diff --git a/REFERENCE.md b/REFERENCE.md index a350538b..d833e3da 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1267,13 +1267,15 @@ Data type: `Optional[Enum['set', 'update', 'rcheck', 'remove', '! set', '! updat Data type: `Optional[Enum['icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited', 'icmp6-no-route', 'no-route', - 'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable']]` + 'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable', + 'tcp-reset']]` When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender. Valid values differ depending on if the protocol is `IPv4` or `IPv6`. IPv4 allows: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, - icmp-host-prohibited, or icmp-admin-prohibited. - IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, or icmp6-port-unreachable. + icmp-host-prohibited, icmp-admin-prohibited, or tcp-reset. + IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, + icmp6-port-unreachable, or tcp-reset. ##### `rhitcount` diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index 066db2f0..15126da8 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb 
@@ -1261,13 +1261,15 @@ reject: { type: "Optional[Enum['icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable', 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited', 'icmp6-no-route', 'no-route', - 'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable']]", + 'icmp6-adm-prohibited', 'adm-prohibited', 'icmp6-addr-unreachable', 'addr-unreach', 'icmp6-port-unreachable', + 'tcp-reset']]", desc: <<-DESC When combined with jump => "REJECT" you can specify a different icmp response to be sent back to the packet sender. Valid values differ depending on if the protocol is `IPv4` or `IPv6`. IPv4 allows: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, - icmp-host-prohibited, or icmp-admin-prohibited. - IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, or icmp6-port-unreachable. + icmp-host-prohibited, icmp-admin-prohibited, or tcp-reset. + IPv6 allows: icmp6-no-route, no-route, icmp6-adm-prohibited, adm-prohibited, icmp6-addr-unreachable, addr-unreach, + icmp6-port-unreachable, or tcp-reset. DESC }, set_mark: { diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb index 43e5ca29..f0fbc4d1 100644 --- a/spec/acceptance/firewall_attributes_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb @@ -239,6 +239,12 @@ class { '::firewall': } chain => 'FORWARD', table => 'mangle', } + firewall { '605 - reject with tcp-reset': + proto => tcp, + jump => reject, + reject => 'tcp-reset', + } + firewall { '700 - blah-A Test Rule': jump => 'LOG', log_prefix => 'FW-A-INPUT: ', 
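Review bot: The new `'tcp-reset'` enum value is accepted for any protocol, but iptables' REJECT target only accepts `--reject-with tcp-reset` on rules that match TCP, and the `desc` heredoc does not say so; the acceptance manifests in this commit all pair it with `proto => tcp`, which is consistent with that restriction. The opening sentence of the heredoc also still calls the value "a different icmp response", which is no longer accurate now that a TCP RST is one of the options. I would add a line to the heredoc after the IPv6 list, `tcp-reset can only be used on rules matching proto => 'tcp' (iptables rejects the rule otherwise), and sends a TCP RST rather than an ICMP message.`, and, if the type has a cross-attribute validation step (not visible in this hunk), reject that combination there so it fails at catalog compile rather than at apply time. The `reject:` attribute hash opens in the hunk header context, so its first line is outside the hunk.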
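Review bot: The new `'605 - reject with tcp-reset'` resource writes `proto => tcp` and `jump => reject` as unquoted lowercase barewords, while the neighbouring resources quote their values (`chain => 'FORWARD'`, `jump => 'LOG'`); the `'621 - reject with tcp-reset'` resource in the ip6tables spec hunk has the same shape. The matching expectation in this file checks for `-j REJECT`, so the type presumably normalises the case of `jump`, but that is inferred rather than visible here, and a reader of the manifest has to know it. I would write `proto => 'tcp',` and `jump => 'REJECT',` in both resources so the manifest states the target name the test asserts on. The enclosing manifest heredoc starts before this hunk.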
@@ -477,6 +483,10 @@ class { '::firewall': } expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1541 -m comment --comment "604 - set_mss" -j TCPMSS --set-mss 1360}) end + it 'tcp-reset is set' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m comment --comment "605 - reject with tcp-reset" -j REJECT --reject-with tcp-reset}) + end + it 'clamp_mss_to_pmtu is set' do expect(result.stdout).to match(%r{-A FORWARD -p (tcp|6) -m tcp --tcp-flags SYN,RST SYN -m comment --comment "601 - clamp_mss_to_pmtu" -j TCPMSS --clamp-mss-to-pmtu}) end diff --git a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb index 30c7523e..c60bc396 100644 --- a/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_ipv6_happy_path_spec.rb @@ -217,6 +217,12 @@ class { '::firewall': } src_type => ['LOCAL', '! LOCAL'], protocol => 'ip6tables', } + firewall { '621 - reject with tcp-reset': + proto => tcp, + jump => reject, + reject => 'tcp-reset', + protocol => 'ip6tables', + } firewall { '801 - ipt_modules tests': proto => tcp, dport => '8080', 
@@ -396,6 +402,10 @@ class { '::firewall': } expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m addrtype --src-type LOCAL -m addrtype ! --src-type LOCAL -m comment --comment "620 - src_type multiple values" -j ACCEPT}) end + it 'tcp-reset is set' do + expect(result.stdout).to match(%r{-A INPUT -p (tcp|6) -m comment --comment "621 - reject with tcp-reset" -j REJECT --reject-with tcp-reset}) + end + it 'all the modules with multiple args is set' do expect(result.stdout).to match(%r{-A OUTPUT -p (tcp|6) -m physdev\s+--physdev-in eth0 --physdev-out eth1 --physdev-is-bridged -m iprange --src-range 2001::-2002::\s+--dst-range 2003::-2004:: -m owner --uid-owner (0|root) --gid-owner 404 -m tcp --dport 8080 -m addrtype --src-type LOCAL -m addrtype --dst-type UNICAST -m comment --comment "801 - ipt_modules tests" -j REJECT --reject-with icmp6-port-unreachable}) # rubocop:disable Layout/LineLength end