firewall/.travis.yml
Expand Up @@ -6,18 +6,12 @@ script: "bundle exec rake validate && bundle exec rake lint && bundle exec rake
matrix:
fast_finish: true
include:
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 3.4.0"
- rvm: 1.8.7
env: PUPPET_GEM_VERSION="~> 3.0"
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 3.0"
- rvm: 1.9.3
env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes"
- rvm: 2.1.5
env: PUPPET_GEM_VERSION="~> 3.0"
- rvm: 2.1.5
env: PUPPET_GEM_VERSION="~> 3.4.0"
- rvm: 2.1.5
env: PUPPET_GEM_VERSION="~> 3.0" FUTURE_PARSER="yes"
- rvm: 1.8.7
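Review bot: the diff is rendered without +/- markers, but the header (-6,18 +6,12) shows six matrix lines removed and none added, i.e. three Ruby/Puppet combinations dropped from CI. Dropping a combination is only safe once the module no longer claims to support it, and nothing visible in this commit updates the module's declared supported versions; either state in the commit message which combinations were intentionally retired, or keep them until the supported-version list is changed to match.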
8 changes: 4 additions & 4 deletions firewall/Gemfile
Expand Up @@ -18,20 +18,20 @@ group :development, :unit_tests do
gem 'json', :require => false
end

beaker_version = ENV['BEAKER_VERSION']
beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION']
group :system_tests do
if beaker_version
if beaker_version = ENV['BEAKER_VERSION']
gem 'beaker', *location_for(beaker_version)
end
if beaker_rspec_version
if beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION']
gem 'beaker-rspec', *location_for(beaker_rspec_version)
else
gem 'beaker-rspec', :require => false
end
gem 'serverspec', :require => false
end



if facterversion = ENV['FACTER_GEM_VERSION']
gem 'facter', facterversion, :require => false
else
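Review bot: `if beaker_version = ENV['BEAKER_VERSION']` (and the same for `beaker_rspec_version`) folds an assignment into the condition; it is valid Ruby and behaves the same as the two top-level assignments it replaces, but it reads like a mistyped `==` and RuboCop's Lint/AssignmentInCondition flags it unless the assignment is parenthesised: `if (beaker_version = ENV['BEAKER_VERSION'])`. The edit also leaves three consecutive blank lines after the `group :system_tests` block; trim them to one.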
60 changes: 57 additions & 3 deletions firewall/README.markdown
Expand Up @@ -292,6 +292,34 @@ firewall { '100 snat for network foo2':
}
```


You can also change the TCP MSS value for VPN client traffic:

```puppet
firewall { '110 TCPMSS for VPN clients':
chain => 'FORWARD',
table => 'mangle',
source => '10.0.2.0/24',
proto => tcp,
tcp_flags => 'SYN,RST SYN',
mss => '1361:1541',
set_mss => '1360',
jump => 'TCPMSS',
}
```

The following will mirror all traffic sent to the server to a secondary host on the LAN with the TEE target:

```puppet
firewall { '503 Mirror traffic to IDS':
proto => all,
jump => 'TEE',
gateway => '10.0.0.2',
chain => 'PREROUTING',
table => 'mangle',
}
```

The following example creates a new chain and forwards any port 5000 access to it.
```puppet
firewall { '100 forward to MY_CHAIN':
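Review bot: two caveats belong next to these new examples. The TEE rule uses `proto => all` in the mangle PREROUTING chain, so it clones every packet arriving at the host to 10.0.0.2 and doubles traffic on that segment; TEE only delivers the clone to a directly reachable host on the local network segment, so the `gateway` value must be a neighbour rather than a routed address, and the prose should say the destination is meant to be a passive sensor (the IDS in the rule name) that does not answer. The TCPMSS example is correct as written, because the TCPMSS target only accepts rules that match SYN and `tcp_flags => 'SYN,RST SYN'` does that; that requirement is worth stating in the text, since dropping the `tcp_flags` line yields an iptables error rather than a working rule.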
Expand Down Expand Up @@ -373,12 +401,12 @@ This type enables you to manage firewall rules within Puppet.

* `ip6tables`: Ip6tables type provider
* Required binaries: `ip6tables-save`, `ip6tables`.
* Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
* Supported features: `address_type`, `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.

* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
* Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
* Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `mss`, `netmap`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.

**Autorequires:**

Expand Down Expand Up @@ -434,6 +462,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `reject_type`: The ability to control reject messages.

* `set_mss`: Set the TCP MSS of a packet.

* `snat`: Source NATing.

* `socket`: The ability to match open sockets.
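Review bot: `set_mss` is added here as a provider feature, but the provider hunks in this same commit only declare `has_feature :mss` (in both ip6tables.rb and iptables.rb); no provider advertises `set_mss`, and the supported-features lists in the README hunk above likewise gain only `mss`. Either drop this entry (the `set_mss` parameter is already documented in the parameters section) or add `has_feature :set_mss` to both providers so the feature list matches what the code declares.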
Expand Down Expand Up @@ -467,6 +497,10 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `ctstate`: Matches a packet based on its state in the firewall stateful inspection table, using the conntrack module. Valid values are: 'INVALID', 'ESTABLISHED', 'NEW', 'RELATED'. Requires the `state_match` feature.

* `date_start`: Start Date/Time for the rule to match, which must be in ISO 8601 "T" notation. The possible time range is '1970-01-01T00:00:00' to '2038-01-19T04:17:07'

* `date_stop`: End Date/Time for the rule to match, which must be in ISO 8601 "T" notation. The possible time range is '1970-01-01T00:00:00' to '2038-01-19T04:17:07'

* `destination`: The destination address to match. For example: `destination => '192.168.1.0/24'`. You can also negate a mask by putting ! in front. For example: `destination => '! 192.168.2.0/24'`. The destination can also be an IPv6 address if your provider supports it.

For some firewall providers you can pass a range of ports in the format: 'start number-end number'. For example, '1-1024' would cover ports 1 to 1024.
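Review bot: `date_start` and `date_stop` should say the timestamps are evaluated in UTC unless `kernel_timezone` is set (the `kernel_timezone` entry later in this README says exactly that), otherwise a rule written in local time silently matches the wrong window. Both entries also lack the "Requires the ... feature" sentence the other parameters carry and a terminating period.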
Expand Down Expand Up @@ -497,6 +531,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `ensure`: Ensures that the resource is present. Valid values are 'present', 'absent'. The default is 'present'.

* `gateway`: Used with TEE target to mirror traffic of a machine to a secondary host on the LAN.

* `gid`: GID or Group owner matching rule. Accepts a string argument only, as iptables does not accept multiple gid in a single statement. Requires the `owner` feature.

* `hop_limit`: Hop limiting value for matched packets. Values must match '/^\d+$/'. Requires the `hop_limiting` feature.
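Review bot: the `gateway` description explains the purpose but not the expected value; it should state that the value is the IPv4 or IPv6 address of a host on the local network segment (TEE hands the clone directly to it) and that it is only meaningful together with `jump => 'TEE'`, as in the README example above. An example value in the style of the neighbouring entries (`gateway => '10.0.0.2'`) would make that concrete.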
Expand All @@ -519,12 +555,14 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `islastfrag`: If true, matches when the packet is the last fragment of a fragmented ipv6 packet. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `islastfrag`.

* `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK'.
* `jump`: The value for the iptables `--jump` parameter. Any valid chain name is allowed, but normal values are: 'QUEUE', 'RETURN', 'DNAT', 'SNAT', 'LOG', 'MASQUERADE', 'REDIRECT', 'MARK', 'TCPMSS'.

For the values 'ACCEPT', 'DROP', and 'REJECT', you must use the generic `action` parameter. This is to enforce the use of generic parameters where possible for maximum cross-platform modeling.

If you set both `accept` and `jump` parameters, you will get an error, because only one of the options should be set. Requires the `iptables` feature.

* `kernel_timezone`: Use the kernel timezone instead of UTC to determine whether a packet meets the time regulations.

* `limit`: Rate limiting value for matched packets. The format is: 'rate/[/second/|/minute|/hour|/day]'. Example values are: '50/sec', '40/min', '30/hour', '10/day'. Requires the `rate_limiting` feature.

* `line`: Read-only property for caching the rule line.
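Review bot: `jump` gains 'TCPMSS' in its list of normal values but not 'TEE', which this same commit also adds support for through `gateway`; add it for consistency. `kernel_timezone` is a boolean flag (the providers add it to their no-value list), so its entry should read "Valid values are 'true', 'false'" like `socket` and `islastfrag` do, and should say it applies to `date_start`/`date_stop` and `time_start`/`time_stop`.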
Expand All @@ -535,6 +573,12 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `mask`: Sets the mask to use when `recent` is enabled. Requires the `mask` feature.

* `month_days`: Only match on the given days of the month. Possible values are '1' to '31'. Note that specifying 31 will of course not match on months which do not have a 31st day; the same goes for 28- or 29-day February.

* `match_mark`: Match the Netfilter mark value associated with the packet. Accepts either of mark/mask or mark. These will be converted to hex if they are not already. Requires the `mark` feature.

* `mss`: Sets a given TCP MSS value or range to match.

* `name`: The canonical name of the rule. This name is also used for ordering, so make sure you prefix the rule with a number. For example:

```puppet
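Review bot: three small documentation points. `mss` is described as a value or range but the range syntax is not given; the README example above uses `mss => '1361:1541'`, so document the 'min:max' form here. `match_mark` quotes its accepted forms differently from `set_mark` ("mark/mask or mark" versus 'mark/mask' or 'mark'); align them. `month_days` takes a comma-separated list (iptables `--monthdays`), which the text does not say, and the new entries break the alphabetical order of this list (`match_mark` belongs before `month_days`).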
Expand Down Expand Up @@ -626,6 +670,8 @@ firewall { '101 blacklist strange traffic':

* `set_mark`: Set the Netfilter mark value associated with the packet. Accepts either 'mark/mask' or 'mark'. These will be converted to hex if they are not already. Requires the `mark` feature.

* `set_mss`: When combined with `jump => 'TCPMSS'` specifies the value of the MSS field.

* `socket`: If 'true', matches if an open socket can be found by doing a socket lookup on the packet. Valid values are 'true', 'false'. Requires the `socket` feature.

* `source`: The source address. For example: `source => '192.168.2.0/24'`. You can also negate a mask by putting ! in front. For example: `source => '! 192.168.2.0/24'`. The source can also be an IPv6 address if your provider supports it.
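Review bot: `set_mss` should state that the TCPMSS target only acts on TCP SYN packets and that iptables refuses a rule that does not match the SYN flag, so the parameter must be combined with `proto => tcp` and a SYN `tcp_flags` match as in the README example; it should also give the unit (bytes). Note that only an explicit value is exposed: the provider hunks map `set_mss` to `--set-mss` alone, and iptables' alternative `--clamp-mss-to-pmtu` is not covered by this commit.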
Expand Down Expand Up @@ -668,6 +714,12 @@ firewall { '101 blacklist strange traffic':

Note that you specify flags in the order that iptables `--list` rules would list them to avoid having Puppet think you changed the flags. For example, 'FIN,SYN,RST,ACK SYN' matches packets with the SYN bit set and the ACK, RST and FIN bits cleared. Such packets are used to request TCP connection initiation. Requires the `tcp_flags` feature.

* `time_contiguous`: When time_stop is smaller than time_start value, match this as a single time period instead distinct intervals.

* `time_start`: Start time for the rule to match. The possible time range is '00:00:00' to '23:59:59'. Leading zeroes are allowed (e.g. '06:03') and correctly interpreted as base-10.

* `time_stop`: End time for the rule to match. The possible time range is '00:00:00' to '23:59:59'. Leading zeroes are allowed (e.g. '06:03') and correctly interpreted as base-10.

* `todest`: When using `jump => 'DNAT'`, you can specify the new destination address using this parameter. Requires the `dnat` feature.

* `toports`: For DNAT this is the port that will replace the destination port. Requires the `dnat` feature.
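Review bot: the `time_contiguous` sentence has a grammar slip ("instead distinct intervals" should read "instead of distinct intervals") and, like `kernel_timezone`, it is a boolean that should document 'true'/'false'; the intended meaning is that a window such as 23:00 to 01:00 is matched as one span crossing midnight rather than as two separate intervals, and saying so is clearer than the current wording. `time_start`/`time_stop` should also mention the UTC default they share with `date_start`/`date_stop`.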
Expand All @@ -678,6 +730,8 @@ firewall { '101 blacklist strange traffic':

* `uid`: UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. Requires the `owner` feature.

* `week_days`: Only match on the given weekdays. Possible values are 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun'.

###Type: firewallchain

Enables you to manage rule chains for firewalls.
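Review bot: `week_days` takes a comma-separated list (iptables `--weekdays` also accepts 1 to 7 for Monday to Sunday); say so and give an example such as 'Mon,Tue,Wed', and add the "Requires the ... feature" sentence if the time match is meant to be gated like the other optional matches.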
26 changes: 21 additions & 5 deletions firewall/lib/puppet/provider/firewall/ip6tables.rb
Expand Up @@ -16,6 +16,7 @@
has_feature :log_level
has_feature :log_prefix
has_feature :mark
has_feature :mss
has_feature :tcp_flags
has_feature :pkttype
has_feature :ishasmorefrags
Expand Down Expand Up @@ -74,6 +75,7 @@ def self.iptables_save(*args)
:dport => ["-m multiport --dports", "--dport"],
:dst_range => '--dst-range',
:dst_type => "--dst-type",
:gateway => "--gateway",
:gid => "--gid-owner",
:hop_limit => "-m hl --hl-eq",
:icmp => "-m icmp6 --icmpv6-type",
Expand All @@ -89,8 +91,10 @@ def self.iptables_save(*args)
:log_level => "--log-level",
:log_prefix => "--log-prefix",
:mask => "--mask",
:match_mark => "-m mark --mark",
:name => "-m comment --comment",
:mac_source => ["-m mac --mac-source", "--mac-source"],
:mss => "-m tcpmss --mss",
:outiface => "-o",
:pkttype => "-m pkttype --pkt-type",
:port => '-m multiport --ports',
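Review bot: `:match_mark` and `:mss` are inserted out of the hash's alphabetical order (`:match_mark` lands before `:name` while `:mac_source` comes after it); keep the map sorted so the parallel copy in iptables.rb stays easy to diff. Both values embed their own `-m mark` / `-m tcpmss` module load, which is fine for generating rules, but the parsing side that strips `-m <module>` from iptables-save output must recognise `mark` and `tcpmss` too, otherwise an applied rule is not recognised on the next run and gets re-added.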
Expand All @@ -105,6 +109,7 @@ def self.iptables_save(*args)
:rsource => "--rsource",
:rttl => "--rttl",
:set_mark => mark_flag,
:set_mss => '--set-mss',
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
Expand All @@ -123,7 +128,15 @@ def self.iptables_save(*args)
:uid => "--uid-owner",
:physdev_in => "--physdev-in",
:physdev_out => "--physdev-out",
:physdev_is_bridged => "--physdev-is-bridged"
:physdev_is_bridged => "--physdev-is-bridged",
:date_start => "--datestart",
:date_stop => "--datestop",
:time_start => "--timestart",
:time_stop => "--timestop",
:month_days => "--monthdays",
:week_days => "--weekdays",
:time_contiguous => "--contiguous",
:kernel_timezone => "--kerneltz",
}
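Review bot: this block of eight time-match options is added verbatim to both ip6tables.rb and iptables.rb (same keys, same flags), as are the boolean-list and module-map additions that follow; since the two maps differ in only a handful of entries, consider hoisting the shared entries into a constant the two providers merge, so that the next option is not added to one copy and forgotten in the other.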

# These are known booleans that do not take a value, but we want to munge
Expand All @@ -138,7 +151,9 @@ def self.iptables_save(*args)
:reap,
:rttl,
:socket,
:physdev_is_bridged
:physdev_is_bridged,
:time_contiguous,
:kernel_timezone,
]

# Properties that use "-m <ipt module name>" (with the potential to have multiple
Expand All @@ -158,6 +173,7 @@ def self.iptables_save(*args)
:addrtype => [:src_type, :dst_type],
:iprange => [:src_range, :dst_range],
:owner => [:uid, :gid],
:time => [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
}

# Create property methods dynamically
Expand Down Expand Up @@ -199,8 +215,8 @@ def self.iptables_save(*args)
:tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
:dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject,
:set_mark, :connlimit_above, :connlimit_mask, :connmark]
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :todest,
:tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss,
:set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]

end
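Review bot: this list defines the order in which arguments are emitted, so placing `:gateway` immediately after `:jump` is correct (target options must follow `-j TEE`) and `:set_mss` likewise follows `:jump`; but the ordering differs from the iptables provider in this same commit (there `:set_mss` comes before `:todest` and `:mss` after `:match_mark`), which makes the two lists harder to keep in sync. Pick one order and use it in both providers.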
26 changes: 21 additions & 5 deletions firewall/lib/puppet/provider/firewall/iptables.rb
Expand Up @@ -21,6 +21,7 @@
has_feature :log_level
has_feature :log_prefix
has_feature :mark
has_feature :mss
has_feature :tcp_flags
has_feature :pkttype
has_feature :isfragment
Expand Down Expand Up @@ -60,6 +61,7 @@
:dport => ["-m multiport --dports", "--dport"],
:dst_range => "--dst-range",
:dst_type => "--dst-type",
:gateway => "--gateway",
:gid => "--gid-owner",
:icmp => "-m icmp --icmp-type",
:iniface => "-i",
Expand All @@ -73,6 +75,8 @@
:log_prefix => "--log-prefix",
:mac_source => ["-m mac --mac-source", "--mac-source"],
:mask => '--mask',
:match_mark => "-m mark --mark",
:mss => '-m tcpmss --mss',
:name => "-m comment --comment",
:outiface => "-o",
:pkttype => "-m pkttype --pkt-type",
Expand All @@ -89,6 +93,7 @@
:rsource => "--rsource",
:rttl => "--rttl",
:set_mark => mark_flag,
:set_mss => '--set-mss',
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
Expand All @@ -108,7 +113,15 @@
:uid => "--uid-owner",
:physdev_in => "--physdev-in",
:physdev_out => "--physdev-out",
:physdev_is_bridged => "--physdev-is-bridged"
:physdev_is_bridged => "--physdev-is-bridged",
:date_start => "--datestart",
:date_stop => "--datestop",
:time_start => "--timestart",
:time_stop => "--timestop",
:month_days => "--monthdays",
:week_days => "--weekdays",
:time_contiguous => "--contiguous",
:kernel_timezone => "--kerneltz",
}

# These are known booleans that do not take a value, but we want to munge
Expand All @@ -122,7 +135,9 @@
:rsource,
:rttl,
:socket,
:physdev_is_bridged
:physdev_is_bridged,
:time_contiguous,
:kernel_timezone,
]

# Properties that use "-m <ipt module name>" (with the potential to have multiple
Expand All @@ -142,6 +157,7 @@
:addrtype => [:src_type, :dst_type],
:iprange => [:src_range, :dst_range],
:owner => [:uid, :gid],
:time => [:time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
}

def self.munge_resource_map_from_existing_values(resource_map_original, compare)
Expand Down Expand Up @@ -224,9 +240,9 @@ def munge_resource_map_from_resource(resource_map_original, compare)
:src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
:src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
:tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark,
:connlimit_above, :connlimit_mask, :connmark
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :set_mss, :todest,
:tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :match_mark, :mss,
:connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone
]

def insert
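Review bot: the last line of this list now runs past 160 characters with the eight time-match symbols appended; wrap them onto their own line the way the rest of the list is laid out, and keep the order identical to the ip6tables provider's list in this same commit.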