Merge pull request #451 from mhaskel/MODULES-1355

MODUELES-1355 - support dport/sport in ip6tables provider
xbezdick · Dec 29, 2014 · 9ac6fe0 · 9ac6fe0
2 parents ec1a2f0 + 0a3dc29
commit 9ac6fe0
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
@@ -54,7 +54,7 @@ def self.iptables_save(*args)
     :connmark         => "-m connmark --mark",
     :ctstate          => "-m conntrack --ctstate",
     :destination      => "-d",
-    :dport            => "-m multiport --dports",
+    :dport            => ["-m multiport --dports", "--dport"],
     :gid              => "-m owner --gid-owner",
     :hop_limit        => "-m hl --hl-eq",
     :icmp             => "-m icmp6 --icmpv6-type",
@@ -81,7 +81,7 @@ def self.iptables_save(*args)
     :rsource          => "--rsource",
     :rttl             => "--rttl",
     :source           => "-s",
-    :sport            => "-m multiport --sports",
+    :sport            => ["-m multiport --sports", "--sport"],
     :stat_every       => '--every',
     :stat_mode        => "-m statistic --mode",
     :stat_packet      => '--packet',

diff --git a/spec/acceptance/resource_cmd_spec.rb b/spec/acceptance/resource_cmd_spec.rb
@@ -126,4 +126,22 @@
       end
     end
   end
+
+  # version of iptables that ships with el5 doesn't work with the
+  # ip6tables provider
+  if default['platform'] !~ /el-5/
+    context 'dport/sport with ip6tables' do
+      before :all do
+        ip6tables_flush_all_tables
+        shell('ip6tables -A INPUT -d fe80::/64 -p udp -m udp --dport 546 --sport 547 -j ACCEPT')
+      end
+      it do
+        shell('puppet resource firewall \'000-foobar\' provider=ip6tables') do |r|
+          r.exit_code.should be_zero
+          # don't check stdout, testing preexisting rules, output is normal
+          r.stderr.should be_empty
+        end
+      end
+    end
+  end
 end
diff --git a/spec/fixtures/ip6tables/conversion_hash.rb b/spec/fixtures/ip6tables/conversion_hash.rb
@@ -24,6 +24,16 @@
       :destination => '2001:db8:4321::/48',
     },
   },
+  'udp_source_port_and_destination_port' => {
+    :line => '-A ufw6-before-input -s fe80::/10 -d fe80::/10 -p udp -m udp --sport 547 --dport 546 -j ACCEPT',
+    :table => 'filter',
+    :provider => 'ip6tables',
+    :params => {
+      :proto => 'udp',
+      :sport => ['547'],
+      :dport => ['546'],
+    },
+  }
 }
 
 # This hash is for testing converting a hash to an argument line.