diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index af4347fad..6b5d8f963 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -71,6 +71,7 @@ def self.iptables_save(*args)
 :log_level => "--log-level",
 :log_prefix => "--log-prefix",
 :name => "-m comment --comment",
+ :mac_source => ["-m mac --mac-source", "--mac-source"],
 :outiface => "-o",
 :pkttype => "-m pkttype --pkt-type",
 :port => '-m multiport --ports',
@@ -141,10 +142,10 @@ def self.iptables_save(*args)
 # not provided with current parser [georg.koester])
 @resource_list = [:table, :source, :destination, :iniface, :outiface, :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
- :tcp_flags, :gid, :uid, :sport, :dport, :port, :dst_type, :src_type,
- :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
- :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
- :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject,
- :connlimit_above, :connlimit_mask, :connmark]
+ :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type,
+ :src_type, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit,
+ :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource,
+ :rdest, :jump, :todest, :tosource, :toports, :log_level, :log_prefix,
+ :reject, :connlimit_above, :connlimit_mask, :connmark]
 end
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 36782b2bc..cf9200284 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
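Review bot: The new `:mac_source => ["-m mac --mac-source", "--mac-source"]` entry in the first hunk of ip6tables.rb is added without any comment on where the match is usable or what it proves. The iptables `mac` match is only valid for packets entering the PREROUTING, FORWARD or INPUT chains, and a source MAC can be set freely by any host on the same link, so a rule keyed on it narrows exposure but does not authenticate the sender. I would add a comment above the entry, e.g. `# mac match: PREROUTING/FORWARD/INPUT only; source MAC is spoofable on-link, pair with source/iniface`. Whether the type validates the value's format or rejects other chains is not visible in this hunk, and the map itself starts and ends outside it.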
@@ -1225,6 +1225,31 @@ class { '::firewall': }
 end
 end
+ describe 'mac_source' do
+ context '0A:1B:3C:4D:5E:6F' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '604 - test':
+ ensure => present,
+ source => '2001:db8::1/128',
+ mac_source => '0A:1B:3C:4D:5E:6F',
+ chain => 'INPUT',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -s 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "604 - test"/)
+ end
+ end
+ end
+ end
+
 # ip6tables only support addrtype on a limited set of platforms
 if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
 ['dst_type', 'src_type'].each do |type|
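Review bot: The `mac_source` spec applies the manifest once with `:catch_failures => true` and then matches `ip6tables-save` output, so it never checks that a second run is a no-op. That leaves the read-back path untested, which is presumably what the bare `--mac-source` second flag in the provider map is for, and a parse mismatch there would show up as the firewall rule being rewritten on every agent run. Adding `apply_manifest(pp, :catch_changes => true)` after the first apply would cover it. Only an upper-case address is exercised; a lower-case value would converge only if it is normalised somewhere not shown here.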