Add security table for iptables.
authormatt.cover <matt.cover@highwinds.com>
Fri, 30 Oct 2015 18:32:45 +0000 (11:32 -0700)
committermatt.cover <matt.cover@highwinds.com>
Fri, 30 Oct 2015 18:32:45 +0000 (11:32 -0700)
lib/puppet/provider/firewallchain/iptables_chain.rb
lib/puppet/type/firewallchain.rb
spec/unit/puppet/provider/iptables_chain_spec.rb
spec/unit/puppet/type/firewallchain_spec.rb

index df166f645be36482e245a8695bf2c0fd736f2672..ec10ecc7e0f5cd460f9c47c09998ad8c2010d3f7 100644 (file)
@@ -38,7 +38,7 @@ Puppet::Type.type(:firewallchain).provide :iptables_chain do
     }
   }
   InternalChains = /^(PREROUTING|POSTROUTING|BROUTING|INPUT|FORWARD|OUTPUT)$/
-  Tables = 'nat|mangle|filter|raw|rawpost|broute'
+  Tables = 'nat|mangle|filter|raw|rawpost|broute|security'
   Nameformat = /^(.+):(#{Tables}):(IP(v[46])?|ethernet)$/
 
   def create
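Review bot: Adding `security` to the provider's `Tables` alternation only widens the provider-side `Nameformat`; the type's `validate` block in the second file matches against its own `Nameformat` (defined above that hunk, outside this diff), and if that regex carries a separate table list that still lacks `security`, every `*:security:*` title is rejected before the new `when 'security'` branch can run. Worth confirming the type's constant already includes it, or deriving both from one shared list so they cannot drift again. The `Tables` string is also the only place the accepted table names are spelled out on the provider side; a one-line comment such as `# Keep in sync with the table list and error message in lib/puppet/type/firewallchain.rb` would make the coupling visible to the next person adding a table.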
index cb2c61412b3c8e31feff97ea6c0114005604db23..9bdc20f403ec662ac872b78734d7067b44f0211b 100644 (file)
@@ -41,7 +41,7 @@ Puppet::Type.newtype(:firewallchain) do
 
     validate do |value|
       if value !~ Nameformat then
-        raise ArgumentError, "Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'"
+        raise ArgumentError, "Inbuilt chains must be in the form {chain}:{table}:{protocol} where {table} is one of FILTER, NAT, MANGLE, RAW, RAWPOST, BROUTE, SECURITY or empty (alias for filter), chain can be anything without colons or one of PREROUTING, POSTROUTING, BROUTING, INPUT, FORWARD, OUTPUT for the inbuilt chains, and {protocol} being IPv4, IPv6, ethernet (ethernet bridging) got '#{value}' table:'#{$1}' chain:'#{$2}' protocol:'#{$3}'"
       else
         chain = $1
         table = $2
@@ -73,6 +73,10 @@ Puppet::Type.newtype(:firewallchain) do
           if chain =~ /^PREROUTING|POSTROUTING|INPUT|FORWARD|OUTPUT$/
             raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'broute\''
           end
+        when 'security'
+          if chain =~ /^(PREROUTING|POSTROUTING|BROUTING)$/
+            raise ArgumentError, "INPUT, OUTPUT and FORWARD are the only inbuilt chains that can be used in table 'security'"
+          end
         end
         if chain == 'BROUTING' && ( protocol != 'ethernet' || table!='broute')
           raise ArgumentError,'BROUTING is the only inbuilt chain allowed on on table \'BROUTE\' with protocol \'ethernet\' i.e. \'broute:BROUTING:enternet\''
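Review bot: The new `when 'security'` branch restricts which inbuilt chains may be used but places no restriction on `protocol`, so a title like `INPUT:security:ethernet` is accepted even though the security table is a netfilter (iptables/ip6tables) table and ebtables has no equivalent; the `broute` case just above does enforce its protocol pairing. If that is meant to be rejected, a guard of the form `if protocol == 'ethernet'` / `raise ArgumentError, "table 'security' is only available with protocol IPv4 or IPv6"` inside the new `when` would do it, but note the firewallchain spec in the last file iterates `['IPv4', 'IPv6', 'ethernet']` for every table including the new `'security'` entry, so that spec would need adjusting at the same time (the same looseness already exists for `mangle`, `raw` and `rawpost`, so this may be a deliberate choice). Minor style: the neighbouring messages use single-quoted strings, and the `broute` regex at the top of the hunk is ungrouped (`/^PREROUTING|...|OUTPUT$/`) whereas the new one is correctly grouped — consistent grouping is the safer pattern if that line is touched again. The enclosing `validate` block starts and ends outside this hunk.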
index e2c0fd3d3bf7de6e21b6c468c2afc029f176afce..d8eade23692b9e54fc216381e6c71297c46a3e05 100755 (executable)
@@ -138,6 +138,9 @@ describe 'iptables chain resource parsing' do
      'NAT:mangle:IPv4',
      'NAT:mangle:IPv4',
      'NAT:mangle:IPv4',
+     'security:INPUT:IPv4',
+     'security:FORWARD:IPv4',
+     'security:OUTPUT:IPv4',
      ':$5()*&%\'"^$): :IPv4',
     ]
     allow(provider).to receive(:execute).with(['/sbin/iptables-save']).and_return('
@@ -184,6 +187,9 @@ COMMIT
       'mangle:OUTPUT:IPv6',
       'mangle:POSTROUTING:IPv6',
       'mangle:ff:IPv6',
+      'security:INPUT:IPv6',
+      'security:FORWARD:IPv6',
+      'security:OUTPUT:IPv6',
       ':INPUT:IPv6',
       ':FORWARD:IPv6',
       ':OUTPUT:IPv6',
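Review bot: The three new expected names in each list put the table first (`security:INPUT:IPv4`), which follows the IPv6 list's `mangle:OUTPUT:IPv6` style but not the provider's `Nameformat` (`chain:table:protocol`) from the first file; if these lists are compared against names produced by the provider, confirm which order the list actually encodes, since the neighbouring `NAT:mangle:IPv4` entries read the other way round. Neither hunk touches the mocked `iptables-save` / `ip6tables-save` text the lists are checked against, so unless that text already contains a `*security` section with `:INPUT`, `:FORWARD` and `:OUTPUT` chain lines, the parser will not produce the three new entries and the examples will fail. The enclosing examples start before and end after each hunk, so the mocked output itself is not visible here.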
index e627603982ee3878fbdfdd847a1fa6a9426b4784..0658d639a3bdbf76597cf6e5d423e156736830fd 100755 (executable)
@@ -30,7 +30,8 @@ describe firewallchain do
      'mangle' => [ 'PREROUTING', 'POSTROUTING', 'INPUT', 'FORWARD', 'OUTPUT' ],
      'filter' => ['INPUT','OUTPUT','FORWARD'],
      'raw' => [ 'PREROUTING', 'OUTPUT'],
-     'broute' => ['BROUTING']
+     'broute' => ['BROUTING'],
+     'security' => ['INPUT','OUTPUT','FORWARD']
     }.each_pair do |table, allowedinternalchains|
       ['IPv4', 'IPv6', 'ethernet'].each do |protocol|
         [ 'test', '$5()*&%\'"^$09):' ].each do |chainname|