From: Kjetil Torgrim Homme Date: Wed, 1 Dec 2021 20:53:26 +0000 (+0100) Subject: fix service port number lookup to use protocol X-Git-Tag: v4.0.0~12^2~1 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=1f5f6523cdb1bc0b133237ce49403e42c6ab60cb;p=puppet-modules%2Fpuppetlabs-firewall.git fix service port number lookup to use protocol The existing code passes `:proto`, which `string_to_port` casts to a string, gets "proto", compares that to the possibilities "udp" or "tcp", and when neither, falls back to using "tcp". This patch passes the actual proto value to the function, in case there is a UDP specific service in your /etc/services (uncommon, but it happens). It looks like Puppet will evaluate the properties in declared order, so I had to move `newproperty(:proto)` up so `@resource[:proto]` was available in the code for `sport`, `dport` and `port`. --- diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index 6509c1c..d19c3d4 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -382,6 +382,17 @@ Puppet::Type.newtype(:firewall) do end end + newproperty(:proto) do + desc <<-PUPPETCODE + The specific protocol to match for this rule. + PUPPETCODE + + newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :carp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| + [proto, "! #{proto}".to_sym] + }.flatten) + defaultto 'tcp' + end + newproperty(:sport, array_matching: :all) do desc <<-PUPPETCODE The source port to match for this filter (if the protocol supports @@ -399,7 +410,7 @@ Puppet::Type.newtype(:firewall) do PUPPETCODE munge do |value| - @resource.string_to_port(value, :proto) + @resource.string_to_port(value, @resource[:proto]) end def to_s?(value) @@ -429,7 +440,7 @@ Puppet::Type.newtype(:firewall) do PUPPETCODE munge do |value| - @resource.string_to_port(value, :proto) + @resource.string_to_port(value, @resource[:proto]) end def to_s?(value) 
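Review bot: The relocated `newproperty(:proto)` block has no comment saying that its position is now load-bearing: the `munge` blocks of `sport`, `dport` and `port` read `@resource[:proto]`, and the commit message only says it "looks like" Puppet evaluates properties in declared order. A later reordering of this file would quietly return service-name lookups to the tcp fallback, which on a firewall rule could mean matching a different port than the manifest author meant. I would add above the block `# Must stay above :sport, :dport and :port: their munge blocks read @resource[:proto].` and cover the ordering with a spec that resolves a udp-only service name. The enclosing `Puppet::Type.newtype(:firewall)` block starts and ends outside the hunk.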
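Review bot: `@resource[:proto]` in the `sport` munge is not limited to `tcp` or `udp`: the `newvalues` list for `proto` also admits negated forms such as `"! udp"` and protocols such as `sctp` or `all`. Going by the commit description, `string_to_port` falls back to tcp for anything else, so a rule that combines a service name with one of those values would still take its port from the tcp entries, with no warning. `string_to_port` is not visible here, so this is inferred. If it holds, state it at the call with `# string_to_port only distinguishes tcp/udp; any other proto value (negated, sctp, all, ...) resolves service names via tcp.`, or reject service names for those protocols so the rule fails at catalog time instead of matching an unintended port. The same applies to the `dport` and `port` munge blocks in the two following hunks.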
@@ -465,7 +476,7 @@ Puppet::Type.newtype(:firewall) do end munge do |value| - @resource.string_to_port(value, :proto) + @resource.string_to_port(value, @resource[:proto]) end def to_s?(value) @@ -568,17 +579,6 @@ Puppet::Type.newtype(:firewall) do }.flatten) end - newproperty(:proto) do - desc <<-PUPPETCODE - The specific protocol to match for this rule. - PUPPETCODE - - newvalues(*[:ip, :tcp, :udp, :icmp, :"ipv6-icmp", :esp, :ah, :vrrp, :carp, :igmp, :ipencap, :ipv4, :ipv6, :ospf, :gre, :cbt, :sctp, :pim, :all].map { |proto| - [proto, "! #{proto}".to_sym] - }.flatten) - defaultto 'tcp' - end - # tcp-specific newproperty(:mss) do desc <<-PUPPETCODE