Merge pull request #916 from akerl-unpriv/feature/cgroup-support

Add support for cgroup arg

REFERENCE.md

@@ -1316,6 +1316,10 @@ Assign this packet to zone id and only have lookups done in that zone.
 
 Invoke the nf_conntrack_xxx helper module for this packet.
 
+##### `cgroup`
+
+Matches against the net_cls cgroup ID of the packet.
+
 #### Parameters
 
 The following parameters are available in the `firewall` type.

lib/puppet/provider/firewall/iptables.rb

@@ -202,6 +202,7 @@
     ipvs: '-m ipvs --ipvs',
     zone: '--zone',
     helper: '--helper',
+    cgroup: '-m cgroup --cgroup',
   }
 
   # These are known booleans that do not take a value, but we want to munge
@@ -344,7 +345,8 @@ def munge_resource_map_from_resource(resource_map_original, compare)
     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
-    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name
+    :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup,
+    :rpfilter, :name
   ]
 
   def insert

lib/puppet/type/firewall.rb

@@ -2234,6 +2234,12 @@ def should_to_s(value)
     PUPPETCODE
   end
 
+  newproperty(:cgroup) do
+    desc <<-PUPPETCODE
+      Matches against the net_cls cgroup ID of the packet.
+    PUPPETCODE
+  end
+
   autorequire(:firewallchain) do
     reqs = []
     protocol = nil

spec/fixtures/iptables/conversion_hash.rb

@@ -763,6 +763,13 @@
     produce_warning: true,
     params: {},
   },
+  'cgroup_matching_1' => {
+    line: '-A INPUT -m cgroup --cgroup "0x100001"',
+    table: 'filter',
+    params: {
+      cgroup: '0x100001',
+    },
+  },
 }.freeze
 
 # This hash is for testing converting a hash to an argument line.