

MODULES-1612 - sync src_type and dst_type
Add addrtype feature to ip6tables provider, which allows src_type and
dst_type to be used.
Morgan Haskel committed Dec 30, 2014
1 parent 5efdee6 commit 6b2371b
Showing 2 changed files with 80 additions and 19 deletions.
7 changes: 5 additions & 2 deletions lib/puppet/provider/firewall/ip6tables.rb
Expand Up @@ -21,6 +21,7 @@
has_feature :ishasmorefrags
has_feature :islastfrag
has_feature :isfirstfrag
has_feature :address_type
has_feature :iprange

optional_commands({
Expand Down Expand Up @@ -57,6 +58,7 @@ def self.iptables_save(*args)
:destination => "-d",
:dport => ["-m multiport --dports", "--dport"],
:dst_range => '-m iprange --dst-range',
:dst_type => "-m addrtype --dst-type",
:gid => "-m owner --gid-owner",
:hop_limit => "-m hl --hl-eq",
:icmp => "-m icmp6 --icmpv6-type",
Expand Down Expand Up @@ -85,6 +87,7 @@ def self.iptables_save(*args)
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
:src_range => '-m iprange --src-range',
:src_type => "-m addrtype --src-type",
:stat_every => '--every',
:stat_mode => "-m statistic --mode",
:stat_packet => '--packet',
Expand Down Expand Up @@ -138,8 +141,8 @@ def self.iptables_save(*args)
# not provided with current parser [georg.koester])
@resource_list = [:table, :source, :destination, :iniface, :outiface,
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
:tcp_flags, :gid, :uid, :sport, :dport,
:port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
:tcp_flags, :gid, :uid, :sport, :dport, :port, :dst_type, :src_type,
:pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
:recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject,
:connlimit_above, :connlimit_mask, :connmark]
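Review bot: `has_feature :address_type` is declared unconditionally at the top of the provider, while the acceptance spec in this same commit skips the src_type/dst_type cases on el-5/el-6 because that ip6tables has no addrtype match; on those platforms a manifest using src_type or dst_type passes feature validation and presumably only fails when ip6tables is invoked. At minimum the limitation should be visible at the declaration, e.g. `has_feature :address_type # addrtype match is absent from the ip6tables shipped with EL5/EL6; src_type/dst_type rules fail at apply time there`. The position of :dst_type and :src_type inside `@resource_list` (between :port and :pkttype) looks like it determines where `-m addrtype` lands in the generated rule relative to the other matches, so a short comment saying why that slot was chosen would help the next person who reorders the list. The enclosing class continues outside the hunk.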
92 changes: 75 additions & 17 deletions spec/acceptance/firewall_spec.rb
Expand Up @@ -1123,11 +1123,11 @@ class { '::firewall': }
pp = <<-EOS
class { '::firewall': }
firewall { '601 - test':
proto => tcp,
port => '601',
action => accept,
proto => tcp,
port => '601',
action => accept,
src_range => '2001:db8::1-2001:db8::ff',
provider => 'ip6tables',
provider => 'ip6tables',
}
EOS

Expand All @@ -1150,9 +1150,10 @@ class { '::firewall': }
pp = <<-EOS
class { '::firewall': }
firewall { '601 - test':
proto => tcp,
port => '601',
action => accept,
proto => tcp,
port => '601',
action => accept,
provider => 'ip6tables',
src_range => '2001::db8::1-2001:db8::ff',
}
EOS
Expand All @@ -1163,7 +1164,7 @@ class { '::firewall': }
end

it 'should not contain the rule' do
shell('iptables-save') do |r|
shell('ip6tables-save') do |r|
expect(r.stdout).to_not match(/-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - test" -j ACCEPT/)
end
end
Expand All @@ -1176,11 +1177,11 @@ class { '::firewall': }
pp = <<-EOS
class { '::firewall': }
firewall { '602 - test':
proto => tcp,
port => '602',
action => accept,
proto => tcp,
port => '602',
action => accept,
dst_range => '2001:db8::1-2001:db8::ff',
provider => 'ip6tables',
provider => 'ip6tables',
}
EOS

Expand All @@ -1203,9 +1204,10 @@ class { '::firewall': }
pp = <<-EOS
class { '::firewall': }
firewall { '602 - test':
proto => tcp,
port => '602',
action => accept,
proto => tcp,
port => '602',
action => accept,
provider => 'ip6tables',
dst_range => '2001::db8::1-2001:db8::ff',
}
EOS
Expand All @@ -1216,13 +1218,69 @@ class { '::firewall': }
end

it 'should not contain the rule' do
shell('iptables-save') do |r|
shell('ip6tables-save') do |r|
expect(r.stdout).to_not match(/-A INPUT -p tcp -m iprange --dst-range 2001::db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - test" -j ACCEPT/)
end
end
end
end

# ip6tables on el5 and el6 doesn't support addrtype
if default['platform'] !~ /el-[5-6]/
['dst_type', 'src_type'].each do |type|
describe "#{type}" do
context 'MULTICAST' do
it 'applies' do
pp = <<-EOS
class { '::firewall': }
firewall { '603 - test':
proto => tcp,
action => accept,
#{type} => 'MULTICAST',
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :catch_failures => true)
unless fact('selinux') == 'true'
apply_manifest(pp, :catch_changes => true)
end
end

it 'should contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT/)
end
end
end

context 'BROKEN' do
it 'fails' do
pp = <<-EOS
class { '::firewall': }
firewall { '603 - test':
proto => tcp,
action => accept,
#{type} => 'BROKEN',
provider => 'ip6tables',
}
EOS

apply_manifest(pp, :expect_failures => true) do |r|
expect(r.stderr).to match(/Invalid value "BROKEN"./)
end
end

it 'should not contain the rule' do
shell('ip6tables-save') do |r|
expect(r.stdout).to_not match(/-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT/)
end
end
end
end
end
end

end

describe 'limit' do
Expand Down Expand Up @@ -1842,7 +1900,7 @@ class { '::firewall': }
expect(r.stdout).to match(/-A POSTROUTING -d 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j NETMAP --to 192.168.1.1/)
end
end
end
end
end

end
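Review bot: The assertion in the new `it 'should contain the rule'` block, `/-A INPUT -p tcp -m addrtype\s.*\sMULTICAST .../`, never checks which addrtype flag was emitted, so a provider that mapped dst_type to `--src-type` (or the reverse) would still pass both iterations of the `['dst_type', 'src_type'].each` loop. Derive the flag from the loop variable instead: `expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} MULTICAST -m comment --comment "603 - test" -j ACCEPT/)`, and apply the same tightening to the negative match in the BROKEN context. In that context the trailing `.` of `/Invalid value "BROKEN"./` is an unescaped metacharacter; write `/Invalid value "BROKEN"\./` if the period is meant literally. `describe "#{type}" do` can simply be `describe type do`.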
