(MODULES-1592) Allow src_type and dst_type prefixed with '! ' to pass…

… validation
redhat-openstack · Jun 15, 2015 · a9f8c61 · a9f8c61
1 parent 27d063d
commit a9f8c61
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 4 deletions.
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
@@ -322,8 +322,10 @@ def should_to_s(value)
       * XRESOLVE - undocumented
     EOS
 
-    newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
-              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+    newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+      [address_type, "! #{address_type}".to_sym]
+    end.flatten)
   end
 
   newproperty(:src_type, :required_features => :address_type) do
@@ -348,8 +350,10 @@ def should_to_s(value)
       * XRESOLVE - undocumented
     EOS
 
-    newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
-              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+    newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+      [address_type, "! #{address_type}".to_sym]
+    end.flatten)
   end
 
   newproperty(:proto) do

diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
@@ -584,6 +584,30 @@ class { '::firewall': }
         end
       end
 
+      context '! MULTICAST' do
+        it 'applies' do
+          pp = <<-EOS
+            class { '::firewall': }
+            firewall { '563 - test inversion':
+              proto  => tcp,
+              action => accept,
+              #{type} => '! MULTICAST',
+            }
+          EOS
+
+          apply_manifest(pp, :catch_failures => true)
+          unless fact('selinux') == 'true'
+            apply_manifest(pp, :catch_changes => true)
+          end
+        end
+
+        it 'should contain the rule' do
+          shell('iptables-save') do |r|
+            expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "563 - test inversion" -j ACCEPT/)
+          end
+        end
+      end
+
       context 'BROKEN' do
         it 'fails' do
           pp = <<-EOS
@@ -1617,6 +1641,31 @@ class { '::firewall': }
             end
           end
 
+          context '! MULTICAST' do
+            it 'applies' do
+              pp = <<-EOS
+            class { '::firewall': }
+            firewall { '603 - test inversion':
+              proto    => tcp,
+              action   => accept,
+              #{type}  => '! MULTICAST',
+              provider => 'ip6tables',
+            }
+              EOS
+
+              apply_manifest(pp, :catch_failures => true)
+              unless fact('selinux') == 'true'
+                apply_manifest(pp, :catch_changes => true)
+              end
+            end
+
+            it 'should contain the rule' do
+              shell('ip6tables-save') do |r|
+                expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT/)
+              end
+            end
+          end
+
           context 'BROKEN' do
             it 'fails' do
               pp = <<-EOS