From: Eimhin Laverty Date: Wed, 3 Apr 2019 11:21:34 +0000 (+0100) Subject: (MODULES-8842) Fix ipvs not idempotent X-Git-Tag: 1.15.3~2^2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=8374a26cf5b1e7440d23e78226a26919524f26d1;p=puppet-modules%2Fpuppetlabs-firewall.git (MODULES-8842) Fix ipvs not idempotent --- diff --git a/README.markdown b/README.markdown index fdabdc9..5112462 100644 --- a/README.markdown +++ b/README.markdown @@ -524,6 +524,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `bpf`: The ability to use Berkeley Paket Filter rules. +* `ipvs`: The ability to match IP Virtual Server packets. + #### Parameters * `action`: This is the action to perform on a match. Valid values for this action are: @@ -639,6 +641,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov * `ipset`: Matches IP sets. Value must be 'ipset_name (src|dst|src,dst)' and can be negated by putting ! in front. Requires ipset kernel module. Will accept a single element or an array. +* `ipvs`: Matches packets belonging to an IP Virtual server connection. + * `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature. * `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`. diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 754d64a..61d7f1b 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb 
@@ -304,7 +304,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa :month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone, :src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst, :hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size, - :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :name + :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :name ] def insert diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index 2ffa925..0d4b926 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb @@ -1750,6 +1750,7 @@ Puppet::Type.newtype(:firewall) do desc <<-PUPPETCODE Indicates that the current packet belongs to an IPVS connection. PUPPETCODE + newvalues(:true, :false) end autorequire(:firewallchain) do diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb index ddad46b..80a8c0c 100644 --- a/spec/acceptance/firewall_attributes_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb @@ -351,8 +351,9 @@ describe 'firewall attribute testing, happy path' do } firewall { '1002 - set ipvs': proto => 'tcp', - dport => '4321', - chain => 'OUTPUT', + action => accept, + chain => 'INPUT', + ipvs => true, } PUPPETCODE apply_manifest(pp, catch_failures: true) @@ -507,5 +508,8 @@ describe 'firewall attribute testing, happy path' do it 'jump is set' do expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST}) end + it 'ipvs is set' do + expect(result.stdout).to match(%r{-A INPUT -p tcp -m ipvs --ipvs -m comment --comment "1002 - set ipvs" -j ACCEPT}) + end end end
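Review bot: The `desc` heredoc for the ipvs parameter still says only that the packet belongs to an IPVS connection, while the added `newvalues(:true, :false)` now rejects every other value; the accepted values belong in the description, as the README already does for comparable flags such as `isfirstfrag`, e.g. append `Valid values are 'true', 'false'. Cannot be negated.` to the heredoc. The hunk does not show how the provider renders `ipvs => false` (flag omitted or `! --ipvs`), so confirm that against the provider before stating it in the description. The enclosing parameter definition starts outside the hunk.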
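Review bot: The rewritten `1002 - set ipvs` manifest exercises only `ipvs => true` and is applied once with `catch_failures: true`, so the idempotency failure named in the commit title is not directly asserted here unless the surrounding `before` block (outside the hunk) already re-applies the manifest; adding `apply_manifest(pp, catch_changes: true)` after the existing apply would pin the fix. There is also no case for `ipvs => false`, the other value the type now accepts, so a regression in how the provider renders it would go unnoticed by this spec. Dropping `dport => '4321'` also makes the rule an unconditional `-j ACCEPT` for all TCP IPVS traffic on INPUT, which is acceptable on a throwaway test host but should not be copied into real manifests as an example.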