Merge pull request #469 from mhaskel/MODULES-1612

MODULES-1612 - sync mask
strider · Jan 14, 2015 · d1606aa · d1606aa
2 parents 6d7de07 + 54b81df
commit d1606aa
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 7 deletions.
diff --git a/README.markdown b/README.markdown
@@ -339,12 +339,12 @@ This type enables you to manage firewall rules within Puppet.
 
  * `ip6tables`: Ip6tables type provider
     * Required binaries: `ip6tables-save`, `ip6tables`.
-    * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+    * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `mask`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
 
 * `iptables`: Iptables type provider
     * Required binaries: `iptables-save`, `iptables`.
     * Default for `kernel` == `linux`.
-    * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
+    * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `ipset`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `mask`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
 
 **Autorequires:**
 

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -26,6 +26,7 @@
   has_feature :iprange
   has_feature :ipsec_dir
   has_feature :ipsec_policy
+  has_feature :mask
   has_feature :ipset
 
   optional_commands({
@@ -85,6 +86,7 @@ def self.iptables_save(*args)
     :limit            => "-m limit --limit",
     :log_level        => "--log-level",
     :log_prefix       => "--log-prefix",
+    :mask             => "--mask",
     :name             => "-m comment --comment",
     :mac_source       => ["-m mac --mac-source", "--mac-source"],
     :outiface         => "-o",
@@ -171,7 +173,7 @@ def self.iptables_save(*args)
     :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type,
     :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
     :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
-    :rhitcount, :rttl, :rname, :rsource, :rdest, :ipset, :jump, :todest,
+    :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
     :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark,
     :connlimit_above, :connlimit_mask, :connmark]
 

diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
@@ -1449,7 +1449,7 @@ class { '::firewall': }
       end
     end
 
-    #ip6tables only supports ipset on a limited set of platforms
+    #ip6tables only supports ipset, addrtype, and mask on a limited set of platforms
     if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
       describe 'ipset' do
         it 'applies' do
@@ -1486,10 +1486,33 @@ class { '::firewall': }
           end
         end
       end
-    end
 
-    # ip6tables only support addrtype on a limited set of platforms
-    if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
+      describe 'mask' do
+        it 'applies' do
+          pp = <<-EOS
+            class { '::firewall': }
+            firewall { '613 - test':
+              recent => 'update',
+              rseconds => 60,
+              rsource => true,
+              rname => 'test',
+              action => 'drop',
+              chain => 'FORWARD',
+              mask => 'ffff::',
+              provider => 'ip6tables',
+            }
+          EOS
+
+          apply_manifest(pp, :catch_failures => true)
+        end
+
+        it 'should contain the rule' do
+          shell('ip6tables-save') do |r|
+            expect(r.stdout).to match(/-A FORWARD -p tcp -m comment --comment "613 - test" -m recent --update --seconds 60 --name test --mask ffff:: --rsource -j DROP/)
+          end
+        end
+      end
+
       ['dst_type', 'src_type'].each do |type|
         describe "#{type}" do
           context 'MULTICAST' do