* `hop_limit`: Hop limiting value for matched packets. Values must match '/^\d+$/'. Requires the `hop_limiting` feature.
-* `icmp`: When matching ICMP packets, this indicates the type of ICMP packet to match. A value of 'any' is not supported. To match any type of ICMP packet, the parameter should be omitted or undefined. Requires the `icmp_match` feature.
+* `icmp`: When matching ICMP packets, this indicates the type of ICMP packet to match. A value of 'any' is not supported. To match any type of ICMP packet, the parameter should be omitted or undefined. Passing in an array of values is not supported. You can either create separate rules for each ICMP type, or alternatively look at the firewall_multi module (https://forge.puppetlabs.com/alexharvey/firewall_multi). Requires the `icmp_match` feature.
* `iniface`: Input interface to filter on. Values must match '/^!?\s?[a-zA-Z0-9\-\._\+\:]+$/'. Requires the `interface_match` feature. Supports interface alias (eth0:0) and negation.
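Review bot: The new `icmp` entry in the README points readers at firewall_multi, but the type description and the ArgumentError message added elsewhere in this patch only say to use separate rules, so a user who hits the error never sees the alternative. Either mention firewall_multi in all three places or leave it out of the README. The bare URL in parentheses would also read better as a Markdown link, matching the `[Providers](#providers)` link in the `provider` entry.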
* `provider`: The specific backend to use for this firewall resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform. Available providers are ip6tables and iptables. See the [Providers](#providers) section above for details about these providers.
-* `queue_bypass`: When using a `jump` value of 'NFQUEUE' this boolean will allow packets to bypass `queue_num`. This is useful when the process in userspace may not be listening on `queue_num` all the time.
+* `queue_bypass`: When using a `jump` value of 'NFQUEUE' this boolean will allow packets to bypass `queue_num`. This is useful when the process in userspace may not be listening on `queue_num` all the time.
* `queue_num`: When using a `jump` value of 'NFQUEUE' this parameter specifies the queue number to send packets to.
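Review bot: The removed and added `queue_bypass` lines read identically, so this looks like a whitespace-only change riding along with the ICMP fix. Suggest dropping it from this patch or moving it to a separate cleanup commit so the history of the `icmp` validation stays focused.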
A value of "any" is not supported. To achieve this behaviour the
parameter should simply be omitted or undefined.
+ An array of values is also not supported. To match against multiple ICMP
+ types, please use separate rules for each ICMP type.
EOS
validate do |value|
"Value 'any' is not valid. This behaviour should be achieved " \
"by omitting or undefining the ICMP parameter."
end
+ if value.kind_of?(Array)
+ raise ArgumentError,
+ "Argument must not be an array of values. To match multiple " \
+ "ICMP types, please use separate rules for each ICMP type."
+ end
end
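Review bot: The `value.kind_of?(Array)` branch in `validate` is only reachable if the block is handed the whole array. If validation is applied to each element in turn, this check never fires and a value such as `['0', '8']` passes straight through to `munge`. Please confirm which of the two happens for this property and say so in a comment above the check.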
munge do |value|
self.fail("cannot work out icmp type")
end
value
+
end
end
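Review bot: The only change in the `munge` block is a blank line added between `value` and the closing `end`. It has no effect on behaviour and should be removed from the patch.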
it 'should fail if icmp type is "any"' do
expect(lambda { @resource[:icmp] = 'any' }).to raise_error(Puppet::Error)
end
+ it 'should fail if icmp type is an array' do
+ expect(lambda { @resource[:icmp] = ['0', '8'] }).to raise_error(Puppet::Error)
+ end
it 'should fail if icmp type cannot be mapped to a numeric' do
expect(lambda { @resource[:icmp] = 'foo' }).to raise_error(Puppet::Error)
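Review bot: The new example 'should fail if icmp type is an array' asserts only `raise_error(Puppet::Error)`, the same expectation used for the 'any' and 'foo' cases, so it passes for any failure, including `cannot work out icmp type` from `munge`, and does not show that the array check is what rejected the value. Suggest matching on the message as well, for example `raise_error(Puppet::Error, /must not be an array/)`.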