From 2add7c56dce908644e936a76c48f34eeab20adcc Mon Sep 17 00:00:00 2001
From: "Joshua B. Bussdieker"
Date: Thu, 14 May 2015 16:29:28 -0700
Subject: [PATCH] Add support for clamp-mss-to-pmtu
---
 lib/puppet/provider/firewall/ip6tables.rb | 4 +-
 lib/puppet/provider/firewall/iptables.rb | 4 +-
 lib/puppet/type/firewall.rb | 12 ++++-
 spec/acceptance/firewall_mss_spec.rb | 53 ++++++++++++++++++++++-
 spec/fixtures/iptables/conversion_hash.rb | 23 ++++++++++
 5 files changed, 90 insertions(+), 6 deletions(-)
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 1e2f2ed09..2a05dcf69 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -67,6 +67,7 @@ def self.iptables_save(*args)
 @resource_map = {
 :burst => "--limit-burst",
 :checksum_fill => "--checksum-fill",
+ :clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
 :connlimit_above => "-m connlimit --connlimit-above",
 :connlimit_mask => "--connlimit-mask",
 :connmark => "-m connmark --mark",
@@ -143,6 +144,7 @@ def self.iptables_save(*args)
 # to true if they exist.
 @known_booleans = [
 :checksum_fill,
+ :clamp_mss_to_pmtu,
 :ishasmorefrags,
 :islastfrag,
 :isfirstfrag,
@@ -215,7 +217,7 @@ def self.iptables_save(*args)
 :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
-:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :todest,
+:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
 :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :reject, :set_mss, :mss, :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 7557ac71a..9c099fee7 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -53,6 +53,7 @@
 @resource_map = {
 :burst => "--limit-burst",
 :checksum_fill => "--checksum-fill",
+ :clamp_mss_to_pmtu => "--clamp-mss-to-pmtu",
 :connlimit_above => "-m connlimit --connlimit-above",
 :connlimit_mask => "--connlimit-mask",
 :connmark => "-m connmark --mark",
@@ -128,6 +129,7 @@
 # to true if they exist.
 @known_booleans = [
 :checksum_fill,
+ :clamp_mss_to_pmtu,
 :isfragment,
 :random,
 :rdest,
@@ -240,7 +242,7 @@ def munge_resource_map_from_resource(resource_map_original, compare)
 :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
-:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :gateway, :set_mss, :todest,
+:rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :set_mss, :todest,
 :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone ]
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 0994504cb..9af7d3eee 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -860,6 +860,14 @@ def insync?(is)
 end
 end
 
+ newproperty(:clamp_mss_to_pmtu, :required_features => :iptables) do
+ desc <<-EOS
+ Sets the clamp mss to pmtu flag.
+ EOS
+
+ newvalues(:true, :false)
+ end
+
 newproperty(:set_mss, :required_features => :iptables) do
 desc <<-EOS
 Sets the TCP MSS value for packets.
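Review bot: The `desc` of the new `clamp_mss_to_pmtu` property only restates its name, so a reader of the generated type reference will not learn that it is an option of the TCPMSS target, that it is the alternative to `set_mss`, or that it has no effect without `jump => 'TCPMSS'` and `proto => 'tcp'`. I would replace the heredoc body with `Sets the --clamp-mss-to-pmtu option of the TCPMSS target, which clamps the TCP MSS of matching SYN packets to the path MTU; use with jump => 'TCPMSS' and proto => 'tcp' as an alternative to set_mss.` Since `newvalues(:true, :false)` admits an explicit `false`, and the providers list the property in `@known_booleans` (whose comment says such flags are set to true only when present in the saved rule), it is worth confirming what `clamp_mss_to_pmtu => false` does on sync; a unit test for that value in the provider spec would settle it.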
@@ -1341,8 +1349,8 @@ def insync?(is)
 end
 
 if value(:jump).to_s == "TCPMSS"
- unless value(:set_mss)
- self.fail "When using jump => TCPMSS, the set_mss property is required"
+ unless value(:set_mss) || value(:clamp_mss_to_pmtu)
+ self.fail "When using jump => TCPMSS, the set_mss or clamp_mss_to_pmtu property is required"
 end
 end
 
diff --git a/spec/acceptance/firewall_mss_spec.rb b/spec/acceptance/firewall_mss_spec.rb
index 379801550..167c9586e 100644
--- a/spec/acceptance/firewall_mss_spec.rb
+++ b/spec/acceptance/firewall_mss_spec.rb
@@ -7,7 +7,7 @@
 shell('ip6tables --flush; ip6tables -t nat --flush; ip6tables -t mangle --flush')
 end
 
- describe 'set_mss' do
+ describe 'mss ipv4 tests' do
 context '1360' do
 it 'applies' do
 pp = <<-EOS
@@ -33,10 +33,34 @@ class { '::firewall': }
 end
 end
 end
+
+ context 'clamp_mss_to_pmtu' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '503 - clamp_mss_to_pmtu':
+ proto => 'tcp',
+ chain => 'FORWARD',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ clamp_mss_to_pmtu => true,
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
+ end
+ end
+ end
 end
 
 if default['platform'] !~ /el-5/
- describe 'set_mss6' do
+ describe 'mss ipv6 tests' do
 context '1360' do
 it 'applies' do
 pp = <<-EOS
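Review bot: `value(:clamp_mss_to_pmtu)` in the new `unless` condition is truthy for an explicit `clamp_mss_to_pmtu => false` as well as for `true`, because `newvalues(:true, :false)` stores the symbol `:false` (as I read Puppet's value munging) and only `nil`/`false` are falsy in Ruby, so `jump => 'TCPMSS'` with only `clamp_mss_to_pmtu => false` now passes this check and the missing-option error surfaces from the iptables call at apply time instead of at catalog validation. I would compare the string form: `unless value(:set_mss) || value(:clamp_mss_to_pmtu).to_s == 'true'`. The check also still accepts `set_mss` and `clamp_mss_to_pmtu` together, which the TCPMSS target rejects as far as I recall, so a second guard such as `self.fail "When using jump => TCPMSS, set_mss and clamp_mss_to_pmtu are mutually exclusive" if value(:set_mss) && value(:clamp_mss_to_pmtu).to_s == 'true'` would keep that failure at validation time too. The enclosing validate block starts outside the hunk.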
@@ -63,6 +87,31 @@ class { '::firewall': }
 end
 end
 end
+
+ context 'clamp_mss_to_pmtu' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall {
+ '503 - clamp_mss_to_pmtu':
+ proto => 'tcp',
+ chain => 'FORWARD',
+ tcp_flags => 'SYN,RST SYN',
+ jump => 'TCPMSS',
+ clamp_mss_to_pmtu => true,
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "503 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu/)
+ end
+ end
+ end
 end
 end
 
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 7ccaf48ea..ecd0887fc 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -554,6 +554,18 @@
 :action => 'reject',
 },
 },
+ 'clamp_mss_to_pmtu' => {
+ :line => '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "067 change max segment size" -j TCPMSS --clamp-mss-to-pmtu',
+ :table => 'filter',
+ :params => {
+ :name => '067 change max segment size',
+ :table => 'filter',
+ :proto => 'tcp',
+ :tcp_flags => 'SYN,RST SYN',
+ :jump => 'TCPMSS',
+ :clamp_mss_to_pmtu => true,
+ },
+ },
 }
 
 # This hash is for testing converting a hash to an argument line.
@@ -1069,4 +1081,15 @@
 },
 :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment", "066 REJECT connlimit_above 10 with mask 32 and mark matches", "-j", "REJECT", "-m", "mark", "--mark", "0x1", "-m", "connlimit", "--connlimit-above", "10", "--connlimit-mask", "32"],
 },
+ 'clamp_mss_to_pmtu' => {
+ :params => {
+ :name => '067 change max segment size',
+ :table => 'filter',
+ :proto => 'tcp',
+ :tcp_flags => 'SYN,RST SYN',
+ :jump => 'TCPMSS',
+ :clamp_mss_to_pmtu => true,
+ },
+ :args => ["-t", :filter, "-p", :tcp, "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-m", "comment", "--comment", "067 change max segment size", "-j", "TCPMSS", "--clamp-mss-to-pmtu"],
+ },
 }