From: nemski
Date: Mon, 20 Oct 2014 07:58:34 +0000 (+1100)
Subject: Add netmap feature and acceptance tests
X-Git-Tag: 1.4.0~30^2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=f45fa3baad886d21d8409c94612022a47b6fc07f;p=puppet-modules%2Fpuppetlabs-firewall.git

Add netmap feature and acceptance tests
---
diff --git a/README.markdown b/README.markdown
index 9ed83b5..9d58722 100644
--- a/README.markdown
+++ b/README.markdown
@@ -344,7 +344,7 @@ This type enables you to manage firewall rules within Puppet.
 * `iptables`: Iptables type provider
 * Required binaries: `iptables-save`, `iptables`.
 * Default for `kernel` == `linux`.
- * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`.
+ * Supported features: `address_type`, `connection_limiting`, `dnat`, `icmp_match`, `interface_match`, `iprange`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfragment`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`, `netmap`.
 **Autorequires:**
@@ -408,6 +408,8 @@ If Puppet is managing the iptables or iptables-persistent packages, and the prov
 * `tcp_flags`: The ability to match on particular TCP flag settings.
+* `netmap`: The ability to map entire subnets via source or destination nat rules.
+
 #### Parameters
 * `action`: This is the action to perform on a match. Valid values for this action are:
@@ -628,6 +630,8 @@ firewall { '101 blacklist strange traffic':
 * `tosource`: When using `jump => 'SNAT'`, you can specify the new source address using this parameter. Requires the `snat` feature.
+* `to`: When using `jump => 'NETMAP'`, you can specify a source or destination subnet to nat to. Requires the `netmap` feature`.
+
 * `uid`: UID or Username owner matching rule. Accepts a string argument only, as iptables does not accept multiple uid in a single statement. Requires the `owner` feature.
 ###Type: firewallchain
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 300d525..233d960 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -12,6 +12,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 has_feature :recent_limiting
 has_feature :snat
 has_feature :dnat
+ has_feature :netmap
 has_feature :interface_match
 has_feature :icmp_match
 has_feature :owner
@@ -102,6 +103,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :todest => "--to-destination",
 :toports => "--to-ports",
 :tosource => "--to-source",
+ :to => "--to",
 :uid => "-m owner --uid-owner",
 }
@@ -156,7 +158,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
 :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
 :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :todest,
- :tosource, :toports, :random, :log_prefix, :log_level, :reject, :set_mark,
+ :tosource, :toports, :to, :random, :log_prefix, :log_level, :reject, :set_mark,
 :connlimit_above, :connlimit_mask, :connmark
 ]
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index f5c7174..85c6464 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
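Review bot: The new `:to => "--to"` entry is a textual prefix of the existing `--to-destination`, `--to-source` and `--to-ports` values in the same map, and the resource_list change in the following hunk places `:to` after `:toports`; if the provider's rule parser (outside this diff) matches flag strings with an unanchored regex, a DNAT or SNAT rule read back from `iptables-save` could bind `--to` before the longer flag is tried. The practical effect would be that Puppet sees such rules as drifted on every run and rewrites them, so a constructed provider fixture such as `-A PREROUTING -j DNAT --to-destination 10.0.0.1` asserting that `:todest` is parsed and `:to` is absent would pin the behaviour. If the parser already anchors on the whitespace after the flag, a short comment at the `:to` line saying so would save the next reader the same check.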
@@ -34,6 +34,7 @@ Puppet::Type.newtype(:firewall) do
 feature :recent_limiting, "The netfilter recent module"
 feature :snat, "Source NATing"
 feature :dnat, "Destination NATing"
+ feature :netmap, "NET MAPping"
 feature :interface_match, "Interface matching"
 feature :icmp_match, "Matching ICMP types"
 feature :owner, "Matching owners"
@@ -469,6 +470,12 @@ Puppet::Type.newtype(:firewall) do
 EOS
 end
+ newproperty(:to, :required_features => :netmap) do
+ desc <<-EOS
+ For NETMAP this will replace the destination IP
+ EOS
+ end
+
 newproperty(:random, :required_features => :dnat) do
 desc <<-EOS
 When using a jump value of "MASQUERADE", "DNAT", "REDIRECT", or "SNAT"
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 010a302..ac172b0 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
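Review bot: The desc on the new `to` property says it replaces the destination IP, but the README entry and the acceptance tests added in this same commit use it for both source (POSTROUTING) and destination (PREROUTING) mapping, so the type documentation understates what the property does. Suggested desc, matching the style of the neighbouring `random` property: `When using a jump value of "NETMAP", the network to map the source or destination address to. Requires the netmap feature.` The README line for `to` in the first file of this commit also carries a stray trailing backtick after the word feature.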
@@ -1681,4 +1681,54 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
 end
 end
+ describe 'to' do
+ context 'Destination netmap 192.168.1.1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '569 - test':
+ proto => tcp,
+ table => 'nat',
+ chain => 'PREROUTING',
+ jump => 'NETMAP',
+ source => '200.200.200.200',
+ to => '192.168.1.1',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t nat') do |r|
+ expect(r.stdout).to match(/-A PREROUTING -s 200.200.200.200(\/32)? -p tcp -m comment --comment "611 - test" -j NETMAP --to 192.168.1.1/)
+ end
+ end
+ end
+
+ context 'Source netmap 192.168.1.1' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '569 - test':
+ proto => tcp,
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'NETMAP',
+ destination => '200.200.200.200',
+ to => '192.168.1.1',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save -t nat') do |r|
+ expect(r.stdout).to match(/-A POSTROUTING -d 200.200.200.200(\/32)? -p tcp -m comment --comment "611 - test" -j NETMAP --to 192.168.1.1/)
+ end
+ end
+ end
+ end
+
 end
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
index 3df6a89..19c1219 100755
--- a/spec/unit/puppet/type/firewall_spec.rb
+++ b/spec/unit/puppet/type/firewall_spec.rb
@@ -219,7 +219,7 @@ describe firewall do
 end
 end
- [:tosource, :todest].each do |addr|
+ [:tosource, :todest, :to].each do |addr|
 describe addr do
 it "should accept #{addr} value as a string" do
 @resource[addr] = '127.0.0.1'
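Review bot: Both `should contain the rule` expectations match on `--comment "611 - test"`, but the manifests in the two `applies` examples create the resource as `'569 - test'`, so the `iptables-save` regexes can never match and these examples cannot pass. Change both regexes to `--comment "569 - test"` (the PREROUTING one and the POSTROUTING one). The two contexts also reuse the same title with different chains, so the second `apply_manifest` presumably replaces the first rule rather than adding to it; giving each context its own title keeps the examples independent. The unescaped dots in `200.200.200.200` are harmless here, but `200\.200\.200\.200` is what the pattern intends.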