Merge pull request #464 from mhaskel/MODULES-1612

MODULES-1612 - sync set_mark
xbezdick · Jan 7, 2015 · 741687e · 741687e
2 parents 4b1c215 + d49c7b1
commit 741687e
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 1 deletion.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -34,6 +34,14 @@
 
   confine :kernel => :linux
 
+  ip6tables_version = Facter.fact('iptables_version').value
+  if (ip6tables_version and Puppet::Util::Package.versioncmp(ip6tables_version, '1.4.1') < 0)
+    mark_flag = '--set-mark'
+  else
+    mark_flag = '--set-xmark'
+  end
+
+
   def initialize(*args)
     if Facter.fact('ip6tables_version').value.match /1\.3\.\d/
       raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables'
@@ -90,6 +98,7 @@ def self.iptables_save(*args)
     :rseconds         => "--seconds",
     :rsource          => "--rsource",
     :rttl             => "--rttl",
+    :set_mark         => mark_flag,
     :socket           => "-m socket",
     :source           => "-s",
     :sport            => ["-m multiport --sports", "--sport"],
@@ -161,7 +170,7 @@ def self.iptables_save(*args)
     :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
     :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
     :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
-    :toports, :log_level, :log_prefix, :reject, :connlimit_above,
+    :toports, :log_level, :log_prefix, :reject, :set_mark, :connlimit_above,
     :connlimit_mask, :connmark]
 
 end
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
@@ -1421,6 +1421,34 @@ class { '::firewall': }
       end
     end
 
+    describe 'set_mark' do
+      context '0x3e8/0xffffffff' do
+        it 'applies' do
+          pp = <<-EOS
+            class { '::firewall': }
+            firewall { '611 - test':
+              ensure => present,
+              chain => 'OUTPUT',
+              proto => tcp,
+              port   => '611',
+              jump => 'MARK',
+              table => 'mangle',
+              set_mark => '0x3e8/0xffffffff',
+              provider => 'ip6tables',
+            }
+          EOS
+
+          apply_manifest(pp, :catch_failures => true)
+        end
+
+        it 'should contain the rule' do
+          shell('ip6tables-save -t mangle') do |r|
+            expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 611 -m comment --comment "611 - test" -j MARK --set-xmark 0x3e8\/0xffffffff/)
+          end
+        end
+      end
+    end
+
     # ip6tables only support addrtype on a limited set of platforms
     if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
       ['dst_type', 'src_type'].each do |type|