From: Ken Barber
Date: Fri, 22 Feb 2013 16:55:37 +0000 (+0000)
Subject: Add support for single --sport and --dport parsing
X-Git-Tag: 0.1.0~8^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=3e13bf3;p=puppet-modules%2Fpuppetlabs-firewall.git
Add support for single --sport and --dport parsing
Previously if someone already had a rule with a single --sport or --dport we would fail the parse. This now accepts parsing in the single variant, while still supporting the multiport variant.
Signed-off-by: Ken Barber
---
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 0243591..512c8f1 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -39,7 +39,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 @resource_map = {
 :burst => "--limit-burst",
 :destination => "-d",
- :dport => "-m multiport --dports",
+ :dport => ["-m multiport --dports", "-m (udp|tcp) --dport"],
 :gid => "-m owner --gid-owner",
 :icmp => "-m icmp --icmp-type",
 :iniface => "-i",
@@ -55,7 +55,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :set_mark => mark_flag,
 :socket => "-m socket",
 :source => "-s",
- :sport => "-m multiport --sports",
+ :sport => ["-m multiport --sports", "-m (udp|tcp) --sport"],
 :state => "-m state --state",
 :table => "-t",
 :tcp_flags => "-m tcp --tcp-flags",
@@ -153,8 +153,12 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # Here we iterate across our values to generate an array of keys
 @resource_list.reverse.each do |k|
- if values.slice!(/\s#{@resource_map[k]}/)
- keys << k
+ resource_map_key = @resource_map[k]
+ resource_map_key.each do |opt|
+ if values.slice!(/\s#{opt}/)
+ keys << k
+ break
+ end
 end
 end
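Review bot: The array form introduced for `:dport` at `@@ -39` (and `:sport` at `@@ -55`) gives the map values two roles that nothing in the hunk records: every element is interpolated into a regex when a rule is parsed (`@@ -153`), while only the first element is emitted verbatim when arguments are generated (`@@ -301`), which is why the second element may carry the regex group `(udp|tcp)` but the first must stay a literal option string. A comment above `@resource_map` would keep the next contributor from putting a pattern in the first slot; suggested wording: `# Values are a literal option string or an array of them. When parsing a rule every element is used as a regex; when generating arguments only the first element is emitted, so it must be a plain literal.` The `@resource_map` hash begins inside this hunk but continues past both hunks.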
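Review bot: `resource_map_key.each` at `@@ -153` runs against every value of `@resource_map`, but after this commit only `:dport` and `:sport` are arrays; every other key remains a plain string (`"--limit-burst"`, `"-d"`, …). `String#each` was removed in Ruby 1.9, so on 1.9+ the first string-valued key raises NoMethodError; on 1.8.7 it is `each_line`, which yields the single-line string once and hides the problem. Normalising before iterating keeps both shapes on one path: `[resource_map_key].flatten.each do |opt|`. The lookup at `@@ -301` has the same mixed-type problem, since core Ruby defines no `String#first`; unless something in scope adds one, `args << [resource_map[res]].flatten.first.split(' ')` is needed there as well. The enclosing method starts and ends outside the hunk.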
@@ -301,7 +305,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 next
 end
- args << resource_map[res].split(' ')
+ args << resource_map[res].first.split(' ')
 # For sport and dport, convert hyphens to colons since the type
 # expects hyphens for ranges of ports.
diff --git a/lib/puppet/util/ipcidr.rb b/lib/puppet/util/ipcidr.rb
index 674bf18..87e8d5e 100644
--- a/lib/puppet/util/ipcidr.rb
+++ b/lib/puppet/util/ipcidr.rb
@@ -4,6 +4,17 @@ require 'ipaddr'
 module Puppet
 module Util
 class IPCidr < IPAddr
+ def initialize(ipaddr)
+ begin
+ super(ipaddr)
+ rescue ArgumentError => e
+ if e.message =~ /invalid address/
+ raise ArgumentError, "Invalid address from IPAddr.new: #{ipaddr}"
+ else
+ raise e
+ end
+ end
+ end
 def netmask
 _to_string(@mask_addr)
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 294e4a1..e12e482 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
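Review bot: `def initialize(ipaddr)` in the `IPCidr` hunk accepts exactly one argument and forwards exactly one to `super`, whereas `IPAddr#initialize` also takes an optional address-family argument, so any caller that passes a family now fails with a wrong-number-of-arguments ArgumentError before the address is even examined; `def initialize(ipaddr, *args)` with `super(ipaddr, *args)` preserves the parent's contract. The rewrap also keys on the parent's message text (`e.message =~ /invalid address/`), which is not part of IPAddr's public interface and may change between Ruby versions, in which case the friendlier message silently stops appearing; if the intent is only to name the offending input, rewrapping every ArgumentError from `super` would be more robust. As a point of style, the `begin`/`end` around the whole body can give way to a method-level `rescue`, and `raise e` is conventionally a bare `raise`, which re-raises the current exception with its backtrace intact.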
@@ -298,6 +298,50 @@ ARGS_TO_HASH = {
 :socket => true,
 },
 },
+ 'single_tcp_sport' => {
+ :line => '-A OUTPUT -s 10.94.100.46/32 -p tcp -m tcp --sport 20443 -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :source => "10.94.100.46/32",
+ :proto => "tcp",
+ :sport => ["20443"],
+ },
+ },
+ 'single_udp_sport' => {
+ :line => '-A OUTPUT -s 10.94.100.46/32 -p udp -m udp --sport 20443 -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :source => "10.94.100.46/32",
+ :proto => "udp",
+ :sport => ["20443"],
+ },
+ },
+ 'single_tcp_dport' => {
+ :line => '-A OUTPUT -s 10.94.100.46/32 -p tcp -m tcp --dport 20443 -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :source => "10.94.100.46/32",
+ :proto => "tcp",
+ :dport => ["20443"],
+ },
+ },
+ 'single_udp_dport' => {
+ :line => '-A OUTPUT -s 10.94.100.46/32 -p udp -m udp --dport 20443 -j ACCEPT',
+ :table => 'mangle',
+ :params => {
+ :action => 'accept',
+ :chain => 'OUTPUT',
+ :source => "10.94.100.46/32",
+ :proto => "udp",
+ :dport => ["20443"],
+ },
+ },
 }
 # This hash is for testing converting a hash to an argument line.
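Review bot: The four new fixtures exercise only a single port number in the `-m tcp`/`-m udp --sport`/`--dport` form; none covers a port range in that form (for example a constructed `--dport 1024:2048`), even though the provider comment at `@@ -301` states that ranges are written with colons on the iptables side and hyphens on the type side, so whether a range survives the new single-port parse path (presumably via a matching colon-to-hyphen conversion that this diff does not show) is not tested here. One further entry mirroring `single_tcp_dport` with a ranged `:line` and the expected `:dport` value would close that gap.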