diff --git a/centos_pkg_dirs b/centos_pkg_dirs
index b22e46b39..481769a7e 100644
--- a/centos_pkg_dirs
+++ b/centos_pkg_dirs
@@ -31,6 +31,7 @@ config/puppet-modules/puppet-create_resources
 config/puppet-modules/puppet-dnsmasq
 config/puppet-modules/puppet-drbd-0.3.1
 config/puppet-modules/puppet-filemapper
+config/puppet-modules/puppet-firewall-1.8.2
 config/puppet-modules/puppet-haproxy-1.5.0
 config/puppet-modules/puppet-ldap
 config/puppet-modules/puppet-lvm
diff --git a/centos_srpms_centos.lst b/centos_srpms_centos.lst
index a5c771d1c..b6d8ce0ab 100644
--- a/centos_srpms_centos.lst
+++ b/centos_srpms_centos.lst
@@ -18,6 +18,7 @@ openssh-7.4p1-21.el7.src.rpm
 parted-3.1-29.el7.src.rpm
 puppet-4.8.2-1.el7.src.rpm
 puppet-ceph-2.4.1-1.el7.src.rpm
+puppet-firewall-1.8.2-2.2f892e9git.el7.src.rpm
 puppet-haproxy-1.5.0-4.6ffcb07git.el7.src.rpm
 puppet-horizon-11.5.0-1.el7.src.rpm
 puppet-keystone-11.3.0-1.el7.src.rpm
diff --git a/config/puppet-modules/puppet-firewall-1.8.2/centos/build_srpm.data b/config/puppet-modules/puppet-firewall-1.8.2/centos/build_srpm.data
new file mode 100644
index 000000000..69abd61b8
--- /dev/null
+++ b/config/puppet-modules/puppet-firewall-1.8.2/centos/build_srpm.data
@@ -0,0 +1 @@
+TIS_PATCH_VER=PKG_GITREVCOUNT
diff --git a/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch b/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
new file mode 100644
index 000000000..02cf8ded2
--- /dev/null
+++ b/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch
@@ -0,0 +1,26 @@
+From cdaacdb829690f7ddfd73d9184b0ebbd24cf363c Mon Sep 17 00:00:00 2001
+From: Steven Webster
+Date: Fri, 29 Apr 2022 14:10:47 -0400
+Subject: [PATCH] Update package versioning for TIS format
+
+Signed-off-by: Steven Webster
+---
+ SPECS/puppet-firewall.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SPECS/puppet-firewall.spec b/SPECS/puppet-firewall.spec
+index 6d42163..f5925f1 100644
+--- a/SPECS/puppet-firewall.spec
++++ b/SPECS/puppet-firewall.spec
+@@ -8,7 +8,7 @@
+
+ Name: puppet-firewall
+Version: 1.8.2
+-Release: 2%{?alphatag}%{?dist}
++Release: 2.2f892e9git.el7%{?_tis_dist}.%{tis_patch_ver}
+Summary: Manages Firewalls such as iptables
+License: ASL 2.0
+
+--
+2.29.2
+
diff --git a/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0002-Add-support-for-random-fully-flag.patch b/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0002-Add-support-for-random-fully-flag.patch
new file mode 100644
index 000000000..7ab89faf7
--- /dev/null
+++ b/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0002-Add-support-for-random-fully-flag.patch
@@ -0,0 +1,33 @@
+From 5df5c090b1a87421f567cc2f79046ec4852f9597 Mon Sep 17 00:00:00 2001
+From: Steven Webster
+Date: Fri, 29 Apr 2022 14:57:50 -0400
+Subject: [PATCH] Add support for random fully flag
+
+Signed-off-by: Steven Webster
+---
+ SPECS/puppet-firewall.spec | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SPECS/puppet-firewall.spec b/SPECS/puppet-firewall.spec
+index f5925f1..87d0410 100644
+--- a/SPECS/puppet-firewall.spec
++++ b/SPECS/puppet-firewall.spec
+@@ -15,6 +15,7 @@ License: ASL 2.0
+ URL: http://github.com/puppetlabs/puppetlabs-firewall
+
+ Source0: https://github.com/puppetlabs/%{upstream_name}/archive/%{commit}.tar.gz#/%{upstream_name}-%{shortcommit}.tar.gz
++Patch0001: 0001-Add-support-for-random-fully-flag.patch
+
+ BuildArch: noarch
+
+@@ -25,6 +26,7 @@ Manages Firewalls such as iptables
+
+ %prep
+ %setup -q -n %{upstream_name}-%{upstream_version}
++%patch0001 -p1
+
+ find . -type f -name ".*" -exec rm {} +
+ find . -size 0 -exec rm {} +
+--
+2.29.2
+
diff --git a/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/PATCH_ORDER b/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/PATCH_ORDER
new file mode 100644
index 000000000..eee61027b
--- /dev/null
+++ b/config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/PATCH_ORDER
@@ -0,0 +1,2 @@
+0001-Update-package-versioning-for-TIS-format.patch
+0002-Add-support-for-random-fully-flag.patch
diff --git a/config/puppet-modules/puppet-firewall-1.8.2/centos/patches/0001-Add-support-for-random-fully-flag.patch b/config/puppet-modules/puppet-firewall-1.8.2/centos/patches/0001-Add-support-for-random-fully-flag.patch
new file mode 100644
index 000000000..732d74719
--- /dev/null
+++ b/config/puppet-modules/puppet-firewall-1.8.2/centos/patches/0001-Add-support-for-random-fully-flag.patch
@@ -0,0 +1,225 @@
+From e4db4b965cd00d295d2dac0802fef78d1d115c17 Mon Sep 17 00:00:00 2001
+From: Steven Webster
+Date: Mon, 2 May 2022 13:07:49 -0400
+Subject: [PATCH] Add support for random fully flag
+
+Enable puppet-firewall parsing of --random-fully rules
+
+A problem may occur if puppet attempts to inject a firewall rule
+while the underlying iptables/ip6tables has existing rules which
+use the --random-fully flag in the NAT table.
+
+The issue occurs because puppet-firewall first makes a call to
+iptables-save/ip6tables-save to parse the existing rules
+(to determine if the rule already exists). If it finds a rule
+with --random-fully, it will immediately bail out.
+
+The current version(s) of puppet-firewall in StarlingX are old
+enough that they don't have parsing logic for the --random-fully
+flag that was initially supported in iptables version 1.6.2+.
+
+Now that StarlingX uses iptables 1.8.4, we must account for the
+possibility that various components (ie. kubernetes) will make
+use of --random-fully rules.
+
+This feature has been implemented upstream in the following commits:
+
+https://github.com/puppetlabs/puppetlabs-firewall/commits/
+
+9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
+0ea2b74c0b4a451a37bae8c2ff105b72481ab485
+
+This commit ports back the above commits
+
+Signed-off-by: Steven Webster
+---
+ lib/puppet/provider/firewall/ip6tables.rb | 9 +++++-
+ lib/puppet/provider/firewall/iptables.rb | 12 +++++++-
+ lib/puppet/type/firewall.rb | 10 +++++++
+ spec/acceptance/firewall_spec.rb | 32 ++++++++++++++++++++++
+ spec/fixtures/ip6tables/conversion_hash.rb | 7 +++++
+ 5 files changed, 68 insertions(+), 2 deletions(-)
+
+diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
+index c8b3f64..cdb981a 100644
+--- a/lib/puppet/provider/firewall/ip6tables.rb
++++ b/lib/puppet/provider/firewall/ip6tables.rb
+@@ -49,6 +49,11 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+ mark_flag = '--set-xmark'
+ end
+
++ kernelversion = Facter.value('kernelversion')
++ if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++ (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0)
++ has_feature :random_fully
++ end
+
+ def initialize(*args)
+ ip6tables_version = Facter.value('ip6tables_version')
+@@ -109,6 +114,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+ :proto => "-p",
+ :queue_num => "--queue-num",
+ :queue_bypass => "--queue-bypass",
++ :random_fully => "--random-fully",
+ :rdest => "--rdest",
+ :reap => "--reap",
+ :recent => "-m recent",
+@@ -168,6 +174,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+ :islastfrag,
+ :isfirstfrag,
+ :log_uid,
++ :random_fully,
+ :rsource,
+ :rdest,
+ :reap,
+@@ -244,7 +251,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+ :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent,
:rseconds, :reap,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+ :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
+- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
++ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :random_fully, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+ :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+ :src_cc, :dst_cc, :name]
+
+diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
+index b05ba43..767bdc0 100644
+--- a/lib/puppet/provider/firewall/iptables.rb
++++ b/lib/puppet/provider/firewall/iptables.rb
+@@ -58,6 +58,12 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+ mark_flag = '--set-xmark'
+ end
+
++ kernelversion = Facter.value('kernelversion')
++ if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++ (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0)
++ has_feature :random_fully
++ end
++
+ @protocol = "IPv4"
+
+ @resource_map = {
+@@ -102,6 +108,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+ :proto => "-p",
+ :queue_num => "--queue-num",
+ :queue_bypass => "--queue-bypass",
++ :random_fully => "--random-fully",
+ :random => "--random",
+ :rdest => "--rdest",
+ :reap => "--reap",
+@@ -167,6 +174,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+ :clamp_mss_to_pmtu,
+ :isfragment,
+ :log_uid,
++ :random_fully,
+ :random,
+ :rdest,
+ :reap,
+@@ -288,7 +296,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+ :string_from,
:string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
+ :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
+ :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
+- :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
++ :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
+ :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+ :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+ :src_cc, :dst_cc, :name]
+@@ -418,6 +426,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+ # only replace those -f that are not followed by an l to
+ # distinguish between -f and the '-f' inside of --tcp-flags.
+ values = values.sub(/\s-f(?!l)(?=.*--comment)/, ' -f true')
++ elsif bool == :random
++ values = values.sub(/#{resource_map[bool]}(\s|$)(?!"!")/, "#{resource_map[bool]} true")
+ else
+ # append `true` to booleans that are not already negated (followed by "!")
+ values = values.sub(/#{resource_map[bool]}(?! "!")/, "#{resource_map[bool]} true")
+diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
+index 6deab2b..1637688 100644
+--- a/lib/puppet/type/firewall.rb
++++ b/lib/puppet/type/firewall.rb
+@@ -67,6 +67,7 @@ Puppet::Type.newtype(:firewall) do
+ feature :string_matching, "String matching features"
+ feature :queue_num, "Which NFQUEUE to send packets to"
+ feature :queue_bypass, "If nothing is listening on queue_num, allow packets to bypass the queue"
++ feature :random_fully, "The ability to use --random-fully flag"
+
+ # provider specific features
+ feature :iptables, "The provider provides iptables features."
+@@ -569,6 +570,15 @@ Puppet::Type.newtype(:firewall) do
+ EOS
+ end
+
++ newproperty(:random_fully, :required_features => :random_fully) do
++ desc <<-EOS
++ When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
++ this boolean will enable randomized port mapping.
++ EOS
++
++ newvalues(:true, :false)
++ end
++
+ newproperty(:random, :required_features => :dnat) do
+ desc <<-EOS
+ When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
+index 8eee85b..617ebe5 100644
+--- a/spec/acceptance/firewall_spec.rb
++++ b/spec/acceptance/firewall_spec.rb
+@@ -2416,5 +2416,37 @@ describe 'firewall basics', docker: true do
+ end
+ end
+
++ describe 'random-fully' do
++ supports_random_fully = if os[:family] == 'redhat' && os[:release].start_with?('8')
++ true
++ elsif os[:family] == 'debian' && os[:release].start_with?('10')
++ true
++ else
++ false
++ end
++
++ before(:all) do
++ pp = <<-EOS
++ firewall { '901 - set random-fully':
++ table => 'nat',
++ chain => 'POSTROUTING',
++ jump => 'MASQUERADE',
++ random_fully => true,
++ }
++ EOS
++ apply_manifest(pp, :catch_failures => true)
++ end
++
++ it 'adds random-fully rule', if: supports_random_fully do
++ shell('iptables-save') do |r|
++ expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE --random-fully})
++ end
++ end
++ it 'adds rule without random-fully', unless: supports_random_fully do
++ shell('iptables-save') do |r|
++ expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
++ end
++ end
++ end
+
+ end
+diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
+index 8174875..ad94ac4 100644
+--- a/spec/fixtures/ip6tables/conversion_hash.rb
++++ b/spec/fixtures/ip6tables/conversion_hash.rb
+@@ -33,6 +33,13 @@ ARGS_TO_HASH6 = {
+ :sport => ['547'],
+
:dport => ['546'], },
++ 'random-fully' => {
++ line: '-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully',
++ table: 'filter',
++ provider: 'ip6tables',
++ params: {
++ random_fully: 'true',
++ },
+ }
+ }
+
+--
+2.29.2
+
diff --git a/config/puppet-modules/puppet-firewall-1.8.2/centos/srpm_path b/config/puppet-modules/puppet-firewall-1.8.2/centos/srpm_path
new file mode 100644
index 000000000..929190fce
--- /dev/null
+++ b/config/puppet-modules/puppet-firewall-1.8.2/centos/srpm_path
@@ -0,0 +1 @@
+mirror:Source/puppet-firewall-1.8.2-2.2f892e9git.el7.src.rpm
diff --git a/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/meta_data.yaml b/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/meta_data.yaml
new file mode 100644
index 000000000..8b2153033
--- /dev/null
+++ b/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/meta_data.yaml
@@ -0,0 +1,11 @@
+---
+debname: puppet-module-puppetlabs-firewall
+debver: 1.12.0-1
+dl_path:
+ name: puppet-module-puppetlabs-firewall-1.12.0-1.tar.gz
+ url: https://salsa.debian.org/puppet-team/puppet-module-puppetlabs-firewall/-/archive/debian/1.12.0-1/puppet-module-puppetlabs-firewall-debian-1.12.0-1.tar.gz
+ md5sum: d54a6e017792ca19f6227cc61222c89b
+ sha256sum: 850d80d0dae673bf5c79e0968437ac37764f3d419502c37a8dcc4ace0f5ebd0a
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
diff --git a/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/0001-Add-support-for-random-fully-flag.patch b/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/0001-Add-support-for-random-fully-flag.patch
new file mode 100644
index 000000000..338946cb7
--- /dev/null
+++ b/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/0001-Add-support-for-random-fully-flag.patch
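Review bot: The `elsif bool == :random` branch added to lib/puppet/provider/firewall/iptables.rb in this patch consumes the separator it matches — `(\s|$)` is a capturing group, not a lookahead — and the replacement `"#{resource_map[bool]} true"` does not put the whitespace back, so a saved rule in which `--random` is followed by another option (for example `-j MASQUERADE --random --random-fully`, the very combination this patch now makes parseable) is rewritten to `--random true--random-fully true`, whereas the generic branch below it is zero-width (`(?! "!")`) and never had this problem. A zero-width guard keeps the protection against matching the prefix of `--random-fully` without eating the space: `values = values.sub(/#{resource_map[bool]}(?=\s|$)(?! "!")/, "#{resource_map[bool]} true")`. Whether iptables-save ever emits anything after `--random` in practice I cannot confirm from the hunk, so the impact may be limited to rules carrying both flags. The method containing this branch starts and ends outside the hunk.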
@@ -0,0 +1,228 @@
+From 7efc7fcf651772e2128a72b21305e86c27b9ecb2 Mon Sep 17 00:00:00 2001
+From: Steven Webster
+Date: Mon, 2 May 2022 13:36:50 -0400
+Subject: [PATCH] Add support for random fully flag
+
+Enable puppet-firewall parsing of --random-fully rules
+
+A problem may occur if puppet attempts to inject a firewall rule
+while the underlying iptables/ip6tables has existing rules which
+use the --random-fully flag in the NAT table.
+
+The issue occurs because puppet-firewall first makes a call to
+iptables-save/ip6tables-save to parse the existing rules
+(to determine if the rule already exists). If it finds a rule
+with --random-fully, it will immediately bail out.
+
+The current version(s) of puppet-firewall in StarlingX are old
+enough that they don't have parsing logic for the --random-fully
+flag that was initially supported in iptables version 1.6.2+.
+
+Now that StarlingX uses iptables 1.8.4, we must account for the
+possibility that various components (ie. kubernetes) will make
+use of --random-fully rules.
+
+This feature has been implemented upstream in the following commits:
+
+https://github.com/puppetlabs/puppetlabs-firewall/commits/
+
+9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
+0ea2b74c0b4a451a37bae8c2ff105b72481ab485
+
+This commit ports back the above commits
+
+Signed-off-by: Steven Webster
+---
+ lib/puppet/provider/firewall/ip6tables.rb | 10 ++++++-
+ lib/puppet/provider/firewall/iptables.rb | 12 +++++++-
+ lib/puppet/type/firewall.rb | 12 ++++++++
+ spec/acceptance/firewall_spec.rb | 33 ++++++++++++++++++++++
+ spec/fixtures/ip6tables/conversion_hash.rb | 7 +++++
+ 5 files changed, 72 insertions(+), 2 deletions(-)
+
+diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
+index d3c1b3c..7fce8bc 100644
+--- a/lib/puppet/provider/firewall/ip6tables.rb
++++ b/lib/puppet/provider/firewall/ip6tables.rb
+@@ -47,6 +47,12 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+ '--set-xmark'
+ end
+
++ kernelversion = Facter.value('kernelversion')
++ if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++ (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0)
++ has_feature :random_fully
++ end
++
+ def initialize(*args)
+ ip6tables_version = Facter.value('ip6tables_version')
+ raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d})
+@@ -103,6 +109,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+ proto: '-p',
+ queue_num: '--queue-num',
+ queue_bypass: '--queue-bypass',
++ random_fully: '--random-fully',
+ rdest: '--rdest',
+ reap: '--reap',
+ recent: '-m recent',
+@@ -174,6 +181,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+ :islastfrag,
+ :isfirstfrag,
+ :log_uid,
++ :random_fully,
+ :rsource,
+ :rdest,
+ :reap,
+@@ -253,7 +261,7 @@
Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+ :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+ :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
+- :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
++ :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :random_fully, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+ :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+ :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
+ :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
+diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
+index 00655ea..d86a5c6 100644
+--- a/lib/puppet/provider/firewall/iptables.rb
++++ b/lib/puppet/provider/firewall/iptables.rb
+@@ -56,6 +56,12 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+ '--set-xmark'
+ end
+
++ kernelversion = Facter.value('kernelversion')
++ if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++ (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0)
++ has_feature :random_fully
++ end
++
+ @protocol = 'IPv4'
+
+ @resource_map = {
+@@ -100,6 +106,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+ proto: '-p',
+ queue_num: '--queue-num',
+ queue_bypass: '--queue-bypass',
++ random_fully: '--random-fully',
+ random: '--random',
+ rdest: '--rdest',
+ reap: '--reap',
+@@ -176,6 +183,7 @@ Puppet::Type.type(:firewall).provide
:iptables, parent: Puppet::Provider::Firewa
+ :clamp_mss_to_pmtu,
+ :isfragment,
+ :log_uid,
++ :random_fully,
+ :random,
+ :rdest,
+ :reap,
+@@ -295,7 +303,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+ :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
+ :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
+ :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
+- :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
++ :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :to, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
+ :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+ :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+ :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
+@@ -428,6 +436,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+ # only replace those -f that are not followed by an l to
+ # distinguish between -f and the '-f' inside of --tcp-flags.
+ values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true')
++ elsif bool == :random
++ values.sub(%r{#{resource_map[bool]}(\s|$)(?!"!")}, "#{resource_map[bool]} true")
+ else
+ # append `true` to booleans that are not already negated (followed by "!")
+ values.sub(%r{#{resource_map[bool]}(?!
"!")}, "#{resource_map[bool]} true")
+diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
+index a859f28..fce2fba 100644
+--- a/lib/puppet/type/firewall.rb
++++ b/lib/puppet/type/firewall.rb
+@@ -68,6 +68,7 @@ Puppet::Type.newtype(:firewall) do
+ feature :queue_num, 'Which NFQUEUE to send packets to'
+ feature :queue_bypass, 'If nothing is listening on queue_num, allow packets to bypass the queue'
+ feature :hashlimit, 'Hashlimit features'
++ feature :random_fully, 'The ability to use --random-fully flag'
+
+ # provider specific features
+ feature :iptables, 'The provider provides iptables features.'
+@@ -581,6 +582,17 @@ Puppet::Type.newtype(:firewall) do
+ PUPPETCODE
+ end
+
++ newproperty(:random_fully, required_features: :random_fully) do
++ desc <<-PUPPETCODE
++ When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
++ this boolean will enable fully randomized port mapping.
++
++ **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
++ PUPPETCODE
++
++ newvalues(:true, :false)
++ end
++
+ newproperty(:random, required_features: :dnat) do
+ desc <<-PUPPETCODE
+ When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
+index f4c3d67..3198ba5 100644
+--- a/spec/acceptance/firewall_spec.rb
++++ b/spec/acceptance/firewall_spec.rb
+@@ -2317,4 +2317,37 @@ describe 'firewall basics', docker: true do
+ end
+ end
+ end
++
++ describe 'random-fully' do
++ supports_random_fully = if os[:family] == 'redhat' && os[:release].start_with?('8')
++ true
++ elsif os[:family] == 'debian' && os[:release].start_with?('10')
++ true
++ else
++ false
++ end
++
++ before(:all) do
++ pp = <<-PUPPETCODE
++ firewall { '901 - set random-fully':
++ table => 'nat',
++ chain => 'POSTROUTING',
++ jump => 'MASQUERADE',
++ random_fully => true,
++ }
++ PUPPETCODE
++ apply_manifest(pp, catch_failures: true)
++ end
++
++
++ it 'adds random-fully rule', if:
supports_random_fully do
++ shell('iptables-save') do |r|
++ expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE --random-fully})
++ end
++ end
++ it 'adds rule without random-fully', unless: supports_random_fully do
++ shell('iptables-save') do |r|
++ expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
++ end
++ end
+ end
+diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
+index 748dc8d..00f1018 100644
+--- a/spec/fixtures/ip6tables/conversion_hash.rb
++++ b/spec/fixtures/ip6tables/conversion_hash.rb
+@@ -33,6 +33,13 @@ ARGS_TO_HASH6 = {
+ sport: ['547'],
+ dport: ['546'],
+ },
++ 'random-fully' => {
++ line: '-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully',
++ table: 'filter',
++ provider: 'ip6tables',
++ params: {
++ random_fully: 'true',
++ },
+ },
+ }.freeze
+
+--
+2.17.1
+
diff --git a/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/series b/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/series
new file mode 100644
index 000000000..d80d48e4a
--- /dev/null
+++ b/config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/series
@@ -0,0 +1 @@
+0001-Add-support-for-random-fully-flag.patch
diff --git a/debian_pkg_dirs b/debian_pkg_dirs
index 120225dba..da4892ebc 100644
--- a/debian_pkg_dirs
+++ b/debian_pkg_dirs
@@ -23,6 +23,7 @@ config/puppet-modules/puppet-boolean-2.0.2
 config/puppet-modules/puppet-dnsmasq
 config/puppet-modules/puppet-drbd-0.5.2
 config/puppet-modules/puppet-etcd-1.12.3
+config/puppet-modules/puppetlabs-firewall-1.12.0
 config/puppet-modules/puppetlabs-haproxy-2.1.0
 config/puppet-modules/puppetlabs-postgresql-6.7.0
 config/puppet-modules/puppetlabs-stdlib-5.0.0
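Review bot: The `describe 'random-fully' do` block this patch adds to spec/acceptance/firewall_spec.rb is never closed: after the second `it` the hunk carries only two `++ end` lines (closing the `shell` block and the `it`), and the `+ end` that follows is the pre-existing context line that already closed `describe 'firewall basics'`, so the patched spec would not parse. The header `@@ -2317,4 +2317,37 @@` (4 context + 33 added) agrees with that count, and the CentOS copy of the same backport earlier in this change has three `++ end` lines at the same spot, which is what I would expect here. Inserting one more `end` after the second `it`'s closing `end` (and updating the hunk header to `+2317,38` plus the diffstat) fixes it; this would not surface in the package build if the acceptance specs are not run there, but I counted from a collapsed rendering, so please confirm against the patch file.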