From 046fd18e59219ddc6ed15558c47ce16232f06691 Mon Sep 17 00:00:00 2001 From: Morgan Haskel Date: Fri, 2 Jan 2015 16:12:50 -0500 Subject: [PATCH] MODULES-1612 - Sync ipsec_dir and ipsec_policy --- README.markdown | 2 +- lib/puppet/provider/firewall/ip6tables.rb | 13 ++- spec/acceptance/firewall_spec.rb | 116 ++++++++++++++++++++++ 3 files changed, 126 insertions(+), 5 deletions(-) diff --git a/README.markdown b/README.markdown index 265d6ef..b30b1fd 100644 --- a/README.markdown +++ b/README.markdown @@ -339,7 +339,7 @@ This type enables you to manage firewall rules within Puppet. * `ip6tables`: Ip6tables type provider * Required binaries: `ip6tables-save`, `ip6tables`. - * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. + * Supported features: `connection_limiting`, `dnat`, `hop_limiting`, `icmp_match`, `interface_match`, `ipsec_dir`, `ipsec_policy`, `iptables`, `isfirstfrag`, `ishasmorefrags`, `islastfrag`, `log_level`, `log_prefix`, `mark`, `owner`, `pkttype`, `rate_limiting`, `recent_limiting`, `reject_type`, `snat`, `socket`, `state_match`, `tcp_flags`. * `iptables`: Iptables type provider * Required binaries: `iptables-save`, `iptables`. diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb index 77156ec..442d527 100644 --- a/lib/puppet/provider/firewall/ip6tables.rb +++ b/lib/puppet/provider/firewall/ip6tables.rb @@ -24,6 +24,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = has_feature :socket has_feature :address_type has_feature :iprange + has_feature :ipsec_dir + has_feature :ipsec_policy optional_commands({ :ip6tables => 'ip6tables', 
@@ -64,6 +66,8 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = :hop_limit => "-m hl --hl-eq", :icmp => "-m icmp6 --icmpv6-type", :iniface => "-i", + :ipsec_dir => "-m policy --dir", + :ipsec_policy => "--pol", :isfirstfrag => "-m frag --fragid 0 --fragfirst", :ishasmorefrags => "-m frag --fragid 0 --fragmore", :islastfrag => "-m frag --fragid 0 --fraglast", @@ -154,9 +158,10 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source = @resource_list = [:table, :source, :destination, :iniface, :outiface, :proto, :ishasmorefrags, :islastfrag, :isfirstfrag, :src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_source, :sport, :dport, :port, :dst_type, - :src_type, :socket, :pkttype, :name, :state, :ctstate, :icmp, :hop_limit, - :limit, :burst, :recent, :rseconds, :reap, :rhitcount, :rttl, :rname, - :rsource, :rdest, :jump, :todest, :tosource, :toports, :log_level, - :log_prefix, :reject, :connlimit_above, :connlimit_mask, :connmark] + :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, + :ctstate, :icmp, :hop_limit, :limit, :burst, :recent, :rseconds, :reap, + :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource, + :toports, :log_level, :log_prefix, :reject, :connlimit_above, + :connlimit_mask, :connmark] end diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index 9023d8c..d03ec59 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb 
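Review bot: `:ipsec_policy => "--pol"` carries no `-m policy` of its own, so a resource that sets `ipsec_policy` without `ipsec_dir` would be rendered as a bare `--pol ipsec` with no policy match loaded, which ip6tables rejects at apply time rather than at catalog compile time. Unless the firewall type already enforces that pairing (its definition is not in this patch), a validation there, or at least a comment on the mapping, would make the dependency explicit: `:ipsec_policy => "--pol", # only valid after ipsec_dir's "-m policy --dir"`. The iptables provider this mapping is presumably copied from is outside the hunk and would want the same note.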
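Review bot: The slot chosen for `:ipsec_dir, :ipsec_policy` in `@resource_list` (after `:name`, before `:state`) is only correct if it matches where `ip6tables-save` prints `-m policy` relative to `-m comment` and `-m state`; the acceptance test's expected string shows that order, so the placement looks right, but nothing in the code records the constraint. If, as appears to be the case, the list drives the argument order the provider compares against the saved rule, the next contributor can silently break idempotency by inserting a key in the wrong place. A one-line comment above the assignment would guard that: `# Order matters: it must match the argument order in ip6tables-save output.`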
@@ -1305,6 +1305,122 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami end end + describe 'ipsec_policy' do + context 'ipsec' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '607 - test': + ensure => 'present', + action => 'reject', + chain => 'OUTPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'out', + ipsec_policy => 'ipsec', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "607 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp6-adm-prohibited/) + end + end + end + + context 'none' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '608 - test': + ensure => 'present', + action => 'reject', + chain => 'OUTPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'out', + ipsec_policy => 'none', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "608 - test" -m policy --dir out --pol none -j REJECT --reject-with icmp6-adm-prohibited/) + end + end + end + end + + describe 'ipsec_dir' do + context 'out' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '609 - test': + ensure => 'present', + action => 'reject', + chain => 'OUTPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'out', + ipsec_policy => 'ipsec', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + provider => 'ip6tables', + } + EOS + + 
apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A OUTPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "609 - test" -m policy --dir out --pol ipsec -j REJECT --reject-with icmp6-adm-prohibited/) + end + end + end + + context 'in' do + it 'applies' do + pp = <<-EOS + class { '::firewall': } + firewall { '610 - test': + ensure => 'present', + action => 'reject', + chain => 'INPUT', + destination => '2001:db8::1/128', + ipsec_dir => 'in', + ipsec_policy => 'none', + proto => 'all', + reject => 'icmp6-adm-prohibited', + table => 'filter', + provider => 'ip6tables', + } + EOS + + apply_manifest(pp, :catch_failures => true) + end + + it 'should contain the rule' do + shell('ip6tables-save') do |r| + expect(r.stdout).to match(/-A INPUT -d 2001:db8::1\/(128|ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) -m comment --comment "610 - test" -m policy --dir in --pol none -j REJECT --reject-with icmp6-adm-prohibited/) + end + end + end + end + # ip6tables only support addrtype on a limited set of platforms if default['platform'] =~ /el-7/ or default['platform'] =~ /debian-7/ or default['platform'] =~ /ubuntu-1404/ ['dst_type', 'src_type'].each do |type| -- 2.45.2
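Review bot: Every new context applies the manifest once with `:catch_failures => true` and then greps `ip6tables-save`, so a rule that is written correctly but parsed back into a different resource on the next run would still pass; since the `@resource_list` reordering in this commit exists so the saved rule round-trips, a second `apply_manifest(pp, :catch_changes => true)` in each `applies` example would catch exactly that mismatch. The `ipsec_dir`/`out` context (rule 609) is also identical to the `ipsec_policy`/`ipsec` context (rule 607) apart from the rule name, so it adds no coverage; it could instead exercise a combination not yet tested, such as `ipsec_dir => 'in'` with `ipsec_policy => 'ipsec'` on `INPUT`. No example covers what happens when `ipsec_policy` is set without `ipsec_dir`, which is the misuse most likely to produce a broken rule.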