Support parsing and creating IPv6 TCP Option rules

greatflyingsteve · greatflyingsteve · commit 1d283f28ec1d · 2023-05-26T03:43:16.000-07:00
Provide the same support for rule parse and create for IPv6 as the
previous commit provided for IPv4
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -29,6 +29,7 @@
   has_feature :nflog_prefix
   has_feature :nflog_range
   has_feature :nflog_threshold
+  has_feature :tcp_option
   has_feature :tcp_flags
   has_feature :pkttype
   has_feature :ishasmorefrags
@@ -183,7 +184,8 @@ def self.iptables_save(*args)
     string_from: '--from',
     string_to: '--to',
     table: '-t',
-    tcp_flags: '-m tcp --tcp-flags',
+    tcp_option: '--tcp-option',
+    tcp_flags: '--tcp-flags',
     todest: '--to-destination',
     toports: '--to-ports',
     tosource: '--to-source',
@@ -312,7 +314,7 @@ def self.iptables_save(*args)
   @resource_list = [:table, :source, :destination, :iniface, :outiface, :physdev_in,
                     :physdev_out, :physdev_is_bridged, :physdev_is_in, :physdev_is_out,
                     :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
-                    :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
+                    :tcp_option, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type,
                     :dst_type, :socket, :pkttype, :ipsec_dir, :ipsec_policy, :state,
                     :ctstate, :ctproto, :ctorigsrc, :ctorigdst, :ctreplsrc, :ctrepldst,
                     :ctorigsrcport, :ctorigdstport, :ctreplsrcport, :ctrepldstport, :ctstatus, :ctexpire, :ctdir,
diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
@@ -49,7 +49,94 @@
     params: {
       random_fully: 'true',
     }
-  }
+  },
+  'tcp_flags_1' => {
+    line: '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
+    compare_all: true,
+    table: 'filter',
+    chain: 'INPUT',
+    proto: 'tcp',
+    params: {
+      name: '000 initiation',
+      tcp_flags: 'SYN,RST,ACK,FIN SYN',
+      proto: 'tcp',
+      chain: 'INPUT',
+      line: '-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN -m comment --comment "000 initiation"',
+      provider: 'ip6tables',
+      table: 'filter',
+      ensure: :present,
+    },
+  },
+  'tcp_option_1' => {
+    line: '-A INPUT -p tcp -m tcp --tcp-option 8 -m comment --comment "001 tcp_option works alone"',
+    compare_all: true,
+    table: 'filter',
+    chain: 'INPUT',
+    proto: 'tcp',
+    params: {
+      chain: 'INPUT',
+      ensure: :present,
+      line: '-A INPUT -p tcp -m tcp --tcp-option 8 -m comment --comment "001 tcp_option works alone"',
+      name: '001 tcp_option works alone',
+      proto: 'tcp',
+      provider: 'ip6tables',
+      table: 'filter',
+      tcp_option: '8',
+    },
+  },
+  'tcp_option_2' => {
+    line: '-A INPUT -p tcp -m tcp ! --tcp-option 8 -m comment --comment "002 tcp_option works alone, negated"',
+    compare_all: true,
+    table: 'filter',
+    chain: 'INPUT',
+    proto: 'tcp',
+    params: {
+      chain: 'INPUT',
+      ensure: :present,
+      line: '-A INPUT -p tcp -m tcp ! --tcp-option 8 -m comment --comment "002 tcp_option works alone, negated"',
+      name: '002 tcp_option works alone, negated',
+      proto: 'tcp',
+      provider: 'ip6tables',
+      table: 'filter',
+      tcp_option: '! 8',
+    },
+  },
+  'tcp_option_with_tcp_flags_1' => {
+    line: '-A INPUT -p tcp -m tcp --tcp-option 8 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "000 initiation"',
+    table: 'filter',
+    compare_all: true,
+    chain: 'INPUT',
+    proto: 'tcp',
+    params: {
+      chain: 'INPUT',
+      ensure: :present,
+      line: '-A INPUT -p tcp -m tcp --tcp-option 8 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "000 initiation"',
+      name: '000 initiation',
+      proto: 'tcp',
+      provider: 'ip6tables',
+      table: 'filter',
+      tcp_flags: 'FIN,SYN,RST,ACK SYN',
+      tcp_option: '8',
+    },
+  },
+  'tcp_option_with_tcp_flags_2' => {
+    line: '-A INPUT -p tcp -m tcp ! --tcp-option 8 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "000 initiation"',
+    table: 'filter',
+    compare_all: true,
+    chain: 'INPUT',
+    proto: 'tcp',
+    params: {
+      chain: 'INPUT',
+      ensure: :present,
+      line: '-A INPUT -p tcp -m tcp ! --tcp-option 8 --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "000 initiation"',
+      name: '000 initiation',
+      proto: 'tcp',
+      provider: 'ip6tables',
+      table: 'filter',
+      tcp_flags: 'FIN,SYN,RST,ACK SYN',
+      tcp_option: '! 8',
+    },
+  },
 }.freeze
 
 # This hash is for testing converting a hash to an argument line.
@@ -141,4 +228,55 @@
     },
     args: ['-t', :filter, '-p', :tcp, '-j', 'NFLOG', '--nflog-group', 1, '--nflog-prefix', 'myprefix', '-m', 'comment', '--comment', '100 nflog'],
   },
+  'tcp_flags_1' => {
+    params: {
+      name: '000 initiation',
+      tcp_flags: 'SYN,RST,ACK,FIN SYN',
+      table: 'filter',
+    },
+
+    args: ['-t', :filter, '-p', :tcp, '-m', 'tcp', '--tcp-flags', 'SYN,RST,ACK,FIN', 'SYN', '-m', 'comment', '--comment', '000 initiation'],
+  },
+  'tcp_option_1' => {
+    params: {
+      name: '000 initiation',
+      table: 'filter',
+      chain: 'INPUT',
+      proto: 'tcp',
+      tcp_option: '8',
+    },
+    args: ['-t', :filter, '-p', :tcp, '-m', 'tcp', '--tcp-option', '8', '-m', 'comment', '--comment', '000 initiation'],
+  },
+  'tcp_option_2' => {
+    params: {
+      name: '000 initiation',
+      table: 'filter',
+      chain: 'INPUT',
+      proto: 'tcp',
+      tcp_option: '! 8',
+    },
+    args: ['-t', :filter, '-p', :tcp, '-m', 'tcp', '!', '--tcp-option', '8', '-m', 'comment', '--comment', '000 initiation'],
+  },
+  'tcp_option_with_tcp_flags_1' => {
+    params: {
+      name: '000 initiation',
+      table: 'filter',
+      chain: 'INPUT',
+      proto: 'tcp',
+      tcp_flags: 'FIN,SYN,RST,ACK SYN',
+      tcp_option: '8',
+    },
+    args: ['-t', :filter, '-p', :tcp, '-m', 'tcp', '--tcp-option', '8', '--tcp-flags', 'FIN,SYN,RST,ACK', 'SYN', '-m', 'comment', '--comment', '000 initiation'],
+  },
+  'tcp_option_with_tcp_flags_2' => {
+    params: {
+      name: '000 initiation',
+      table: 'filter',
+      chain: 'INPUT',
+      proto: 'tcp',
+      tcp_flags: 'FIN,SYN,RST,ACK SYN',
+      tcp_option: '! 8',
+    },
+    args: ['-t', :filter, '-p', :tcp, '-m', 'tcp', '!', '--tcp-option', '8', '--tcp-flags', 'FIN,SYN,RST,ACK', 'SYN', '-m', 'comment', '--comment', '000 initiation'],
+  },
 }.freeze
