diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index e851b7015..7f5942920 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -322,8 +322,10 @@ def should_to_s(value)
 * XRESOLVE - undocumented
 EOS
- newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
- :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+ newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+ [address_type, "! #{address_type}".to_sym]
+ end.flatten)
 end
 newproperty(:src_type, :required_features => :address_type) do
@@ -348,8 +350,10 @@ def should_to_s(value)
 * XRESOLVE - undocumented
 EOS
- newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
- :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+ newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+ [address_type, "! #{address_type}".to_sym]
+ end.flatten)
 end
 newproperty(:proto) do
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 3509ef814..cc2483247 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
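Review bot: Both the hunk at -322 (the property defined just before `newproperty(:src_type …)`, presumably `dst_type`) and the hunk at -348 (`src_type`) carry their own verbatim copy of the twelve address-type symbols and the same `.collect … .flatten` pair, which is `flat_map`; lift the list once above the two blocks and derive both value sets from it, e.g. `ADDRESS_TYPES = %i[UNSPEC UNICAST LOCAL BROADCAST ANYCAST MULTICAST BLACKHOLE UNREACHABLE PROHIBIT THROW NAT XRESOLVE].freeze` and `newvalues(*ADDRESS_TYPES.flat_map { |t| [t, :"! #{t}"] })`. Only the last line of each desc heredoc (`* XRESOLVE - undocumented`) is visible here; if the accepted negated spelling — exactly `! ` followed by the type, as `"! #{address_type}"` builds it — is not documented earlier in the heredoc, add `Any of these types may be negated by prefixing it with "! ", e.g. "! MULTICAST".` to both descriptions. Whether the provider parses and emits the negated form is not part of this diff, so the acceptance examples added in spec/acceptance/firewall_spec.rb are the only evidence that the new values round-trip; both `newproperty` blocks start before and end after their hunks.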
@@ -584,6 +584,30 @@ class { '::firewall': }
 end
 end
+ context '! MULTICAST' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '563 - test inversion':
+ proto => tcp,
+ action => accept,
+ #{type} => '! MULTICAST',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ unless fact('selinux') == 'true'
+ apply_manifest(pp, :catch_changes => true)
+ end
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "563 - test inversion" -j ACCEPT/)
+ end
+ end
+ end
+
 context 'BROKEN' do
 it 'fails' do
 pp = <<-EOS
@@ -1617,6 +1641,31 @@ class { '::firewall': }
 end
 end
+ context '! MULTICAST' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '603 - test inversion':
+ proto => tcp,
+ action => accept,
+ #{type} => '! MULTICAST',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ unless fact('selinux') == 'true'
+ apply_manifest(pp, :catch_changes => true)
+ end
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT/)
+ end
+ end
+ end
+
 context 'BROKEN' do
 it 'fails' do
 pp = <<-EOS
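Review bot: The `expect(r.stdout).to match(...)` assertion in the new `'should contain the rule'` example is looser than the inversion it is meant to prove: in `( !\s.*\sMULTICAST|\s.*\s! MULTICAST)` the `.*` may span any other addrtype option on the same line, so a rule whose bang belongs to a different option while `MULTICAST` itself is un-negated would also pass. `#{type}` appears to be the property under test (its enclosing loop begins above this hunk), so the expected flag can be spelled out and the bang tied to it, e.g. `flag = "--#{type.to_s.tr('_', '-')}"` and `match(/-A INPUT -p tcp -m addrtype (! #{flag} MULTICAST|#{flag} ! MULTICAST) -m comment --comment "563 - test inversion" -j ACCEPT/)`. The ip6tables context at -1617 has the same regex and the same applies/contains pair, differing only in the comment number, `provider => 'ip6tables'` and the save command, so a shared example group taking those three as parameters would keep the two in step. If this file already has a plain `MULTICAST` example for the same property, a `not_to match` on the un-negated form would distinguish the two outcomes.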