From 6b2371b2f1bc11a311ef648fff886a1e2302810f Mon Sep 17 00:00:00 2001
From: Morgan Haskel
Date: Mon, 29 Dec 2014 16:15:25 -0800
Subject: [PATCH] MODULES-1612 - sync src_type and dst_type
Add addrtype feature to ip6tables provider, which allows src_type and dst_type to be used.
---
 lib/puppet/provider/firewall/ip6tables.rb | 7 +-
 spec/acceptance/firewall_spec.rb | 92 ++++++++++++++++++-----
 2 files changed, 80 insertions(+), 19 deletions(-)
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index afc5171d1..af4347fad 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -21,6 +21,7 @@
 has_feature :ishasmorefrags
 has_feature :islastfrag
 has_feature :isfirstfrag
+ has_feature :address_type
 has_feature :iprange
 optional_commands({
@@ -57,6 +58,7 @@ def self.iptables_save(*args)
 :destination => "-d",
 :dport => ["-m multiport --dports", "--dport"],
 :dst_range => '-m iprange --dst-range',
+ :dst_type => "-m addrtype --dst-type",
 :gid => "-m owner --gid-owner",
 :hop_limit => "-m hl --hl-eq",
 :icmp => "-m icmp6 --icmpv6-type",
@@ -85,6 +87,7 @@ def self.iptables_save(*args)
 :source => "-s",
 :sport => ["-m multiport --sports", "--sport"],
 :src_range => '-m iprange --src-range',
+ :src_type => "-m addrtype --src-type",
 :stat_every => '--every',
 :stat_mode => "-m statistic --mode",
 :stat_packet => '--packet',
@@ -138,8 +141,8 @@ def self.iptables_save(*args)
 # not provided with current parser [georg.koester])
 @resource_list = [:table, :source, :destination, :iniface, :outiface, :proto,
 :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
- :tcp_flags, :gid, :uid, :sport, :dport,
- :port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
+ :tcp_flags, :gid, :uid, :sport, :dport, :port, :dst_type, :src_type,
+ :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
 :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
 :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject,
 :connlimit_above, :connlimit_mask, :connmark]
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 5842b91ae..cf44087c4 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -1123,11 +1123,11 @@ class { '::firewall': }
 pp = <<-EOS
 class { '::firewall': }
 firewall { '601 - test':
- proto => tcp,
- port => '601',
- action => accept,
+ proto => tcp,
+ port => '601',
+ action => accept,
 src_range => '2001:db8::1-2001:db8::ff',
- provider => 'ip6tables',
+ provider => 'ip6tables',
 }
 EOS
@@ -1150,9 +1150,10 @@ class { '::firewall': }
 pp = <<-EOS
 class { '::firewall': }
 firewall { '601 - test':
- proto => tcp,
- port => '601',
- action => accept,
+ proto => tcp,
+ port => '601',
+ action => accept,
+ provider => 'ip6tables',
 src_range => '2001::db8::1-2001:db8::ff',
 }
 EOS
@@ -1163,7 +1164,7 @@ class { '::firewall': }
 end
 it 'should not contain the rule' do
- shell('iptables-save') do |r|
+ shell('ip6tables-save') do |r|
 expect(r.stdout).to_not match(/-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - test" -j ACCEPT/)
 end
 end
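Review bot: The slot chosen for :dst_type and :src_type in @resource_list (after :port, before :pkttype) carries no explanation, and the comment fragment surviving above the list ("not provided with current parser") suggests the list tracks the order in which ip6tables-save prints matches; if so, a misplaced entry would not fail a run but would be re-applied as a spurious change on every run, which is the idempotency check the new acceptance test skips on SELinux hosts. A comment on the changed line such as `# :dst_type/:src_type sit where ip6tables-save prints -m addrtype (presumably the same slot as the iptables provider this change syncs with)` would make the constraint visible to the next person who reorders the list. The assignment belongs to the provider body, which begins and ends outside this hunk.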
@@ -1176,11 +1177,11 @@ class { '::firewall': }
 pp = <<-EOS
 class { '::firewall': }
 firewall { '602 - test':
- proto => tcp,
- port => '602',
- action => accept,
+ proto => tcp,
+ port => '602',
+ action => accept,
 dst_range => '2001:db8::1-2001:db8::ff',
- provider => 'ip6tables',
+ provider => 'ip6tables',
 }
 EOS
@@ -1203,9 +1204,10 @@ class { '::firewall': }
 pp = <<-EOS
 class { '::firewall': }
 firewall { '602 - test':
- proto => tcp,
- port => '602',
- action => accept,
+ proto => tcp,
+ port => '602',
+ action => accept,
+ provider => 'ip6tables',
 dst_range => '2001::db8::1-2001:db8::ff',
 }
 EOS
@@ -1216,13 +1218,69 @@ class { '::firewall': }
 end
 it 'should not contain the rule' do
- shell('iptables-save') do |r|
+ shell('ip6tables-save') do |r|
 expect(r.stdout).to_not match(/-A INPUT -p tcp -m iprange --dst-range 2001::db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - test" -j ACCEPT/)
 end
 end
 end
 end
+ # ip6tables on el5 and el6 doesn't support addrtype
+ if default['platform'] !~ /el-[5-6]/
+ ['dst_type', 'src_type'].each do |type|
+ describe "#{type}" do
+ context 'MULTICAST' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '603 - test':
+ proto => tcp,
+ action => accept,
+ #{type} => 'MULTICAST',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ unless fact('selinux') == 'true'
+ apply_manifest(pp, :catch_changes => true)
+ end
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT/)
+ end
+ end
+ end
+
+ context 'BROKEN' do
+ it 'fails' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '603 - test':
+ proto => tcp,
+ action => accept,
+ #{type} => 'BROKEN',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :expect_failures => true) do |r|
+ expect(r.stderr).to match(/Invalid value "BROKEN"./)
+ end
+ end
+
+ it 'should not contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to_not match(/-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT/)
+ end
+ end
+ end
+ end
+ end
+ end
 end
 describe 'limit' do
@@ -1842,7 +1900,7 @@ class { '::firewall': }
 expect(r.stdout).to match(/-A POSTROUTING -d 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j NETMAP --to 192.168.1.1/)
 end
 end
- end
+ end
 end
 end
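Review bot: The positive check in the new MULTICAST context, `expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype\s.*\sMULTICAST ... -j ACCEPT/)`, never looks at which addrtype option was rendered, so it passes identically for dst_type and src_type and would not notice the two resource_map entries being swapped, which is precisely the mapping this commit introduces. Interpolating the option under test, `/-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} MULTICAST -m comment --comment "603 - test" -j ACCEPT/`, pins it (assuming ip6tables-save prints the option in the same form the provider passes; the BROKEN negative check can use the same form). Two smaller points: `/Invalid value "BROKEN"./` has an unescaped trailing `.` that matches any character, and `describe "#{type}" do` over `['dst_type', 'src_type']` reads more naturally as `describe type do` over `%w[dst_type src_type]`. The describe block enclosing these contexts starts before this hunk.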