From 3f592aa7137ec9d3b9b2a4f57a97fcf60295eef5 Mon Sep 17 00:00:00 2001
From: Aron Parsons
Date: Fri, 26 Sep 2014 16:58:05 -0400
Subject: [PATCH] add physdev support

rebased from https://github.com/puppetlabs/puppetlabs-firewall/pull/82
---
 lib/puppet/provider/firewall/ip6tables.rb | 1 +
 lib/puppet/provider/firewall/iptables.rb | 1 +
 lib/puppet/type/firewall.rb | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+)

diff --git a/lib/puppet/provider/firewall/ip6tables.rb b/lib/puppet/provider/firewall/ip6tables.rb
index ce4b5b4..9139045 100644
--- a/lib/puppet/provider/firewall/ip6tables.rb
+++ b/lib/puppet/provider/firewall/ip6tables.rb
@@ -119,6 +119,7 @@ Puppet::Type.type(:firewall).provide :ip6tables, :parent => :iptables, :source =
 :toports => "--to-ports",
 :tosource => "--to-source",
 :uid => "-m owner --uid-owner",
+ :bridge => "-m physdev",
 }
 # These are known booleans that do not take a value, but we want to munge
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index c842907..56c869a 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -105,6 +105,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :tosource => "--to-source",
 :to => "--to",
 :uid => "-m owner --uid-owner",
+ :bridge => "-m physdev",
 }
 # These are known booleans that do not take a value, but we want to munge
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 79a94a9..67060c3 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
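Review bot: The new `:bridge => "-m physdev"` entry carries no option flag, unlike its siblings such as `:uid => "-m owner --uid-owner"`, so the physdev option name itself has to arrive in the property value; the same entry is added in the iptables.rb hunk that follows, and this note applies there too. The provider will therefore emit whatever the type hands it after `-m physdev`, and the rule-parsing side of the provider (outside these hunks) presumably expects a single token after a match module, so a value carrying its own `--physdev-*` name should be confirmed to round-trip when existing rules are read back. A comment pinning the contract would help future readers: `# :bridge carries the physdev option name itself (e.g. --physdev-is-bridged); the type's munge supplies the leading dashes`.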
@@ -1033,6 +1033,19 @@ Puppet::Type.newtype(:firewall) do
 newvalues(/^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$/i)
 end
+ newproperty(:bridge, :required_features => :iptables) do
+ desc <<-EOS
+ Match if the packet is being bridged.
+ EOS
+ munge do |value|
+ if ! value.to_s.start_with?("--")
+ "--" + value.to_s
+ else
+ value
+ end
+ end
+ end
+
 autorequire(:firewallchain) do
 reqs = []
 protocol = nil
@@ -1191,5 +1204,11 @@ Puppet::Type.newtype(:firewall) do
 self.fail "Parameter 'stat_probability' requires 'stat_mode' to be set to 'random'"
 end
+ if value(:bridged)
+ unless value(:chain).to_s =~ /FORWARD/
+ self.fail "Parameter isbridged only applies to the FORWARD chain"
+ end
+ end
+
 end
 end
-- 
2.45.2
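Review bot: The `munge` block accepts any string and only prepends `--`, so with no `newvalues` restriction on `bridge` an arbitrary token reaches the provider's `-m physdev` argument, while the `desc` promises only "being bridged", which is just one physdev option. Restrict the property to the options the desc means, e.g. `newvalues(/\A(--)?physdev-is-(in|out|bridged)\z/)` placed before `munge` (Puppet validates before it munges), or else widen the desc to say the value is the full physdev option name. Minor: `if ! value.to_s.start_with?("--")` reads better as `unless value.to_s.start_with?("--")`. The enclosing `newtype(:firewall) do` block starts outside the hunk.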
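Review bot: The new check reads `value(:bridged)` and its message names `isbridged`, but the property added in the previous hunk is `:bridge`, so the guard never fires and a `bridge` value on any chain passes validation. Change it to `if value(:bridge)` with `self.fail "Parameter 'bridge' only applies to the FORWARD chain"`, matching the quoting style of the `stat_probability` message in the context. `value(:chain).to_s =~ /FORWARD/` is a substring match that also accepts a user-defined chain whose name merely contains FORWARD; if only the built-in chain is intended, compare with `value(:chain).to_s == 'FORWARD'`. The enclosing block (presumably the type's `validate do`) starts outside the hunk.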