Merge "Enable puppet-firewall parsing of --random-fully rules"

centos_pkg_dirs

@@ -31,6 +31,7 @@ config/puppet-modules/puppet-create_resources
 config/puppet-modules/puppet-dnsmasq
 config/puppet-modules/puppet-drbd-0.3.1
 config/puppet-modules/puppet-filemapper
+config/puppet-modules/puppet-firewall-1.8.2
 config/puppet-modules/puppet-haproxy-1.5.0
 config/puppet-modules/puppet-ldap
 config/puppet-modules/puppet-lvm

centos_srpms_centos.lst

@@ -18,6 +18,7 @@ openssh-7.4p1-21.el7.src.rpm
 parted-3.1-29.el7.src.rpm
 puppet-4.8.2-1.el7.src.rpm
 puppet-ceph-2.4.1-1.el7.src.rpm
+puppet-firewall-1.8.2-2.2f892e9git.el7.src.rpm
 puppet-haproxy-1.5.0-4.6ffcb07git.el7.src.rpm
 puppet-horizon-11.5.0-1.el7.src.rpm
 puppet-keystone-11.3.0-1.el7.src.rpm

config/puppet-modules/puppet-firewall-1.8.2/centos/build_srpm.data

@@ -0,0 +1 @@
+TIS_PATCH_VER=PKG_GITREVCOUNT

config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch

@@ -0,0 +1,26 @@
+From cdaacdb829690f7ddfd73d9184b0ebbd24cf363c Mon Sep 17 00:00:00 2001
+From: Steven Webster <steven.webster@windriver.com>
+Date: Fri, 29 Apr 2022 14:10:47 -0400
+Subject: [PATCH] Update package versioning for TIS format
+
+Signed-off-by: Steven Webster <steven.webster@windriver.com>
+---
+ SPECS/puppet-firewall.spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SPECS/puppet-firewall.spec b/SPECS/puppet-firewall.spec
+index 6d42163..f5925f1 100644
+--- a/SPECS/puppet-firewall.spec
++++ b/SPECS/puppet-firewall.spec
+@@ -8,7 +8,7 @@
+
+ Name:           puppet-firewall
+ Version:        1.8.2
+-Release:        2%{?alphatag}%{?dist}
++Release:        2.2f892e9git.el7%{?_tis_dist}.%{tis_patch_ver}
+ Summary:        Manages Firewalls such as iptables
+ License:        ASL 2.0
+
+--
+2.29.2
+

config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/0002-Add-support-for-random-fully-flag.patch

@@ -0,0 +1,33 @@
+From 5df5c090b1a87421f567cc2f79046ec4852f9597 Mon Sep 17 00:00:00 2001
+From: Steven Webster <steven.webster@windriver.com>
+Date: Fri, 29 Apr 2022 14:57:50 -0400
+Subject: [PATCH] Add support for random fully flag
+
+Signed-off-by: Steven Webster <steven.webster@windriver.com>
+---
+ SPECS/puppet-firewall.spec | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/SPECS/puppet-firewall.spec b/SPECS/puppet-firewall.spec
+index f5925f1..87d0410 100644
+--- a/SPECS/puppet-firewall.spec
++++ b/SPECS/puppet-firewall.spec
+@@ -15,6 +15,7 @@ License:        ASL 2.0
+ URL:            http://github.com/puppetlabs/puppetlabs-firewall
+
+ Source0:        https://github.com/puppetlabs/%{upstream_name}/archive/%{commit}.tar.gz#/%{upstream_name}-%{shortcommit}.tar.gz
++Patch0001:      0001-Add-support-for-random-fully-flag.patch
+
+ BuildArch:      noarch
+
+@@ -25,6 +26,7 @@ Manages Firewalls such as iptables
+
+ %prep
+ %setup -q -n %{upstream_name}-%{upstream_version}
++%patch0001 -p1
+
+ find . -type f -name ".*" -exec rm {} +
+ find . -size 0 -exec rm {} +
+--
+2.29.2
+

config/puppet-modules/puppet-firewall-1.8.2/centos/meta_patches/PATCH_ORDER

@@ -0,0 +1,2 @@
+0001-Update-package-versioning-for-TIS-format.patch
+0002-Add-support-for-random-fully-flag.patch

config/puppet-modules/puppet-firewall-1.8.2/centos/patches/0001-Add-support-for-random-fully-flag.patch

