From cc93565bfd065c82606ed78b9aa54c4bcc1d185d Mon Sep 17 00:00:00 2001
From: Morgan Haskel
Date: Tue, 30 Dec 2014 16:19:10 -0800
Subject: [PATCH] MODULES-1612 - sync socket
---
 README.markdown | 2 +-
 lib/puppet/provider/firewall/ip6tables.rb | 21 ++++++---
 spec/acceptance/firewall_spec.rb | 55 +++++++++++++++++++++++
 3 files changed, 72 insertions(+), 6 deletions(-)
diff --git a/README.markdown b/README.markdown
index 362a74e43..265d6efdb 100644
--- a/README.markdown
+++ b/README.markdown
@@ -339,7 +339,7 @@ This type enables you to manage firewall rules within Puppet.
 * `ip6tables`: Ip6tables type provider
 * Required binaries: `ip6tables-save`, `ip6tables`.
- * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `state_match`, `tcp_flags`.
+ * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
 * `iptables`: Iptables type provider
 * Required binaries: `iptables-save`, `iptables`.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index 6b5d8f963..77156ec0a 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -21,6 +21,7 @@
 has_feature :ishasmorefrags
 has_feature :islastfrag
 has_feature :isfirstfrag
+ has_feature :socket
 has_feature :address_type
 has_feature :iprange
@@ -85,6 +86,7 @@ def self.iptables_save(*args)
 :rseconds => "--seconds",
 :rsource => "--rsource",
 :rttl => "--rttl",
+ :socket => "-m socket",
 :source => "-s",
 :sport => ["-m multiport --sports", "--sport"],
 :src_range => '-m iprange --src-range',
@@ -104,7 +106,16 @@ def self.iptables_save(*args)
 # These are known booleans that do not take a value, but we want to munge
 # to true if they exist.
- @known_booleans = [:ishasmorefrags, :islastfrag, :isfirstfrag, :rsource, :rdest, :reap, :rttl]
+ @known_booleans = [
+ :ishasmorefrags,
+ :islastfrag,
+ :isfirstfrag,
+ :rsource,
+ :rdest,
+ :reap,
+ :rttl,
+ :socket
+ ]
 # Create property methods dynamically
 (@resource_map.keys << :chain << :table << :action).each do |property|
@@ -143,9 +154,9 @@ def self.iptables_save(*args)
 @resource_list = [:table, :source, :destination, :iniface, :outiface, :proto,
 :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
 :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type,
- :src_type, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit,
- :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource,
- :rdest, :jump, :todest, :tosource, :toports, :log_level, :log_prefix,
- :reject, :connlimit_above, :connlimit_mask, :connmark]
+ :src_type, :socket, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit,
+ :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname,
+ :rsource, :rdest, :jump, :todest, :tosource, :toports, :log_level,
+ :log_prefix, :reject, :connlimit_above, :connlimit_mask, :connmark]
 end
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index cf9200284..703560f02 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
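Review bot: `:socket => "-m socket"` in the resource map (first hunk on this line) is registered without any note that the match has platform-dependent IPv6 availability, which this same patch records only as a test-time exclusion of el-5, ubuntu-1004, debian-6 and sles in the acceptance spec; a maintainer reading the provider will not see that limitation. A one-line comment next to the entry, `# -m socket: IPv6 availability depends on the kernel/ip6tables version; see the platform guard in spec/acceptance/firewall_spec.rb`, would carry it into the code. Presumably a manifest with `socket => true` on an unsupported platform fails only with the raw ip6tables error at apply time; if so, a clearer message would need a check elsewhere in the provider, outside these hunks. The `@resource_list` position chosen for `:socket` (after `:src_type`, third hunk) is consistent with the spec's expected `-m socket` placement after `--ports`, which is what parsing of ip6tables-save output relies on; the enclosing provider block starts and continues outside these hunks.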
@@ -1250,6 +1250,61 @@ class { '::firewall': }
 end
 end
+ # ip6tables has limited `-m socket` support
+ if default['platform'] !~ /el-5/ and default['platform'] !~ /ubuntu-1004/ and default['platform'] !~ /debian-6/ and default['platform'] !~ /sles/
+ describe 'socket' do
+ context 'true' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '605 - test':
+ ensure => present,
+ proto => tcp,
+ port => '605',
+ action => accept,
+ chain => 'INPUT',
+ socket => true,
+ provider => 'ip6tables',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 605 -m socket -m comment --comment "605 - test" -j ACCEPT/)
+ end
+ end
+ end
+ context 'false' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '606 - test':
+ ensure => present,
+ proto => tcp,
+ port => '606',
+ action => accept,
+ chain => 'INPUT',
+ socket => false,
+ provider => 'ip6tables',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m multiport --ports 606 -m comment --comment "606 - test" -j ACCEPT/)
+ end
+ end
+ end
+ end
+ end
+
 # ip6tables only support addrtype on a limited set of platforms
 if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
 ['dst_type', 'src_type'].each do |type|
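Review bot: The platform guard at the top of the hunk, `if default['platform'] !~ /el-5/ and ... !~ /sles/`, is an exclusion list, so any platform not named — including ones added to the test matrix later — runs the `-m socket` examples by default, whereas the addrtype block immediately below uses an allow list (`=~ /el-7/ or ...`); if the intent is "only platforms known to support `-m socket` for IPv6", an allow list in that same style would fail closed instead of open. The `and` keyword is harmless in a bare `if` condition, but `&&` is the conventional operator for boolean logic (the pre-existing `or` below shows the file is not consistent either way). Each `it 'should contain the rule'` example appears to depend on the preceding `it 'applies'` example having run, so running a single example in isolation would fail; a comment such as `# depends on the 'applies' example above having installed the rule` on each would make the ordering explicit.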