Update Debian's script name

manifests/params.pp

@@ -58,7 +58,7 @@
   }
 
   $service = $::operatingsystem ? {
-    /(?i:Debian|Ubuntu|Mint)/ => 'iptables-persistent',
+    /(?i:Debian|Ubuntu|Mint)/ => 'netfilter-persistent',
     default                   => 'iptables',
   }
 

manifests/rule.pp

@@ -6,6 +6,8 @@
 # $table          - The iptables table to work on (default filter)
 # $chain          - The iptables chain to work on (default INPUT).
 #                   Write it UPPERCASE coherently with iptables syntax
+# $syn            - Add tcp/syn match mark
+#                   Defaults to true if rule matches TCP
 # $in_interface   - The inbound interface for the rule
 # $out_interface  - The outbound interface for the rule
 # $target         - The iptables target for the rule (default ACCEPT)
@@ -49,6 +51,7 @@
   $port           = '',
   $order          = '',
   $rule           = '',
+  $syn            = true,
   $enable         = true,
   $enable_v6      = false,
   $debug          = false ) {
@@ -83,9 +86,18 @@
     default => "-p ${protocol}",
   }
 
+  if $protocol == 'tcp' {
+    $bool_syn = any2bool($syn)
+    $match_syn = $bool_syn? {
+      true    => '--syn',
+      default => '',
+    }
+  }
+
   $true_port = $port ? {
-    ''    => '',
-    default => "--dport ${port}",
+    ''                => '',
+    /(?i:\w*[,:]\w*)/ => "--match multiport --dports ${port}",
+    default           => "--dport ${port}",
   }
 
   $true_in_interface = $in_interface ? {
@@ -98,11 +110,6 @@
     default => "-o ${out_interface}",
   }
 
-  $true_source = $source ? {
-    ''    => '',
-    default => "-s ${source}",
-  }
-
   $true_destination = $destination ? {
     ''    => '',
     default => "-d ${destination}",
@@ -126,8 +133,21 @@
     default   => $destination,
   }
 
-  $array_source_v6 = any2array($source_v6)
-  $array_destination_v6 = any2array($destination_v6)
+  $array_source_v6 = is_array($source_v6) ? {
+    false     => $source_v6 ? {
+      ''      => [],
+      default => [$source_v6],
+    },
+    default   => $source_v6,
+  }
+
+  $array_destination_v6 = is_array($destination_v6) ? {
+    false     => $destination_v6 ? {
+      ''      => [],
+      default => [$destination_v6],
+    },
+    default   => $destination_v6,
+  }
 
   if $debug {
     iptables::debug{ "debug params ${name}":

spec/defines/iptables_rule_spec.rb

@@ -96,7 +96,6 @@
 
     it { should contain_iptables__debug( "debug params iptable1" ).with(
       'true_protocol'   => '-p tcp',
-      'true_source'     => '',
       'array_source_v6' => [],
       'array_source'    => []
     ) }

templates/concat/rule.erb

@@ -10,13 +10,13 @@
 <% scope.lookupvar('array_source').each do |s| -%>
 <% if scope.lookupvar('array_destination').length > 0 -%>
 <% scope.lookupvar('array_destination').each do |d| -%>
-<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -d <%= d %> -j <%= scope.lookupvar('target') %><%= comment %>
+<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('match_syn') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -d <%= d %> -j <%= scope.lookupvar('target') %><%= comment %>
 <% end -%>
 <% else -%>
-<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -j <%= scope.lookupvar('target') %><%= comment %>
+<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('match_syn') %> <%= scope.lookupvar('true_port') %> -s <%= s %> -j <%= scope.lookupvar('target') %><%= comment %>
 <% end -%>
 <% end -%>
 <% else -%>
-<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('true_port') %> -j <%= scope.lookupvar('target') %><%= comment %>
+<%= @command %> <%= @chain %> <%= @true_in_interface %> <%= @true_out_interface %> <%= scope.lookupvar('true_protocol') %> <%= scope.lookupvar('match_syn') %> <%= scope.lookupvar('true_port') %> -j <%= scope.lookupvar('target') %><%= comment %>
 <% end -%>
 <% end -%>