@@ -0,0 +1,225 @@
+From e4db4b965cd00d295d2dac0802fef78d1d115c17 Mon Sep 17 00:00:00 2001
+From: Steven Webster <steven.webster@windriver.com>
+Date: Mon, 2 May 2022 13:07:49 -0400
+Subject: [PATCH] Add support for random fully flag
+
+Enable puppet-firewall parsing of --random-fully rules
+
+A problem may occur if puppet attempts to inject a firewall rule
+while the underlying iptables/ip6tables has existing rules which
+use the --random-fully flag in the NAT table.
+
+The issue occurs because puppet-firewall first makes a call to
+iptables-save/ip6tables-save to parse the existing rules
+(to determine if the rule already exists).  If it finds a rule
+with --random-fully, it will immediately bail out.
+
+The current version(s) of puppet-firewall in StarlingX are old
+enough that they don't have parsing logic for the --random-fully
+flag that was initially supported in iptables version 1.6.2+.
+
+Now that StarlingX uses iptables 1.8.4, we must account for the
+possibility that various components (ie. kubernetes) will make
+use of --random-fully rules.
+
+This feature has been implemented upstream in the following commits:
+
+https://github.com/puppetlabs/puppetlabs-firewall/commits/
+
+9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
+0ea2b74c0b4a451a37bae8c2ff105b72481ab485
+
+This commit ports back the above commits
+
+Signed-off-by: Steven Webster <steven.webster@windriver.com>
+---
+ lib/puppet/provider/firewall/ip6tables.rb  |  9 +++++-
+ lib/puppet/provider/firewall/iptables.rb   | 12 +++++++-
+ lib/puppet/type/firewall.rb                | 10 +++++++
+ spec/acceptance/firewall_spec.rb           | 32 ++++++++++++++++++++++
+ spec/fixtures/ip6tables/conversion_hash.rb |  7 +++++
+ 5 files changed, 68 insertions(+), 2 deletions(-)
+
+diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
+index c8b3f64..cdb981a 100644
+--- a/lib/puppet/provider/firewall/ip6tables.rb
++++ b/lib/puppet/provider/firewall/ip6tables.rb
+@@ -49,6 +49,11 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+     mark_flag = '--set-xmark'
+   end
+ 
++  kernelversion = Facter.value('kernelversion')
++  if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++     (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0)
++    has_feature :random_fully
++  end
+ 
+   def initialize(*args)
+     ip6tables_version = Facter.value('ip6tables_version')
+@@ -109,6 +114,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+     :proto              => "-p",
+     :queue_num          => "--queue-num",
+     :queue_bypass       => "--queue-bypass",
++    :random_fully       => "--random-fully",
+     :rdest              => "--rdest",
+     :reap               => "--reap",
+     :recent             => "-m recent",
+@@ -168,6 +174,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+     :islastfrag,
+     :isfirstfrag,
+     :log_uid,
++    :random_fully,
+     :rsource,
+     :rdest,
+     :reap,
+@@ -244,7 +251,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
+     :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
+     :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+     :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
+-    :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
++    :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :random_fully, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+     :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+     :src_cc, :dst_cc, :name]
+ 
+diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
+index b05ba43..767bdc0 100644
+--- a/lib/puppet/provider/firewall/iptables.rb
++++ b/lib/puppet/provider/firewall/iptables.rb
+@@ -58,6 +58,12 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+     mark_flag = '--set-xmark'
+   end
+ 
++  kernelversion = Facter.value('kernelversion')
++  if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++     (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0)
++    has_feature :random_fully
++  end
++
+   @protocol = "IPv4"
+ 
+   @resource_map = {
+@@ -102,6 +108,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+     :proto                 => "-p",
+     :queue_num             => "--queue-num",
+     :queue_bypass          => "--queue-bypass",
++    :random_fully          => "--random-fully",
+     :random                => "--random",
