From 24d9ada08430f7fdb7dda7c68c9473e7282eca3a Mon Sep 17 00:00:00 2001 From: Eimhin Laverty Date: Mon, 25 Mar 2019 09:41:55 +0000 Subject: [PATCH] (MODULES-8615) Fix rules with ipvs not parsing --- lib/puppet/provider/firewall/iptables.rb | 3 +++ lib/puppet/type/firewall.rb | 7 +++++++ spec/acceptance/firewall_attributes_happy_path_spec.rb | 6 +++++- 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index 2d0e8d7..754d64a 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -42,6 +42,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa has_feature :string_matching has_feature :queue_num has_feature :queue_bypass + has_feature :ipvs optional_commands(iptables: 'iptables', iptables_save: 'iptables-save') @@ -168,6 +169,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa hashlimit_htable_expire: '--hashlimit-htable-expire', hashlimit_htable_gcinterval: '--hashlimit-htable-gcinterval', bytecode: '-m bpf --bytecode', + ipvs: '-m ipvs --ipvs', } # These are known booleans that do not take a value, but we want to munge @@ -190,6 +192,7 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa :kernel_timezone, :clusterip_new, :queue_bypass, + :ipvs, ] # Properties that use "-m " (with the potential to have multiple diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index b9feff4..2ffa925 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb 
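Review bot: In `lib/puppet/provider/firewall/iptables.rb`, the new map entry `ipvs: '-m ipvs --ipvs'` (hunk at `-168,6`) and the `:ipvs` entry in the value-less booleans list (hunk at `-190,6`) cover only the bare `--ipvs` flag. The iptables ipvs match also accepts negation (`! --ipvs`) and value options such as `--vproto`, `--vaddr`, `--vport`, `--vdir` and `--vmethod`, so a saved rule using any of those would presumably still fail to parse. On a host where Puppet manages or purges firewall rules, a rule the provider cannot parse is one the catalog cannot compare correctly. A comment above the map entry, `# only the bare --ipvs flag is handled; negation and the --v* options of the ipvs match are not parsed`, would record the limit. The hash and the array both begin and end outside their hunks, so the ordered property list the provider uses to build arguments is not visible; confirm `:ipvs` is in it, otherwise the property is read but never written.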
@@ -69,6 +69,7 @@ Puppet::Type.newtype(:firewall) do feature :queue_bypass, 'If nothing is listening on queue_num, allow packets to bypass the queue' feature :hashlimit, 'Hashlimit features' feature :bpf, 'Berkeley Paket Filter feature' + feature :ipvs, 'Packet belongs to an IP Virtual Server connection' # provider specific features feature :iptables, 'The provider provides iptables features.' @@ -1745,6 +1746,12 @@ Puppet::Type.newtype(:firewall) do PUPPETCODE end + newproperty(:ipvs, required_features: :ipvs) do + desc <<-PUPPETCODE + Indicates that the current packet belongs to an IPVS connection. + PUPPETCODE + end + autorequire(:firewallchain) do reqs = [] protocol = nil diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb index e6947d1..ddad46b 100644 --- a/spec/acceptance/firewall_attributes_happy_path_spec.rb +++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb @@ -18,7 +18,6 @@ describe 'firewall attribute testing, happy path' do log_level => '3', log_prefix => 'IPTABLES dropped invalid: ', } - firewall { '501 - connlimit': proto => tcp, dport => '2222', @@ -350,6 +349,11 @@ describe 'firewall attribute testing, happy path' do chain => 'OUTPUT', table => 'mangle', } + firewall { '1002 - set ipvs': + proto => 'tcp', + dport => '4321', + chain => 'OUTPUT', + } PUPPETCODE apply_manifest(pp, catch_failures: true) apply_manifest(pp, catch_changes: do_catch_changes) -- 2.45.2
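Review bot: The new `ipvs` property in `lib/puppet/type/firewall.rb` (hunk at `-1745,6`) declares no allowed values, so a manifest can pass any string even though the provider treats `:ipvs` as a value-less boolean. Adding `newvalues(:true, :false)` inside the block would reject a mistyped value when the resource is validated, instead of leaving it to rule generation. The description could also state the effect and the accepted values, for example `Match packets that belong to an IPVS connection (adds "-m ipvs --ipvs" to the rule). Valid values are true or false.`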
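Review bot: The added resource `'1002 - set ipvs'` in `spec/acceptance/firewall_attributes_happy_path_spec.rb` (hunk at `-350,6`) never sets the new property, so the manifest applies an ordinary tcp/4321 OUTPUT rule and the ipvs path is not exercised. Adding `ipvs => true,` to the resource would make the second `apply_manifest` run (the one with `catch_changes`) actually depend on the saved rule being parsed back, which is the behaviour the commit title says it fixes. If the spec asserts on `iptables-save` output for the other rules (those checks are outside this hunk), a matching expectation for `-m ipvs --ipvs` belongs there too. If the property was left out because the test hosts lack the ipvs match module, a comment in the manifest saying so would keep the rule's name from misleading the next reader.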