From: Ashley Penney
Date: Mon, 21 May 2012 18:28:16 +0000 (-0400)
Subject: (#14949) Added pkttype property
X-Git-Tag: 0.1.0~20^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=95db3e0aa975b0e73784fbdda1467b533a847eb2;p=puppet-modules%2Fpuppetlabs-firewall.git

(#14949) Added pkttype property

This adds the pkttype property so we can match multicast and broadcast packets.
---
diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index b97f7e7..0b64501 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -14,6 +14,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 has_feature :log_prefix
 has_feature :mark
 has_feature :tcp_flags
+ has_feature :pkttype
 
 commands :iptables => '/sbin/ip6tables'
 commands :iptables_save => '/sbin/ip6tables-save'
@@ -42,6 +43,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :toports => "--to-ports",
 :tosource => "--to-source",
 :uid => "-m owner --uid-owner",
+ :pkttype => "-m pkttype --pkt-type"
 }
 
 # This is the order of resources as they appear in iptables-save output,
@@ -49,7 +51,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 # changes between puppet runs, the changed rules will be re-applied again.
 # This order can be determined by going through iptables source code or just tweaking and trying manually
 @resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
+ :proto, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :icmp, :limit, :burst, :jump,
 :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
 
 end
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index a3fb163..2d1f40a 100644
--- a/lib/puppet/provider/firewall/iptables.rb
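Review bot: Placing :pkttype between :port and :name in @resource_list fixes where the provider emits `-m pkttype`, but nothing in the commit shows that iptables-save prints the match in that position, and the comment above the list says a mismatch causes the rule to be re-applied on every run; if the saved form puts `-m pkttype` elsewhere, every pkttype rule would be rewritten on each agent run. The ARGS_TO_HASH fixture added in spec/fixtures/iptables/conversion_hash.rb uses a line with no other match module, so it does not exercise that ordering. Consider checking the position against real ip6tables-save output and adding a fixture line that combines `-m pkttype` with `-m comment` and `-m state`. The same applies to the @resource_list hunk in lib/puppet/provider/firewall/iptables.rb. The provide block enclosing the list begins outside the hunk.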
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -19,6 +19,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :log_prefix
 has_feature :mark
 has_feature :tcp_flags
+ has_feature :pkttype
 
 commands :iptables => '/sbin/iptables'
 commands :iptables_save => '/sbin/iptables-save'
@@ -51,6 +52,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :tosource => "--to-source",
 :uid => "-m owner --uid-owner",
 :set_mark => "--set-mark",
+ :pkttype => "-m pkttype --pkt-type"
 }
 
 # This is the order of resources as they appear in iptables-save output,
@@ -58,7 +60,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 # changes between puppet runs, the changed rules will be re-applied again.
 # This order can be determined by going through iptables source code or just tweaking and trying manually
 @resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :tcp_flags, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :proto, :tcp_flags, :gid, :uid, :sport, :dport, :port, :pkttype, :name, :state, :icmp, :limit, :burst,
 :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject, :set_mark]
 
 def insert
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index f5f0bf0..47603bb 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -33,6 +33,7 @@ Puppet::Type.newtype(:firewall) do
 feature :log_prefix, "The ability to add prefixes to log messages"
 feature :mark, "Set the netfilter mark value associated with the packet"
 feature :tcp_flags, "The ability to match on particular TCP flag settings"
+ feature :pkttype, "Match a packet type"
 
 # provider specific features
 feature :iptables, "The provider provides iptables features."
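Review bot: The feature description `"Match a packet type"` is terser than its neighbours and does not say which kind of type is meant; `feature :pkttype, "The ability to match on the link-layer packet type (unicast, broadcast or multicast)"` would read consistently with the tcp_flags line above it. The property added in the later hunk of the same file (around line 489) has the same gap: its desc is only "Sets the packet type to match." and could instead state that it selects the iptables pkttype match (`-m pkttype --pkt-type`) and that the accepted values are unicast, broadcast and multicast, which is what the newvalues call there enforces. The newtype block enclosing both hunks begins outside them.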
@@ -488,6 +489,14 @@ Puppet::Type.newtype(:firewall) do
 end
 end
 
+ newproperty(:pkttype, :required_features => :pkttype) do
+ desc <<-EOS
+ Sets the packet type to match.
+ EOS
+
+ newvalues(:unicast, :broadcast, :multicast)
+ end
+
 newparam(:line) do
 desc <<-EOS
 Read-only property for caching the rule line.
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index b8e34ca..563e2a3 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -281,6 +281,14 @@ ARGS_TO_HASH = {
 :outiface => 'eth+',
 },
 },
+ 'pkttype multicast' => {
+ :line => '-A INPUT -m pkttype --pkt-type multicast -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :action => 'accept',
+ :pkttype => 'multicast',
+ },
+ },
 }
 
 # This hash is for testing converting a hash to an argument line.
@@ -594,4 +602,15 @@ HASH_TO_ARGS = {
 },
 :args => ["-t", :filter, "-o", "eth+", "-p", :tcp, "-m", "comment", "--comment", "060 outiface", "-j", "DROP"],
 },
+ 'pkttype multicast' => {
+ :params => {
+ :name => '062 pkttype multicast',
+ :table => "filter",
+ :action => 'accept',
+ :chain => 'INPUT',
+ :iniface => 'eth0',
+ :pkttype => 'multicast',
+ },
+ :args => ["-t", :filter, "-i", "eth0", "-p", :tcp, "-m", "pkttype", "--pkt-type", :multicast, "-m", "comment", "--comment", "062 pkttype multicast", "-j", "ACCEPT"],
+ },
 }
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
index 0cdb98a..dbf0dde 100755
--- a/spec/unit/puppet/type/firewall_spec.rb
+++ b/spec/unit/puppet/type/firewall_spec.rb
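Review bot: Both new fixtures cover only the multicast value and only the IPv4 argument form, so the broadcast and unicast values the type now accepts, and the ip6tables provider that also gained the feature, have no round-trip coverage; one ARGS_TO_HASH and one HASH_TO_ARGS entry per value would be cheap to add. The ARGS_TO_HASH entry's `:line` also carries no other match module, so it cannot show that the parser still recovers pkttype when `-m comment` or `-m state` is present on the same rule. A line such as `'-A INPUT -m pkttype --pkt-type multicast -m comment --comment "062 pkttype multicast" -j ACCEPT'` with the matching `:name` in `:params` would exercise that. The ARGS_TO_HASH and HASH_TO_ARGS hashes both begin outside their hunks.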
@@ -396,4 +396,17 @@ describe firewall do
 rel[1].target.ref.should == @resource.ref
 end
 end
+
+ describe ':pkttype' do
+ [:multicast, :broadcast, :unicast].each do |pkttype|
+ it "should accept pkttype value #{pkttype}" do
+ @resource[:pkttype] = pkttype
+ @resource[:pkttype].should == pkttype
+ end
+ end
+
+ it 'should fail when the pkttype value is not recognized' do
+ lambda { @resource[:pkttype] = 'not valid' }.should raise_error(Puppet::Error)
+ end
+ end
 end
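Review bot: The acceptance loop assigns symbols only, while manifests (and the conversion_hash fixture) supply the value as a string such as 'multicast', so the spec never shows how the string form is stored. Adding a second assignment per value, `@resource[:pkttype] = pkttype.to_s` followed by `@resource[:pkttype].should == pkttype`, would pin that the string form is normalised to the symbol the HASH_TO_ARGS fixture expects in its args (`:multicast`), assuming newvalues performs that conversion. The `describe firewall do` block enclosing this hunk begins outside it.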