Add support for single --sport and --dport parsing

Previously if someone already had a rule with a single --sport or --dport we
would fail the parse. This now accepts parsing in the single variant, while
still supporting the multiport variant.

Signed-off-by: Ken Barber <ken@bob.sh>

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 024359170bb4b3cee6784d709ed63aa0da0f0eb6..512c8f1e36cd1258467d2a3cda610e0527638498 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -39,7 +39,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
   @resource_map = {
     :burst => "--limit-burst",
     :destination => "-d",
-    :dport => "-m multiport --dports",
+    :dport => ["-m multiport --dports", "-m (udp|tcp) --dport"],
     :gid => "-m owner --gid-owner",
     :icmp => "-m icmp --icmp-type",
     :iniface => "-i",
@@ -55,7 +55,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
     :set_mark => mark_flag,
     :socket => "-m socket",
     :source => "-s",
-    :sport => "-m multiport --sports",
+    :sport => ["-m multiport --sports", "-m (udp|tcp) --sport"],
     :state => "-m state --state",
     :table => "-t",
     :tcp_flags => "-m tcp --tcp-flags",
@@ -153,8 +153,12 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
     # Here we iterate across our values to generate an array of keys
     @resource_list.reverse.each do |k|
-      if values.slice!(/\s#{@resource_map[k]}/)
-        keys << k
+      resource_map_key = @resource_map[k]
+      resource_map_key.each do |opt|
+        if values.slice!(/\s#{opt}/)
+          keys << k
+          break
+        end
       end
     end
 
@@ -301,7 +305,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
         next
       end
 
-      args << resource_map[res].split(' ')
+      args << resource_map[res].first.split(' ')
 
       # For sport and dport, convert hyphens to colons since the type
       # expects hyphens for ranges of ports.

diff --git a/lib/puppet/util/ipcidr.rb b/lib/puppet/util/ipcidr.rb
index 674bf18fda7e673e40e2796336efcfa5f0bce47b..87e8d5e37209a7f992e0688d3c4561e640c2cd18 100644 (file)
--- a/lib/puppet/util/ipcidr.rb
+++ b/lib/puppet/util/ipcidr.rb
@@ -4,6 +4,17 @@ require 'ipaddr'
 module Puppet
   module Util
     class IPCidr < IPAddr
+      def initialize(ipaddr)
+        begin
+          super(ipaddr)
+        rescue ArgumentError => e
+          if e.message =~ /invalid address/
+            raise ArgumentError, "Invalid address from IPAddr.new: #{ipaddr}"
+          else
+            raise e
+          end
+        end
+      end
 
       def netmask
         _to_string(@mask_addr)

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 294e4a12f1c01943763d3476defdb46ce05881ff..e12e482869e06cae5fae02bb4861127646b9525b 100644 (file)
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -298,6 +298,50 @@ ARGS_TO_HASH = {
       :socket => true,
     },
   },
+  'single_tcp_sport' => {
+    :line => '-A OUTPUT -s 10.94.100.46/32 -p tcp -m tcp --sport 20443 -j ACCEPT',
+    :table => 'mangle',
+    :params => {
+      :action => 'accept',
+      :chain => 'OUTPUT',
+      :source => "10.94.100.46/32",
+      :proto => "tcp",
+      :sport => ["20443"],
+    },
+  },
+  'single_udp_sport' => {
+    :line => '-A OUTPUT -s 10.94.100.46/32 -p udp -m udp --sport 20443 -j ACCEPT',
+    :table => 'mangle',
+    :params => {
+      :action => 'accept',
+      :chain => 'OUTPUT',
+      :source => "10.94.100.46/32",
+      :proto => "udp",
+      :sport => ["20443"],
+    },
+  },
+  'single_tcp_dport' => {
+    :line => '-A OUTPUT -s 10.94.100.46/32 -p tcp -m tcp --dport 20443 -j ACCEPT',
+    :table => 'mangle',
+    :params => {
+      :action => 'accept',
+      :chain => 'OUTPUT',
+      :source => "10.94.100.46/32",
+      :proto => "tcp",
+      :dport => ["20443"],
+    },
+  },
+  'single_udp_dport' => {
+    :line => '-A OUTPUT -s 10.94.100.46/32 -p udp -m udp --dport 20443 -j ACCEPT',
+    :table => 'mangle',
+    :params => {
+      :action => 'accept',
+      :chain => 'OUTPUT',
+      :source => "10.94.100.46/32",
+      :proto => "udp",
+      :dport => ["20443"],
+    },
+  },
 }
 
 # This hash is for testing converting a hash to an argument line.