+     :rdest                 => "--rdest",
+     :reap                  => "--reap",
+@@ -167,6 +174,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+     :clamp_mss_to_pmtu,
+     :isfragment,
+     :log_uid,
++    :random_fully,
+     :random,
+     :rdest,
+     :reap,
+@@ -288,7 +296,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+     :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
+     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
+     :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
+-    :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
++    :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
+     :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+     :src_cc, :dst_cc, :name]
+@@ -418,6 +426,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
+         # only replace those -f that are not followed by an l to
+         # distinguish between -f and the '-f' inside of --tcp-flags.
+         values = values.sub(/\s-f(?!l)(?=.*--comment)/, ' -f true')
++      elsif bool == :random
++        values = values.sub(/#{resource_map[bool]}(\s|$)(?!"!")/, "#{resource_map[bool]} true")
+       else
+         # append `true` to booleans that are not already negated (followed by "!")
+         values = values.sub(/#{resource_map[bool]}(?! "!")/, "#{resource_map[bool]} true")
+diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
+index 6deab2b..1637688 100644
+--- a/lib/puppet/type/firewall.rb
++++ b/lib/puppet/type/firewall.rb
+@@ -67,6 +67,7 @@ Puppet::Type.newtype(:firewall) do
+   feature :string_matching, "String matching features"
+   feature :queue_num, "Which NFQUEUE to send packets to"
+   feature :queue_bypass, "If nothing is listening on queue_num, allow packets to bypass the queue"
++  feature :random_fully, "The ability to use --random-fully flag"
+ 
+   # provider specific features
+   feature :iptables, "The provider provides iptables features."
+@@ -569,6 +570,15 @@ Puppet::Type.newtype(:firewall) do
+     EOS
+   end
+ 
++  newproperty(:random_fully, :required_features => :random_fully) do
++    desc <<-EOS
++      When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
++      this boolean will enable randomized port mapping.
++    EOS
++
++    newvalues(:true, :false)
++  end
++
+   newproperty(:random, :required_features => :dnat) do
+     desc <<-EOS
+       When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
+index 8eee85b..617ebe5 100644
+--- a/spec/acceptance/firewall_spec.rb
++++ b/spec/acceptance/firewall_spec.rb
+@@ -2416,5 +2416,37 @@ describe 'firewall basics', docker: true do
+     end
+   end
+ 
++  describe 'random-fully' do
++    supports_random_fully = if os[:family] == 'redhat' && os[:release].start_with?('8')
++                              true
++                            elsif os[:family] == 'debian' && os[:release].start_with?('10')
++                              true
++                            else
++                              false
++                            end
++
++    before(:all) do
++      pp = <<-EOS
++        firewall { '901 - set random-fully':
++          table        => 'nat',
++          chain        => 'POSTROUTING',
++          jump         => 'MASQUERADE',
++          random_fully => true,
++        }
++      EOS
++      apply_manifest(pp, :catch_failures => true)
++    end
++
++    it 'adds random-fully rule', if: supports_random_fully do
++      shell('iptables-save') do |r|
++        expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE --random-fully})
++      end
++    end
++    it 'adds rule without random-fully', unless: supports_random_fully do
++      shell('iptables-save') do |r|
++        expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
++      end
++    end
++  end
+ 
+ end
+diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
+index 8174875..ad94ac4 100644
+--- a/spec/fixtures/ip6tables/conversion_hash.rb
++++ b/spec/fixtures/ip6tables/conversion_hash.rb
+@@ -33,6 +33,13 @@ ARGS_TO_HASH6 = {
+       :sport => ['547'],
+       :dport => ['546'],
+     },
++  'random-fully' => {
++    line: '-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully',
++    table: 'filter',
++    provider: 'ip6tables',
++    params: {
++      random_fully: 'true',
++    },
+   }
+ }
+ 
+-- 
+2.29.2
+

