(MODULES-1592) Allow src_type and dst_type prefixed with '! ' to pass validation

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index e851b7015b19f524e801ba9ce98848eb4ba55d14..7f5942920b3131d8a6fe72e3eb663feb1241b575 100644 (file)
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -322,8 +322,10 @@ Puppet::Type.newtype(:firewall) do
       * XRESOLVE - undocumented
     EOS
 
-    newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
-              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+    newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+      [address_type, "! #{address_type}".to_sym]
+    end.flatten)
   end
 
   newproperty(:src_type, :required_features => :address_type) do
@@ -348,8 +350,10 @@ Puppet::Type.newtype(:firewall) do
       * XRESOLVE - undocumented
     EOS
 
-    newvalues(:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
-              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE)
+    newvalues(*[:UNSPEC, :UNICAST, :LOCAL, :BROADCAST, :ANYCAST, :MULTICAST,
+              :BLACKHOLE, :UNREACHABLE, :PROHIBIT, :THROW, :NAT, :XRESOLVE].collect do |address_type|
+      [address_type, "! #{address_type}".to_sym]
+    end.flatten)
   end
 
   newproperty(:proto) do

diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 3509ef814f5bd25a713c35b359f6ce9c08176814..cc248324724e3af6d9748a400b25c205e8e977b1 100644 (file)
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -584,6 +584,30 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         end
       end
 
+      context '! MULTICAST' do
+        it 'applies' do
+          pp = <<-EOS
+            class { '::firewall': }
+            firewall { '563 - test inversion':
+              proto  => tcp,
+              action => accept,
+              #{type} => '! MULTICAST',
+            }
+          EOS
+
+          apply_manifest(pp, :catch_failures => true)
+          unless fact('selinux') == 'true'
+            apply_manifest(pp, :catch_changes => true)
+          end
+        end
+
+        it 'should contain the rule' do
+          shell('iptables-save') do |r|
+            expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "563 - test inversion" -j ACCEPT/)
+          end
+        end
+      end
+
       context 'BROKEN' do
         it 'fails' do
           pp = <<-EOS
@@ -1617,6 +1641,31 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             end
           end
 
+          context '! MULTICAST' do
+            it 'applies' do
+              pp = <<-EOS
+            class { '::firewall': }
+            firewall { '603 - test inversion':
+              proto    => tcp,
+              action   => accept,
+              #{type}  => '! MULTICAST',
+              provider => 'ip6tables',
+            }
+              EOS
+
+              apply_manifest(pp, :catch_failures => true)
+              unless fact('selinux') == 'true'
+                apply_manifest(pp, :catch_changes => true)
+              end
+            end
+
+            it 'should contain the rule' do
+              shell('ip6tables-save') do |r|
+                expect(r.stdout).to match(/-A INPUT -p tcp -m addrtype( !\s.*\sMULTICAST|\s.*\s! MULTICAST) -m comment --comment "603 - test inversion" -j ACCEPT/)
+              end
+            end
+          end
+
           context 'BROKEN' do
             it 'fails' do
               pp = <<-EOS