desc <<-PUPPETCODE
Match the Netfilter mark value associated with the packet. Accepts either of:
mark/mask or mark. These will be converted to hex if they are not already.
+
+ match_mark => '0x02'
+
+ You can also negate a value by putting ! in front. For example:
+
+ match_mark => '! 0x02'
PUPPETCODE
munge do |value|
- mark_regex = %r{\A((?:0x)?[0-9A-F]+)(/)?((?:0x)?[0-9A-F]+)?\z}i
+ mark_regex = %r{\A(!\s)?((?:0x)?[0-9A-F]+)(/)?((?:0x)?[0-9A-F]+)?\z}i
match = value.to_s.match(mark_regex)
if match.nil?
raise ArgumentError, 'Match MARK value must be integer or hex between 0 and 0xffffffff'
end
- mark = @resource.to_hex32(match[1])
+ mark = @resource.to_hex32(match[2])
# Values that can't be converted to hex.
# Or contain a trailing slash with no mask.
- if mark.nil? || (mark && match[2] && match[3].nil?)
+ if mark.nil? || (mark && match[3] && match[4].nil?)
raise ArgumentError, 'Match MARK value must be integer or hex between 0 and 0xffffffff'
end
# There should not be a mask on match_mark
- unless match[3].nil?
+ unless match[4].nil?
raise ArgumentError, 'iptables does not support masks on MARK match rules'
end
- value = mark
- value
+ match[1] ? "! #{mark}" : mark
end
end
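Review bot: The new negation group `(!\s)?` on the `mark_regex` line accepts exactly one whitespace character after the `!`, so `'!0x02'` and `'!  0x02'` are both rejected, and they fail with the unrelated message "Match MARK value must be integer or hex between 0 and 0xffffffff" even though the doc text only says to put `!` in front. Since the result is re-emitted in the canonical `"! #{mark}"` form anyway, the separator can be made optional without changing the output: `mark_regex = %r{\A(!\s*)?((?:0x)?[0-9A-F]+)(/)?((?:0x)?[0-9A-F]+)?\z}i`. Keep the `\A`/`\z` anchors as they are: they are what stops a manifest value from smuggling extra tokens into the iptables argument list the provider builds from this string. It would also help to update the doc heredoc to state that the form is normalised, e.g. `'! 0x02' (the space after ! is optional; the value is stored as "! <hex>")`, and to mention the `!` form in the ArgumentError message so a typo in the prefix is diagnosable.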
expect(r.stdout).to match(%r{-A INPUT -m mark --mark 0x1 -m comment --comment "503 match_mark - test" -j REJECT --reject-with icmp-port-unreachable})
end
end
+
+ context 'when ! 0x1' do
+ pp1 = <<-PUPPETCODE
+ class { '::firewall': }
+ firewall { '504 match_mark - negate test':
+ proto => 'all',
+ match_mark => '! 0x1',
+ action => reject,
+ }
+ PUPPETCODE
+ it 'applies' do
+ apply_manifest(pp1, catch_failures: true)
+ end
+
+ it 'contains the rule' do
+ run_shell('iptables-save') do |r|
+ expect(r.stdout).to match(%r{-A INPUT -m mark --mark ! 0x1 -m comment --comment "504 match_mark - negate test" -j REJECT --reject-with icmp-port-unreachable})
+ end
+ end
end
end
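Review bot: The expectation on the `'contains the rule'` line of the new `when ! 0x1` context matches `-m mark --mark ! 0x1`, but iptables-save prints a negated match with the bang before the option, as `-m mark ! --mark 0x1`; if the provider hoists the leading `! ` out of the munged value into that position (as the other negatable `match_*` properties appear to rely on), this spec will fail against a correctly applied rule rather than catch a bug. I would change the regex to `%r{-A INPUT -m mark ! --mark 0x1 -m comment --comment "504 match_mark - negate test" -j REJECT --reject-with icmp-port-unreachable}`, or confirm the emitted form on a live host before merging. It is also worth asserting idempotency here (a second `apply_manifest(pp1, catch_changes: true)`), since a mismatch between the munged `"! 0x1"` and what the provider parses back from iptables-save would otherwise surface only as a perpetual change in production.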