adding iptables string matching extension

Simon Humbert · Simon Humbert · commit 3655c6bd33d6 · 2016-05-03T17:18:50.000-04:00
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -31,6 +31,7 @@
   has_feature :mask
   has_feature :ipset
   has_feature :length
+  has_feature :string_matching
 
   optional_commands({
     :ip6tables      => 'ip6tables',
@@ -127,6 +128,10 @@ def self.iptables_save(*args)
     :stat_packet        => '--packet',
     :stat_probability   => '--probability',
     :state              => "-m state --state",
+    :string             => "-m string --string",
+    :string_algo        => "--algo",
+    :string_from        => "--from",
+    :string_to          => "--to",
     :table              => "-t",
     :tcp_flags          => "-m tcp --tcp-flags",
     :todest             => "--to-destination",
@@ -224,7 +229,8 @@ def self.iptables_save(*args)
     :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
     :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
     :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
-    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
+    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+    :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
     :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss,
     :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone]
 
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -35,6 +35,7 @@
   has_feature :ipset
   has_feature :clusterip
   has_feature :length
+  has_feature :string_matching
 
   optional_commands({
     :iptables => 'iptables',
@@ -113,6 +114,10 @@
     :stat_packet           => '--packet',
     :stat_probability      => '--probability',
     :state                 => "-m state --state",
+    :string                => "-m string --string",
+    :string_algo           => "--algo",
+    :string_from           => "--from",
+    :string_to             => "--to",
     :table                 => "-t",
     :tcp_flags             => "-m tcp --tcp-flags",
     :todest                => "--to-destination",
@@ -258,7 +263,8 @@ def munge_resource_map_from_resource(resource_map_original, compare)
     :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port,
     :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
     :state, :ctstate, :icmp, :limit, :burst, :length, :recent, :rseconds, :reap,
-    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :goto, :clusterip_new, :clusterip_hashmode,
+    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+    :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init,
     :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
     :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
@@ -60,6 +60,7 @@
   feature :ipset, "Match against specified ipset list"
   feature :clusterip, "Configure a simple cluster of nodes that share a certain IP and MAC address without an explicit load balancer in front of them."
   feature :length, "Match the length of layer-3 payload"
+  feature :string_matching, "String matching features"
 
   # provider specific features
   feature :iptables, "The provider provides iptables features."
@@ -1416,6 +1417,37 @@ def insync?(is)
     end
   end
 
+  newproperty(:string, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature. Matches the packet against the pattern
+      given as an argument.
+    EOS
+
+    munge do |value|
+       value = "'" + value + "'"
+    end
+  end
+
+  newproperty(:string_algo, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature, pattern matching strategy.
+    EOS
+
+    newvalues(:bm, :kmp)
+  end
+
+  newproperty(:string_from, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature, offset from which we start looking for any matching.
+    EOS
+  end
+
+  newproperty(:string_to, :required_features => :string_matching) do
+    desc <<-EOS
+      String matching feature, offset  up  to which we should scan.
+    EOS
+  end
+
 
   autorequire(:firewallchain) do
     reqs = []
