confine :kernel => :linux
+ ip6tables_version = Facter.fact('iptables_version').value
+ if (ip6tables_version and Puppet::Util::Package.versioncmp(ip6tables_version, '1.4.1') < 0)
+ mark_flag = '--set-mark'
+ else
+ mark_flag = '--set-xmark'
+ end
+
+
def initialize(*args)
if Facter.fact('ip6tables_version').value.match /1\.3\.\d/
raise ArgumentError, 'The ip6tables provider is not supported on version 1.3 of iptables'
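Review bot: The local on the first added line is named `ip6tables_version` but is read from the `iptables_version` fact, while the `initialize` guard just below it reads `ip6tables_version`. The choice between `--set-mark` and `--set-xmark` should come from the same fact: `ip6tables_version = Facter.fact('ip6tables_version').value`. The two binaries normally ship together, so the values will usually agree, but if they ever differ the provider could emit a flag that the installed ip6tables does not accept, and the MARK rule would then fail to load. The condition would also read more conventionally with `&&` instead of `and`, and a one-line comment above it saying why 1.4.1 is the cut-off would help the next reader. The provider body and `initialize` continue outside the hunk.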
:rseconds => "--seconds",
:rsource => "--rsource",
:rttl => "--rttl",
+ :set_mark => mark_flag,
:socket => "-m socket",
:source => "-s",
:sport => ["-m multiport --sports", "--sport"],
:src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state,
:ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
- :toports, :log_level, :log_prefix, :reject, :connlimit_above,
+ :toports, :log_level, :log_prefix, :reject, :set_mark, :connlimit_above,
:connlimit_mask, :connmark]
end
end
end
+ describe 'set_mark' do
+ context '0x3e8/0xffffffff' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '611 - test':
+ ensure => present,
+ chain => 'OUTPUT',
+ proto => tcp,
+ port => '611',
+ jump => 'MARK',
+ table => 'mangle',
+ set_mark => '0x3e8/0xffffffff',
+ provider => 'ip6tables',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('ip6tables-save -t mangle') do |r|
+ expect(r.stdout).to match(/-A OUTPUT -p tcp -m multiport --ports 611 -m comment --comment "611 - test" -j MARK --set-xmark 0x3e8\/0xffffffff/)
+ end
+ end
+ end
+ end
+
# ip6tables only support addrtype on a limited set of platforms
if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/
['dst_type', 'src_type'].each do |type|
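Review bot: The expectation in 'should contain the rule' is pinned to `--set-xmark`, but the provider in this commit selects `--set-mark` when the detected version is below 1.4.1, and nothing in the visible lines restricts which platforms this example runs on. On such a host the match would presumably fail, so the example needs either a platform guard or a pattern that accepts both flags. The manifest is also applied only once, so the test does not show that the saved rule is read back into `set_mark` without a pending change on the next run. Adding `apply_manifest(pp, :catch_changes => true)` after the first apply in the 'applies' example would cover that. The enclosing describe block starts and ends outside the hunk.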