add physdev support

rebased from puppetlabs/puppetlabs-firewall#82
strider · Jan 18, 2015 · 3f592aa · 3f592aa
1 parent d7d3c56
commit 3f592aa
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -119,6 +119,7 @@ def self.iptables_save(*args)
     :toports          => "--to-ports",
     :tosource         => "--to-source",
     :uid              => "-m owner --uid-owner",
+    :bridge           => "-m physdev",
   }
 
   # These are known booleans that do not take a value, but we want to munge

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
@@ -105,6 +105,7 @@
     :tosource         => "--to-source",
     :to               => "--to",
     :uid              => "-m owner --uid-owner",
+    :bridge           => "-m physdev",
   }
 
   # These are known booleans that do not take a value, but we want to munge

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
@@ -1033,6 +1033,19 @@ def should_to_s(value)
     newvalues(/^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$/i)
   end
 
+  newproperty(:bridge, :required_features => :iptables) do
+    desc <<-EOS
+      Match if the packet is being bridged.
+    EOS
+    munge do |value|
+      if ! value.to_s.start_with?("--")
+        "--" + value.to_s
+      else
+        value
+      end
+    end
+  end
+
   autorequire(:firewallchain) do
     reqs = []
     protocol = nil
@@ -1191,5 +1204,11 @@ def should_to_s(value)
       self.fail "Parameter 'stat_probability' requires 'stat_mode' to be set to 'random'"
     end
 
+    if value(:bridged)
+      unless value(:chain).to_s =~ /FORWARD/
+        self.fail "Parameter isbridged only applies to the FORWARD chain"
+      end
+    end
+
   end
 end