Merge pull request #421 from nemski/bug/master/add_netmap
(MODULES-464) Add netmap feature
Morgan Haskel committed Dec 19, 2014
2 parents 46fca46 + f45fa3b commit dc3bd7f
Showing 5 changed files with 66 additions and 3 deletions.
6 changes: 5 additions & 1 deletion README.markdown
Expand Up @@ -344,7 +344,7 @@ This type enables you to manage firewall rules within Puppet.
* `iptables`: Iptables type provider
* Required binaries: `iptables-save`, `iptables`.
* Default for `kernel` == `linux`.
* Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
* Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.

**Autorequires:**

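Review bot: the features list on the `+` line is kept alphabetical up to `tcp_flags`, but `netmap` is appended at the end; put it between `mark` and `owner` so the list stays sorted and later diffs of this line stay readable.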
Expand Down Expand Up @@ -408,6 +408,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov

* `tcp_flags`: The ability to match on particular TCP flag settings.

* `netmap`: The ability to map entire subnets via source or destination nat rules.

#### Parameters

* `action`: This is the action to perform on a match. Valid values for this action are:
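Review bot: the `netmap` feature entry leaves out the two things a user needs before reaching for it: NETMAP is a static 1:1 mapping of one network onto another (the host part of the address is left unchanged, so the network given to `--to` is expected to be the same size as the matched source or destination network), and, like `snat`/`dnat`, it is only valid with `table => 'nat'`. "map entire subnets via source or destination nat rules" states neither. Suggested wording: "`netmap`: The ability to statically map one network onto another (1:1, host part preserved) with the NETMAP target; requires `table => 'nat'`."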
Expand Down Expand Up @@ -628,6 +630,8 @@ firewall { '101 blacklist strange traffic':

* `tosource`: When using `jump => 'SNAT'`, you can specify the new source address using this parameter. Requires the `snat` feature.

* `to`: When using `jump => 'NETMAP'`, you can specify a source or destination subnet to nat to. Requires the `netmap` feature`.

* `uid`: UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. Requires the `owner` feature.

###Type: firewallchain
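Review bot: stray trailing backtick in "Requires the `netmap` feature`." on the `to` line, and "nat to" should read "NAT to". The entry should also say what form the value takes and which address it rewrites, since that depends on the chain (the acceptance tests in this commit use PREROUTING to rewrite the destination and POSTROUTING to rewrite the source). Suggested: "* `to`: When using `jump => 'NETMAP'`, the network (`address[/mask]`) that the matched destination (PREROUTING/OUTPUT) or source (POSTROUTING) is mapped onto. Requires the `netmap` feature."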
4 changes: 3 additions & 1 deletion lib/puppet/provider/firewall/iptables.rb
Expand Up @@ -12,6 +12,7 @@
has_feature :recent_limiting
has_feature :snat
has_feature :dnat
has_feature :netmap
has_feature :interface_match
has_feature :icmp_match
has_feature :owner
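Review bot: only the iptables provider gains `has_feature :netmap`; `lib/puppet/provider/firewall/ip6tables.rb` is not among the five changed files, so `to` is unavailable to resources using the ip6tables provider even though ip6tables has a NETMAP target as well. Either add the feature (and the `:to` mapping) to the ip6tables provider with matching acceptance tests, or state in the README that `netmap` is IPv4 only.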
Expand Down Expand Up @@ -102,6 +103,7 @@
:todest => "--to-destination",
:toports => "--to-ports",
:tosource => "--to-source",
:to => "--to",
:uid => "-m owner --uid-owner",
}

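Review bot: `--to` is a prefix of the three flags directly above it (`--to-destination`, `--to-ports`, `--to-source`). If the iptables-save parser locates options by searching for these strings without anchoring on the whitespace that follows them, the new `:to` entry will match inside existing DNAT, SNAT and REDIRECT rules and misparse them. Please confirm the parser matches the whole token (`--to` followed by a space or end of rule), and add an acceptance case showing that a rule using `--to-destination` still round-trips unchanged with this change applied.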
Expand Down Expand Up @@ -156,7 +158,7 @@
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
:tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
:tosource, :toports, :to, :random, :log_prefix, :log_level, :reject, :set_mark,
:connlimit_above, :connlimit_mask, :connmark
]

7 changes: 7 additions & 0 deletions lib/puppet/type/firewall.rb
Expand Up @@ -34,6 +34,7 @@
feature :recent_limiting, "The netfilter recent module"
feature :snat, "Source NATing"
feature :dnat, "Destination NATing"
feature :netmap, "NET MAPping"
feature :interface_match, "Interface matching"
feature :icmp_match, "Matching ICMP types"
feature :owner, "Matching owners"
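Review bot: the feature description "NET MAPping" is out of register with its neighbours ("Source NATing", "Destination NATing"); these strings end up in the generated type documentation, so something like "Network address mapping (NETMAP target)" would read better.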
Expand Down Expand Up @@ -469,6 +470,12 @@ def should_to_s(value)
EOS
end

newproperty(:to, :required_features => :netmap) do
desc <<-EOS
For NETMAP this will replace the destination IP
EOS
end

newproperty(:random, :required_features => :dnat) do
desc <<-EOS
When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
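Review bot: the `desc` "For NETMAP this will replace the destination IP" is wrong for half of the cases this commit tests: in the POSTROUTING case ("Source netmap" in the acceptance spec) NETMAP rewrites the source address, not the destination. The description should say the value is the network (`address[/mask]`) that the matched destination (PREROUTING/OUTPUT) or source (POSTROUTING) is mapped onto, that the host part is preserved, and that the target is only valid in the `nat` table. The property also has no validation block; if `tosource`/`todest` validate their addresses, `to` should do the same, and if they do not, a CIDR value should at least be covered by the unit test so the documented "subnet" input is exercised.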
50 changes: 50 additions & 0 deletions spec/acceptance/firewall_spec.rb
Expand Up @@ -1681,4 +1681,54 @@ class { '::firewall': }
end
end

describe 'to' do
context 'Destination netmap 192.168.1.1' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '569 - test':
proto => tcp,
table => 'nat',
chain => 'PREROUTING',
jump => 'NETMAP',
source => '200.200.200.200',
to => '192.168.1.1',
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('iptables-save -t nat') do |r|
expect(r.stdout).to match(/-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "611 - test" -j NETMAP --to 192.168.1.1/)
end
end
end

context 'Source netmap 192.168.1.1' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '569 - test':
proto => tcp,
table => 'nat',
chain => 'POSTROUTING',
jump => 'NETMAP',
destination => '200.200.200.200',
to => '192.168.1.1',
}
EOS

apply_manifest(pp, :catch_failures => true)
end

it 'should contain the rule' do
shell('iptables-save -t nat') do |r|
expect(r.stdout).to match(/-A POSTROUTING -d 200.200.200.200(\/32)? -p tcp -m comment --comment "611 - test" -j NETMAP --to 192.168.1.1/)
end
end
end
end

end
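Review bot: both `should contain the rule` expectations cannot pass as written: the manifests declare the resource as `'569 - test'`, but the regexes in the `expect` lines look for `--comment "611 - test"`; the comment is derived from the resource title, so the two must agree (whichever number the surrounding tests leave free). Also escape the dots in the address patterns (`200\.200\.200\.200`, `192\.168\.1\.1`), since an unescaped `.` matches any character. Finally, both cases map a single /32 host, so the subnet mapping the README advertises is never exercised; add a case such as `source => '200.200.200.0/24'` with `to => '192.168.1.0/24'` and assert on `--to 192.168.1.0/24` so the mask handling is covered.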
2 changes: 1 addition & 1 deletion spec/unit/puppet/type/firewall_spec.rb
Expand Up @@ -219,7 +219,7 @@
end
end

[:tosource, :todest].each do |addr|
[:tosource, :todest, :to].each do |addr|
describe addr do
it "should accept #{addr} value as a string" do
@resource[addr] = '127.0.0.1'
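Review bot: folding `to` into the `tosource`/`todest` loop only checks that `'127.0.0.1'` is accepted as a string. Since `to` is documented as taking a subnet, add a case with a CIDR value such as `'192.168.1.0/24'` (and a negative case if the property is meant to reject anything else) so the unit test reflects the documented input.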
