From: Jonathan Boyett
Date: Thu, 10 Nov 2011 00:07:56 +0000 (-0800)
Subject: (#10693) Ensure -m limit is added for iptables when using 'limit' param
X-Git-Tag: v0.0.3~2^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=9c870873f77ca1f7d02d76c23d1cb52533ae721a;p=puppet-modules%2Fpuppetlabs-firewall.git
(#10693) Ensure -m limit is added for iptables when using 'limit' param
Previously we had only been adding --limit to the iptables arguments which meant the 'limit' parameter was not working at all. This patch fixes that.
---
diff --git a/examples/iptables/test.pp b/examples/iptables/test.pp
index 4f05987..6dc91b8 100644
--- a/examples/iptables/test.pp
+++ b/examples/iptables/test.pp
@@ -93,6 +93,13 @@ firewall { '056 INPUT allow web in and out':
 port => 80
 }
 
+firewall { '057 INPUT limit NTP':
+ action => accept,
+ proto => 'tcp',
+ dport => ntp,
+ limit => '15/hour'
+}
+
 firewall { '999 FORWARD drop':
 action => drop,
 chain => 'FORWARD',
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 7ce469a..99848ea 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -29,7 +29,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :icmp => "-m icmp --icmp-type",
 :iniface => "-i",
 :jump => "-j",
- :limit => "--limit",
+ :limit => "-m limit --limit",
 :log_level => "--log-level",
 :log_prefix => "--log-prefix",
 :name => "-m comment --comment",
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 6390fef..3240010 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
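Review bot: The new '057 INPUT limit NTP' example pairs `proto => 'tcp'` with `dport => ntp`, but NTP is a UDP service on port 123, so the rule as written will not match real NTP traffic and misleads anyone copying it to try the limit parameter. Either change the line to `proto => 'udp',` or rename the rule after a TCP service. The bare word `ntp` also presumably depends on service-name resolution somewhere in the type or provider, whereas the new spec fixture uses the literal 123; `dport => 123` would keep the example and the fixture aligned and avoid that dependency.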
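Review bot: The `:limit` entry now embeds the match-extension loader in the option string, but nothing in the resource map says why, and the fact that the value is split on whitespace into the `-m`, `limit`, `--limit` arguments the new fixture expects is only discoverable from the spec; a future cleanup could easily collapse it back to the bare `--limit` this commit is fixing. A comment above the entry such as `# iptables match-extension options need their "-m <module>" loader in front of them; the string is split into separate arguments` would pin the reason, and the `:icmp` and `:name` entries already rely on the same convention without saying so. The parameter value itself is appended verbatim; whether the type restricts it to the iptables rate syntax is not visible here and is worth confirming, since if the same whitespace split applies to the value, a value containing spaces would become extra arguments. The enclosing hash begins and ends outside the hunk.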
@@ -100,6 +100,14 @@ ARGS_TO_HASH = {
 :source => '192.168.0.1',
 },
 },
+ 'load_limit_module' => {
+ :line => '-A INPUT -m multiport --dports 123 -m comment --comment "057 INPUT limit NTP" -m limit --limit 15/hour',
+ :table => 'filter',
+ :params => {
+ :dport => ['123'],
+ :limit => '15/hour'
+ },
+ },
 }
 
 # This hash is for testing converting a hash to an argument line.
@@ -199,4 +207,13 @@ HASH_TO_ARGS = {
 },
 :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--ports', '80', '-m', 'comment', '--comment', '001 port property'],
 },
+ 'load_limit_module' => {
+ :params => {
+ :name => '057 INPUT limit NTP',
+ :table => 'filter',
+ :dport => '123',
+ :limit => '15/hour'
+ },
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--dports', '123', '-m', 'comment', '--comment', '057 INPUT limit NTP', '-m', 'limit', '--limit', '15/hour'],
+ },
 }
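Review bot: Both new 'load_limit_module' entries exercise `-m limit` only in combination with a multiport and a comment match, so a regression in the limit handling would be indistinguishable from one in comment or multiport parsing; an additional ARGS_TO_HASH case whose `:line` carries `-m limit --limit 15/hour` as the only extension would pin the fix on its own. The HASH_TO_ARGS entry lists no `:proto` yet expects `-p tcp` in `:args`, the same as the visible '001 port property' `:args` line, which presumably comes from a type default; a one-line comment noting that would save the next reader a trip to the type. The ARGS_TO_HASH and HASH_TO_ARGS literals both begin before their hunks.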