has_feature :ishasmorefrags
has_feature :islastfrag
has_feature :isfirstfrag
+ has_feature :address_type
has_feature :iprange
optional_commands({
:destination => "-d",
:dport => ["-m multiport --dports", "--dport"],
:dst_range => '-m iprange --dst-range',
+ :dst_type => "-m addrtype --dst-type",
:gid => "-m owner --gid-owner",
:hop_limit => "-m hl --hl-eq",
:icmp => "-m icmp6 --icmpv6-type",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
:src_range => '-m iprange --src-range',
+ :src_type => "-m addrtype --src-type",
:stat_every => '--every',
:stat_mode => "-m statistic --mode",
:stat_packet => '--packet',
# not provided with current parser [georg.koester])
@resource_list = [:table, :source, :destination, :iniface, :outiface,
:proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range,
- :tcp_flags, :gid, :uid, :sport, :dport,
- :port, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
+ :tcp_flags, :gid, :uid, :sport, :dport, :port, :dst_type, :src_type,
+ :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, :limit, :burst,
:recent, :rseconds, :reap, :rhitcount, :rttl, :rname, :rsource, :rdest,
:jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject,
:connlimit_above, :connlimit_mask, :connmark]
pp = <<-EOS
class { '::firewall': }
firewall { '601 - test':
- proto => tcp,
- port => '601',
- action => accept,
+ proto => tcp,
+ port => '601',
+ action => accept,
src_range => '2001:db8::1-2001:db8::ff',
- provider => 'ip6tables',
+ provider => 'ip6tables',
}
EOS
pp = <<-EOS
class { '::firewall': }
firewall { '601 - test':
- proto => tcp,
- port => '601',
- action => accept,
+ proto => tcp,
+ port => '601',
+ action => accept,
+ provider => 'ip6tables',
src_range => '2001::db8::1-2001:db8::ff',
}
EOS
end
it 'should not contain the rule' do
- shell('iptables-save') do |r|
+ shell('ip6tables-save') do |r|
expect(r.stdout).to_not match(/-A INPUT -p tcp -m iprange --src-range 2001::db8::1-2001:db8::ff -m multiport --ports 601 -m comment --comment "601 - test" -j ACCEPT/)
end
end
pp = <<-EOS
class { '::firewall': }
firewall { '602 - test':
- proto => tcp,
- port => '602',
- action => accept,
+ proto => tcp,
+ port => '602',
+ action => accept,
dst_range => '2001:db8::1-2001:db8::ff',
- provider => 'ip6tables',
+ provider => 'ip6tables',
}
EOS
pp = <<-EOS
class { '::firewall': }
firewall { '602 - test':
- proto => tcp,
- port => '602',
- action => accept,
+ proto => tcp,
+ port => '602',
+ action => accept,
+ provider => 'ip6tables',
dst_range => '2001::db8::1-2001:db8::ff',
}
EOS
end
it 'should not contain the rule' do
- shell('iptables-save') do |r|
+ shell('ip6tables-save') do |r|
expect(r.stdout).to_not match(/-A INPUT -p tcp -m iprange --dst-range 2001::db8::1-2001:db8::ff -m multiport --ports 602 -m comment --comment "602 - test" -j ACCEPT/)
end
end
end
end
+ # ip6tables on el5 and el6 doesn't support addrtype
+ if default['platform'] !~ /el-[5-6]/
+ ['dst_type', 'src_type'].each do |type|
+ describe "#{type}" do
+ context 'MULTICAST' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '603 - test':
+ proto => tcp,
+ action => accept,
+ #{type} => 'MULTICAST',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ unless fact('selinux') == 'true'
+ apply_manifest(pp, :catch_changes => true)
+ end
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT/)
+ end
+ end
+ end
+
+ context 'BROKEN' do
+ it 'fails' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '603 - test':
+ proto => tcp,
+ action => accept,
+ #{type} => 'BROKEN',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :expect_failures => true) do |r|
+ expect(r.stderr).to match(/Invalid value "BROKEN"./)
+ end
+ end
+
+ it 'should not contain the rule' do
+ shell('ip6tables-save') do |r|
+ expect(r.stdout).to_not match(/-A INPUT -p tcp -m addrtype\s.*\sBROKEN -m comment --comment "603 - test" -j ACCEPT/)
+ end
+ end
+ end
+ end
+ end
+ end
+
end
describe 'limit' do
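Review bot: The positive assertion in the MULTICAST context, `expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype\s.*\sMULTICAST -m comment --comment "603 - test" -j ACCEPT/)`, never checks which addrtype flag was emitted, so the `dst_type` iteration would still pass if the provider rendered `--src-type` (or vice versa); since optional_commands maps the two properties to `--dst-type` and `--src-type`, the expectation can be pinned per iteration with `expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype --#{type.tr('_', '-')} MULTICAST -m comment --comment "603 - test" -j ACCEPT/)`. The same `\s.*\s` wildcard appears in the BROKEN context's negative match, where it is harmless but can be tightened the same way for consistency. In the BROKEN context the unescaped dot in `/Invalid value "BROKEN"./` matches any character rather than the literal period; `/Invalid value "BROKEN"\./` appears to be what the message check intends. Both contexts reuse the resource title '603 - test', so the BROKEN negative assertion runs against whatever the preceding MULTICAST apply left in place, which is fine as written but worth a one-line comment so a future reorder of the contexts does not silently weaken it. The describe block that this `if default['platform']` guard sits in begins outside the hunk.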
expect(r.stdout).to match(/-A POSTROUTING -d 200.200.200.200(\/32)? -p tcp -m comment --comment "569 - test" -j NETMAP --to 192.168.1.1/)
end
end
- end
+ end
end
end