config/puppet-modules/puppet-firewall-1.8.2/centos/srpm_path

@@ -0,0 +1 @@
+mirror:Source/puppet-firewall-1.8.2-2.2f892e9git.el7.src.rpm

config/puppet-modules/puppetlabs-firewall-1.12.0/debian/meta_data.yaml

@@ -0,0 +1,11 @@
+---
+debname: puppet-module-puppetlabs-firewall
+debver: 1.12.0-1
+dl_path:
+  name: puppet-module-puppetlabs-firewall-1.12.0-1.tar.gz
+  url: https://salsa.debian.org/puppet-team/puppet-module-puppetlabs-firewall/-/archive/debian/1.12.0-1/puppet-module-puppetlabs-firewall-debian-1.12.0-1.tar.gz
+  md5sum: d54a6e017792ca19f6227cc61222c89b
+  sha256sum: 850d80d0dae673bf5c79e0968437ac37764f3d419502c37a8dcc4ace0f5ebd0a
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true

config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/0001-Add-support-for-random-fully-flag.patch

@@ -0,0 +1,228 @@
+From 7efc7fcf651772e2128a72b21305e86c27b9ecb2 Mon Sep 17 00:00:00 2001
+From: Steven Webster <steven.webster@windriver.com>
+Date: Mon, 2 May 2022 13:36:50 -0400
+Subject: [PATCH] Add support for random fully flag
+
+Enable puppet-firewall parsing of --random-fully rules
+
+A problem may occur if puppet attempts to inject a firewall rule
+while the underlying iptables/ip6tables has existing rules which
+use the --random-fully flag in the NAT table.
+
+The issue occurs because puppet-firewall first makes a call to
+iptables-save/ip6tables-save to parse the existing rules
+(to determine if the rule already exists).  If it finds a rule
+with --random-fully, it will immediately bail out.
+
+The current version(s) of puppet-firewall in StarlingX are old
+enough that they don't have parsing logic for the --random-fully
+flag that was initially supported in iptables version 1.6.2+.
+
+Now that StarlingX uses iptables 1.8.4, we must account for the
+possibility that various components (ie. kubernetes) will make
+use of --random-fully rules.
+
+This feature has been implemented upstream in the following commits:
+
+https://github.com/puppetlabs/puppetlabs-firewall/commits/
+
+9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
+0ea2b74c0b4a451a37bae8c2ff105b72481ab485
+
+This commit ports back the above commits
+
+Signed-off-by: Steven Webster <steven.webster@windriver.com>
+---
+ lib/puppet/provider/firewall/ip6tables.rb  | 10 ++++++-
+ lib/puppet/provider/firewall/iptables.rb   | 12 +++++++-
+ lib/puppet/type/firewall.rb                | 12 ++++++++
+ spec/acceptance/firewall_spec.rb           | 33 ++++++++++++++++++++++
+ spec/fixtures/ip6tables/conversion_hash.rb |  7 +++++
+ 5 files changed, 72 insertions(+), 2 deletions(-)
+
+diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
+index d3c1b3c..7fce8bc 100644
+--- a/lib/puppet/provider/firewall/ip6tables.rb
++++ b/lib/puppet/provider/firewall/ip6tables.rb
+@@ -47,6 +47,12 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+                 '--set-xmark'
+               end
+ 
++  kernelversion = Facter.value('kernelversion')
++  if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++     (ip6tables_version && Puppet::Util::Package.versioncmp(ip6tables_version, '1.6.2') >= 0)
++    has_feature :random_fully
++  end
++
+   def initialize(*args)
+     ip6tables_version = Facter.value('ip6tables_version')
+     raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables' if ip6tables_version && ip6tables_version.match(%r{1\.3\.\d})
+@@ -103,6 +109,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+     proto: '-p',
+     queue_num: '--queue-num',
+     queue_bypass: '--queue-bypass',
++    random_fully: '--random-fully',
+     rdest: '--rdest',
+     reap: '--reap',
+     recent: '-m recent',
+@@ -174,6 +181,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+     :islastfrag,
+     :isfirstfrag,
+     :log_uid,
++    :random_fully,
+     :rsource,
+     :rdest,
+     :reap,
+@@ -253,7 +261,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, parent: :iptables, source: :ip6
+                     :ctstate, :icmp, :hop_limit, :limit, :burst, :length, :recent, :rseconds, :reap,
+                     :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :string, :string_algo,
+                     :string_from, :string_to, :jump, :clamp_mss_to_pmtu, :gateway, :todest,
+-                    :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
++                    :tosource, :toports, :checksum_fill, :log_level, :log_prefix, :log_uid, :random_fully, :reject, :set_mss, :set_dscp, :set_dscp_class, :mss, :queue_num, :queue_bypass,
+                     :set_mark, :match_mark, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop, :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+                     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
+                     :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
+diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
+index 00655ea..d86a5c6 100644
+--- a/lib/puppet/provider/firewall/iptables.rb
++++ b/lib/puppet/provider/firewall/iptables.rb
+@@ -56,6 +56,12 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+                 '--set-xmark'
+               end
+ 
++  kernelversion = Facter.value('kernelversion')
++  if (kernelversion && Puppet::Util::Package.versioncmp(kernelversion, '3.13') >= 0) &&
++     (iptables_version && Puppet::Util::Package.versioncmp(iptables_version, '1.6.2') >= 0)
++    has_feature :random_fully
++  end
++
+   @protocol = 'IPv4'
+ 
+   @resource_map = {
