From a9f8c6122cbb6be51f03b37c58c0c08dc553f4c4 Mon Sep 17 00:00:00 2001
From: Jason Stangroome
Date: Fri, 12 Dec 2014 21:06:34 +1100
Subject: [PATCH] (MODULES-1592) Allow src_type and dst_type prefixed with '! ' to pass validation

---
 lib/puppet/type/firewall.rb | 12 +++++---
 spec/acceptance/firewall_spec.rb | 49 ++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index e851b7015..7f5942920 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -322,8 +322,10 @@ def should_to_s(value)
 * XRESOLVE - undocumented
 EOS
 
- newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
- :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+ newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+ [address_type, "! #{address_type}".to_sym]
+ end.flatten)
 end
 
 newproperty(:src_type, :required_features => :address_type) do
@@ -348,8 +350,10 @@ def should_to_s(value)
 * XRESOLVE - undocumented
 EOS
 
- newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
- :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+ newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+ :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+ [address_type, "! #{address_type}".to_sym]
+ end.flatten)
 end
 
 newproperty(:proto) do
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 3509ef814..cc2483247 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
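Review bot: The `desc` heredoc closed by `EOS` directly above the new `newvalues` call still lists only the plain address types, in both the dst_type hunk at @@ -322 and the src_type hunk at @@ -348, so nothing tells a manifest author that a value may be negated, nor that only the exact form `!`, one space, uppercase type passes validation. I would add to both descriptions a line such as `Any of the above may be prefixed with '! ' to negate the match, e.g. '! LOCAL'.` How the providers render the negated value into the `--dst-type`/`--src-type` option is not visible in this patch, so that path is worth confirming rather than relying on validation alone. The twelve-symbol list is now duplicated verbatim in the two properties; hoisting it into one frozen constant with a single helper that appends the `! ` form would keep them from drifting apart. The enclosing `newproperty` blocks begin outside both hunks.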
@@ -584,6 +584,30 @@ class { '::firewall': }
 end
 end
 
+ context '! MULTICAST' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '563 - test inversion':
+ proto => tcp,
+ action => accept,
+ #{type} => '! MULTICAST',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ unless fact('selinux') == 'true'
+ apply_manifest(pp, :catch_changes => true)
+ end
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "563 - test inversion" -j ACCEPT/)
+ end
+ end
+ end
+
 context 'BROKEN' do
 it 'fails' do
 pp = <<-EOS
@@ -1617,6 +1641,31 @@ class { '::firewall': }
 end
 end
 
+ context '! MULTICAST' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '603 - test inversion':
+ proto => tcp,
+ action => accept,
+ #{type} => '! MULTICAST',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ unless fact('selinux') == 'true'
+ apply_manifest(pp, :catch_changes => true)
+ end
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT/)
+ end
+ end
+ end
+
 context 'BROKEN' do
 it 'fails' do
 pp = <<-EOS
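Review bot: The `.*` inside `( !\s.*\sMULTICAST|\s.*\s! MULTICAST)` in the `it 'should contain the rule'` example is loose enough that any option text may sit between the `!` and `MULTICAST`, so the assertion does not actually prove the negation landed on the addrtype option under test; the ip6tables hunk at @@ -1617 uses the same pattern. `type` is set outside the hunk, and if it holds `src_type` or `dst_type` the option can be named explicitly, e.g. `expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype (! )?--#{type.tr('_', '-')} (! )?MULTICAST -m comment --comment "563 - test inversion" -j ACCEPT/)`, which still accepts both placements of the `!` that iptables-save may print. The enclosing describe block that defines `type` begins outside both hunks.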