Merge pull request #1059 from cmusik/main

add support for using rpfilter in rules

Author: jordanbreen28

lib/puppet/provider/firewall/iptables.rb

@@ -534,6 +534,17 @@ def self.rule_to_hash(line, table, counter)
         (\s--tunnel-src\s\S+)?
         (\s--next)?}x,
                         '--pol "ipsec\1\2\3\4\5\6\7\8" ')
+
+    # rpfilter also takes multiple parameters; use quote trick again
+    rpfilter_opts = values.scan(%r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+})
+    if rpfilter_opts && rpfilter_opts.length == 1 && rpfilter_opts[0]
+      rpfilter_opts = rpfilter_opts[0][1..-1].reject { |x| x.nil? }
+      values = values.sub(
+        %r{-m\srpfilter(\s(--loose)|\s(--validmark)|\s(--accept-local)|\s(--invert))+},
+        "-m rpfilter \"#{rpfilter_opts.join(' ')}\"",
+      )
+    end
+
     # on some iptables versions, --connlimit-saddr switch is added after the rule is applied
     values = values.gsub(%r{--connlimit-saddr}, '')
 
@@ -632,6 +643,8 @@ def self.rule_to_hash(line, table, counter)
       hash[prop] = hash[prop].split(';') unless hash[prop].nil?
     end
 
+    hash[:rpfilter] = hash[:rpfilter].split(' ') unless hash[:rpfilter].nil?
+
     ## clean up DSCP class to HEX mappings
     valid_dscp_classes = {
       '0x0a' => 'af11',
@@ -918,6 +931,8 @@ def general_args
         one, two = resource_value.split(' ')
         args << one
         args << two
+      elsif res == :rpfilter
+        args << resource_value
       elsif resource_value.is_a?(Array)
         args << resource_value.join(',')
       elsif !resource_value.nil?

lib/puppet/type/firewall.rb

@@ -1705,7 +1705,7 @@ def insync?(is)
     newvalues(:true, :false)
   end
 
-  newproperty(:rpfilter, required_features: :rpfilter) do
+  newproperty(:rpfilter, required_features: :rpfilter, array_matching: :all) do
     desc <<-PUPPETCODE
       Enable the rpfilter module.
     PUPPETCODE
@@ -1714,6 +1714,10 @@ def insync?(is)
     munge do |value|
       _value = '--' + value
     end
+
+    def insync?(is)
+      is.to_set == should.to_set
+    end
   end
 
   newproperty(:socket, required_features: :socket) do

spec/acceptance/firewall_attributes_happy_path_spec.rb

@@ -331,6 +331,12 @@ class { '::firewall': }
             physdev_is_bridged => true,
           }
           firewall { '900 - set rpfilter':
+            table    => 'raw',
+            chain    => 'PREROUTING',
+            action   => 'accept',
+            rpfilter => [ 'invert', 'validmark', 'loose', 'accept-local' ],
+          }
+          firewall { '901 - set rpfilter':
             table    => 'raw',
             chain    => 'PREROUTING',
             action   => 'accept',
@@ -421,6 +427,12 @@ class { '::firewall': }
     it 'toports is set' do
       expect(result.stdout).to match(%r{-A PREROUTING -p icmp -m comment --comment "574 - toports" -j REDIRECT --to-ports 2222})
     end
+    it 'rpfilter is set' do
+      expect(result.stdout).to match(%r{-A PREROUTING -p tcp -m rpfilter --loose --validmark --accept-local --invert -m comment --comment "900 - set rpfilter" -j ACCEPT})
+    end
+    it 'single rpfilter is set' do
+      expect(result.stdout).to match(%r{-A PREROUTING -p tcp -m rpfilter --invert -m comment --comment "901 - set rpfilter" -j ACCEPT})
+    end
     it 'limit is set' do
       expect(result.stdout).to match(%r{-A INPUT -p tcp -m multiport --dports 572 -m limit --limit 500\/sec -m comment --comment "572 - limit" -j ACCEPT})
     end