+@@ -100,6 +106,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+     proto: '-p',
+     queue_num: '--queue-num',
+     queue_bypass: '--queue-bypass',
++    random_fully: '--random-fully',
+     random: '--random',
+     rdest: '--rdest',
+     reap: '--reap',
+@@ -176,6 +183,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+     :clamp_mss_to_pmtu,
+     :isfragment,
+     :log_uid,
++    :random_fully,
+     :random,
+     :rdest,
+     :reap,
+@@ -295,7 +303,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+     :string_from, :string_to, :jump, :goto, :clusterip_new, :clusterip_hashmode,
+     :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :queue_num, :queue_bypass,
+     :nflog_group, :nflog_prefix, :nflog_range, :nflog_threshold, :clamp_mss_to_pmtu, :gateway,
+-    :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix,
++    :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random_fully, :random, :log_prefix,
+     :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
+     :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
+     :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
+@@ -428,6 +436,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa
+                  # only replace those -f that are not followed by an l to
+                  # distinguish between -f and the '-f' inside of --tcp-flags.
+                  values.sub(%r{\s-f(?!l)(?=.*--comment)}, ' -f true')
++               elsif bool == :random
++                 values.sub(%r{#{resource_map[bool]}(\s|$)(?!"!")}, "#{resource_map[bool]} true")
+                else
+                  # append `true` to booleans that are not already negated (followed by "!")
+                  values.sub(%r{#{resource_map[bool]}(?! "!")}, "#{resource_map[bool]} true")
+diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
+index a859f28..fce2fba 100644
+--- a/lib/puppet/type/firewall.rb
++++ b/lib/puppet/type/firewall.rb
+@@ -68,6 +68,7 @@ Puppet::Type.newtype(:firewall) do
+   feature :queue_num, 'Which NFQUEUE to send packets to'
+   feature :queue_bypass, 'If nothing is listening on queue_num, allow packets to bypass the queue'
+   feature :hashlimit, 'Hashlimit features'
++  feature :random_fully, 'The ability to use --random-fully flag'
+ 
+   # provider specific features
+   feature :iptables, 'The provider provides iptables features.'
+@@ -581,6 +582,17 @@ Puppet::Type.newtype(:firewall) do
+     PUPPETCODE
+   end
+ 
++  newproperty(:random_fully, required_features: :random_fully) do
++    desc <<-PUPPETCODE
++      When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
++      this boolean will enable fully randomized port mapping.
++
++      **NOTE** Requires Kernel >= 3.13 and iptables >= 1.6.2
++    PUPPETCODE
++
++    newvalues(:true, :false)
++  end
++
+   newproperty(:random, required_features: :dnat) do
+     desc <<-PUPPETCODE
+       When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
+diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
+index f4c3d67..3198ba5 100644
+--- a/spec/acceptance/firewall_spec.rb
++++ b/spec/acceptance/firewall_spec.rb
+@@ -2317,4 +2317,37 @@ describe 'firewall basics', docker: true do
+       end
+     end
+   end
++
++  describe 'random-fully' do
++    supports_random_fully = if os[:family] == 'redhat' && os[:release].start_with?('8')
++                              true
++                            elsif os[:family] == 'debian' && os[:release].start_with?('10')
++                              true
++                            else
++                              false
++                            end
++
++    before(:all) do
++      pp = <<-PUPPETCODE
++        firewall { '901 - set random-fully':
++          table        => 'nat',
++          chain        => 'POSTROUTING',
++          jump         => 'MASQUERADE',
++          random_fully => true,
++        }
++      PUPPETCODE
++      apply_manifest(pp, catch_failures: true)
++    end
++
++
++    it 'adds random-fully rule', if: supports_random_fully do
++      shell('iptables-save') do |r|
++        expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE --random-fully})
++      end
++    end
++    it 'adds rule without random-fully', unless: supports_random_fully do
++      shell('iptables-save') do |r|
++        expect(r.stdout).to match(%r{-A POSTROUTING -p tcp -m comment --comment "901 - set random-fully" -j MASQUERADE})
++    end
++  end
+ end
+diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
+index 748dc8d..00f1018 100644
+--- a/spec/fixtures/ip6tables/conversion_hash.rb
++++ b/spec/fixtures/ip6tables/conversion_hash.rb
+@@ -33,6 +33,13 @@ ARGS_TO_HASH6 = {
+       sport: ['547'],
+       dport: ['546'],
+     },
++  'random-fully' => {
++    line: '-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE --random-fully',
++    table: 'filter',
++    provider: 'ip6tables',
++    params: {
++      random_fully: 'true',
++    },
+   },
+ }.freeze
+ 
+-- 
+2.17.1
+

config/puppet-modules/puppetlabs-firewall-1.12.0/debian/patches/series

@@ -0,0 +1 @@
+0001-Add-support-for-random-fully-flag.patch

debian_pkg_dirs

@@ -23,6 +23,7 @@ config/puppet-modules/puppet-boolean-2.0.2
 config/puppet-modules/puppet-dnsmasq
 config/puppet-modules/puppet-drbd-0.5.2
 config/puppet-modules/puppet-etcd-1.12.3
+config/puppet-modules/puppetlabs-firewall-1.12.0
 config/puppet-modules/puppetlabs-haproxy-2.1.0
 config/puppet-modules/puppetlabs-postgresql-6.7.0
 config/puppet-modules/puppetlabs-stdlib-5.0.0