From c97f04e65febde4fba9663ff641e98ae384eecc9 Mon Sep 17 00:00:00 2001
From: Les Aker
Date: Mon, 4 May 2020 15:47:14 -0400
Subject: [PATCH] add cgroup support

---
 REFERENCE.md | 4 ++++
 lib/puppet/provider/firewall/iptables.rb | 4 +++-
 lib/puppet/type/firewall.rb | 6 ++++++
 spec/fixtures/iptables/conversion_hash.rb | 7 +++++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/REFERENCE.md b/REFERENCE.md
index d0eb3908d..b5fd806d0 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -1316,6 +1316,10 @@ Assign this packet to zone id and only have lookups done in that zone.
 
 Invoke the nf_conntrack_xxx helper module for this packet.
 
+##### `cgroup`
+
+Matches against the net_cls cgroup ID of the packet.
+
 #### Parameters
 
 The following parameters are available in the `firewall` type.
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index c0afbcb78..b4c369cb4 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -196,6 +196,7 @@
 ipvs: '-m ipvs --ipvs',
 zone: '--zone',
 helper: '--helper',
+ cgroup: '-m cgroup --cgroup',
 }
 
 # These are known booleans that do not take a value, but we want to munge
@@ -335,7 +336,8 @@ def munge_resource_map_from_resource(resource_map_original, compare)
 :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :rpfilter, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :zone, :helper, :cgroup,
+ :rpfilter, :name
 ]
 
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index a3eef4818..98eb18517 100644
--- a/lib/puppet/type/firewall.rb
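Review bot: The new `cgroup: '-m cgroup --cgroup'` resource_map entry lets the provider emit the match, but nothing normalizes the value that `iptables-save` reports before it is compared with the manifest value, so if the kernel and iptables render the classid in a different form than the user wrote (the fixture added in spec/fixtures/iptables/conversion_hash.rb assumes a quoted hex string, `--cgroup "0x100001"`), the resource would show as out of sync and be re-applied on every agent run. Rule churn like that on a host firewall is worth avoiding, so the fixture line should be confirmed against output captured from a real `iptables-save` rather than written by hand, and a `munge` on the type or a normalization step in `munge_resource_map_from_resource` added if the two forms differ. The resource_map hash this entry belongs to starts outside the hunk.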
+++ b/lib/puppet/type/firewall.rb
@@ -2196,6 +2196,12 @@ def should_to_s(value)
 PUPPETCODE
 end
 
+ newproperty(:cgroup) do
+ desc <<-PUPPETCODE
+ Matches against the net_cls cgroup ID of the packet.
+ PUPPETCODE
+ end
+
 autorequire(:firewallchain) do
 reqs = []
 protocol = nil
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 5eea78d17..937d13eeb 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -763,6 +763,13 @@
 produce_warning: true,
 params: {},
 },
+ 'cgroup_matching_1' => {
+ line: '-A INPUT -m cgroup --cgroup "0x100001"',
+ table: 'filter',
+ params: {
+ cgroup: '0x100001',
+ },
+ },
 }.freeze
 
 # This hash is for testing converting a hash to an argument line.
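Review bot: `newproperty(:cgroup)` declares only a `desc`, so any string is accepted and a malformed classid is rejected only when `iptables` runs on the agent, after the catalog has already been accepted; the desc also does not say which form the ID must take (the fixture uses a hex classid, `0x100001`). If the classid is always numeric, a `validate do |value| raise ArgumentError, 'cgroup must be a numeric classid' unless value.to_s.match?(/\A(0x\h+|\d+)\z/) end` block plus a sentence in the desc naming that form would catch typos at compile time instead. iptables' cgroup match also has a path-based `--path` form; if only the classid form is intended here, the desc should say so. The enclosing type definition begins and ends outside the hunk.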