From 62ca8d2a80a9399b3aeeb8a187b6cdf287041c46 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sun, 18 May 2014 16:29:16 -0300 Subject: [PATCH 1/7] Update to new Debian's init script name --- manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index beb8181..5ad15c0 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -58,7 +58,7 @@ } $service = $::operatingsystem ? { - /(?i:Debian|Ubuntu|Mint)/ => 'iptables-persistent', + /(?i:Debian|Ubuntu|Mint)/ => 'netfilters-persistent', default => 'iptables', } From ebc5c028003e72a3a7ea026d5315209dccd0585e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sun, 18 May 2014 16:35:35 -0300 Subject: [PATCH 2/7] Typo --- manifests/params.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/params.pp b/manifests/params.pp index 5ad15c0..03e458e 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -58,7 +58,7 @@ } $service = $::operatingsystem ? { - /(?i:Debian|Ubuntu|Mint)/ => 'netfilters-persistent', + /(?i:Debian|Ubuntu|Mint)/ => 'netfilter-persistent', default => 'iptables', } From 8eb9e9fa8eb9d5f0cdf843f5c69e160507c85c53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 28 Feb 2015 13:03:13 -0300 Subject: [PATCH 3/7] Add multiport support --- manifests/rule.pp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index 0bb16b5..50b635e 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -84,8 +84,9 @@ } $true_port = $port ? { - '' => '', - default => "--dport ${port}", + '' => '', + (?i:\w*[,:]\w*) => "--match multiport --dports ${port}", + default => "--dport ${port}", } $true_in_interface = $in_interface ? { From c45c4ba88ff4e571bce9bf724733b4ad64ed25d9 Mon Sep 17 00:00:00 2001 
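Review bot: The selector in this hunk picks the service name purely from `$::operatingsystem`, so every Debian, Ubuntu and Mint host now gets `netfilter-persistent`, but that unit only exists where the iptables-persistent package is recent enough to ship it (Debian 8 / Ubuntu 14.10 onward, as far as I recall); on older releases the `service` resource fails and the saved rule set is not loaded at boot, leaving the host without its firewall after a reboot. Gate the name on the release rather than the distribution, e.g. nest a selector on `$::operatingsystemmajrelease` (or `$::lsbdistcodename`) under the Debian/Ubuntu/Mint key that maps the old releases to `'iptables-persistent'` and everything newer to `'netfilter-persistent'`. A short comment above the selector naming the release that introduced the rename would also save the next reader a trip to the package changelog.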
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 28 Feb 2015 13:47:34 -0300 Subject: [PATCH 4/7] Add multiport support to rules --- manifests/rule.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index 50b635e..8a0fb8e 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -84,9 +84,9 @@ } $true_port = $port ? { - '' => '', - (?i:\w*[,:]\w*) => "--match multiport --dports ${port}", - default => "--dport ${port}", + '' => '', + /(?i:\w*[,:]\w*)/ => "--match multiport --dports ${port}", + default => "--dport ${port}", } $true_in_interface = $in_interface ? { From 0d2b93867c52115b8037e8fe71e33120c13b27fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 28 Feb 2015 14:36:58 -0300 Subject: [PATCH 5/7] Add syn match support for TCP --- manifests/rule.pp | 11 +++++++++++ templates/concat/rule.erb | 6 +++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index 8a0fb8e..a069801 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -6,6 +6,8 @@ # $table - The iptables table to work on (default filter) # $chain - The iptables chain to work on (default INPUT). # Write it UPPERCASE coherently with iptables syntax +# $syn - Add tcp/syn match mark +# Defaults to true if rule matches TCP # $in_interface - The inbound interface for the rule # $out_interface - The outbound interface for the rule # $target - The iptables target for the rule (default ACCEPT) @@ -49,6 +51,7 @@ $port = '', $order = '', $rule = '', + $syn = true, $enable = true, $enable_v6 = false, $debug = false ) { @@ -83,6 +86,14 @@ default => "-p ${protocol}", } + if $protocol == 'tcp' { + $bool_syn = any2bool($syn) + $match_syn = $bool_syn? { + true => '--syn', + default => '', + } + } + $true_port = $port ? { '' => '', /(?i:\w*[,:]\w*)/ => "--match multiport --dports ${port}", 
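Review bot: The new multiport key `/(?i:\w*[,:]\w*)/` is unanchored and both `\w*` may match nothing, so values such as `,`, `22,` or `22,,80` select the multiport branch and produce `--dports 22,`, which iptables rejects when the rule file is loaded; because `$port` is interpolated into the rule line with no other validation, one bad value in data likely takes the whole rule set down on restore rather than just this rule. Anchor the key and require at least two non-empty tokens, `/^\w+([,:]\w+)+$/ => "--match multiport --dports ${port}",` (the `(?i:...)` is redundant with `\w`), and consider a `validate_re` on `$port` earlier in the define. Multiport also accepts at most 15 ports (a range counts as two), which is worth stating in the `$port` parameter doc since nothing here enforces it. The `$port` documentation and the enclosing define start outside the hunk.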
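Review bot: The new `$syn` doc says "Add tcp/syn match mark" without saying what that means for the rule, which matters because `--syn` restricts the match to packets that open a connection and therefore changes what a DROP or REJECT rule blocks. I would expand it to: `# $syn - When the protocol is tcp, add --syn so the rule matches only connection-initiating packets (SYN set, ACK/RST/FIN clear). ACCEPT rules then rely on a separate ESTABLISHED,RELATED rule for return traffic, and DROP/REJECT rules no longer touch established flows. Defaults to true.` The parameter list continues outside the hunk.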
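Review bot: `$syn = true` as the default silently changes every existing tcp rule built with this define, not just new ones: a `target => 'DROP'` rule that used to block all traffic on a port now matches only SYN packets, so an already-established connection keeps flowing after the rule is applied, and an ACCEPT rule now depends on an ESTABLISHED,RELATED rule existing earlier in the chain (whether the module's header template provides one is not visible here). Making it opt-in, `$syn = false,`, keeps the upgrade behaviour-preserving; if the intent really is to default to `--syn`, call it out in the changelog and README. The define's parameter list starts before this hunk.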
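Review bot: `$match_syn` is only assigned inside `if $protocol == 'tcp'`, yet the rule template reads it for every protocol (the erb hunk in this series adds `scope.lookupvar('match_syn')` to all three rule lines), so udp/icmp/all rules look up an unset variable unless it is initialised somewhere outside this hunk; depending on the Puppet version `lookupvar` then yields nil or `:undefined`, and the latter renders a literal `undefined` token into the rule line and breaks the rule load. Give the variable a value on every path, e.g. close the block with `} else {` / `  $match_syn = ''` / `}`, or fold it into one selector keyed on `$protocol`. The `$true_port` selector this hunk ends in continues outside the hunk.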
diff --git a/templates/concat/rule.erb b/templates/concat/rule.erb index 3178531..7308adb 100644 --- a/templates/concat/rule.erb +++ b/templates/concat/rule.erb @@ -10,13 +10,13 @@ <% scope.lookupvar('array_source').each do |s| -%> <% if scope.lookupvar('array_destination').length > 0 -%> <% scope.lookupvar('array_destination').each do |d| -%> -<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -d <%= d %> -j <%= scope.lookupvar('target') %><%= comment %> +<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('match_syn') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -d <%= d %> -j <%= scope.lookupvar('target') %><%= comment %> <% end -%> <% else -%> -<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -j <%= scope.lookupvar('target') %><%= comment %> +<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('match_syn') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -j <%= scope.lookupvar('target') %><%= comment %> <% end -%> <% end -%> <% else -%> -<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('true_port') %> -j <%= scope.lookupvar('target') %><%= comment %> +<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('match_syn') %> <%= scope.lookupvar('true_port') %> -j <%= scope.lookupvar('target') %><%= comment %> <% end -%> <% end -%> From cfe164b41f9b8d2edd4caa522472ca7ab462699c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 28 Feb 2015 14:47:49 -0300 Subject: [PATCH 6/7] true_source is not used anywhere --- manifests/rule.pp | 5 ----- spec/defines/iptables_rule_spec.rb | 1 - 2 files changed, 6 deletions(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index a069801..cfef592 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -110,11 +110,6 @@ default => "-o ${out_interface}", } - $true_source = $source ? { - '' => '', - default => "-s ${source}", - } - $true_destination = $destination ? { '' => '', default => "-d ${destination}", diff --git a/spec/defines/iptables_rule_spec.rb b/spec/defines/iptables_rule_spec.rb index ff3ef71..9b98f1e 100644 --- a/spec/defines/iptables_rule_spec.rb +++ b/spec/defines/iptables_rule_spec.rb @@ -96,7 +96,6 @@ it { should contain_iptables__debug( "debug params iptable1" ).with( 'true_protocol' => '-p tcp', - 'true_source' => '', 'array_source_v6' => [], 'array_source' => [] ) } From 04b5b6d26143129b9001aa7853e68932b152b24c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 28 Feb 2015 14:54:31 -0300 Subject: [PATCH 7/7] Fix ipv6 source and destination checks --- manifests/rule.pp | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/manifests/rule.pp b/manifests/rule.pp index cfef592..3999f7a 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -133,8 +133,21 @@ default => $destination, } - $array_source_v6 = any2array($source_v6) - $array_destination_v6 = any2array($destination_v6) + $array_source_v6 = is_array($source_v6) ? { + false => $source_v6 ? { + '' => [], + default => [$source_v6], + }, + default => $source_v6, + } + + $array_destination_v6 = is_array($destination_v6) ? { + false => $destination_v6 ? { + '' => [], + default => [$destination_v6], + }, + default => $destination_v6, + } if $debug { iptables::debug{ "debug params ${name}":
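Review bot: The two new `is_array` selectors still let an empty string through when it arrives inside an array (`['2001:db8::1', '']` is kept as-is), which presumably yields the same `-s`/`-d` with a blank argument that the `any2array('')` → `['']` behaviour produced and that this patch is working around; they also leave each value unvalidated before it is interpolated into the ip6tables rule line. Both cases collapse to one line per variable with stdlib's `delete` (the file already relies on stdlib for `is_array`/`any2array`): `$array_source_v6 = delete(any2array($source_v6), '')` and `$array_destination_v6 = delete(any2array($destination_v6), '')`, which drops every empty element and removes the duplicated selector logic; an `is_ip_address` or `validate_re` check on each element before use would close the unvalidated-interpolation gap. How `$source_v6` and `$destination_v6` are defaulted (`''` vs `undef`) is outside the hunk, so if they can be `undef` the `''` key here may not match either.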