From 772c1cbd1cd9afc382e5c79c6a404309eb0985a9 Mon Sep 17 00:00:00 2001
From: Johan Bloemberg
Date: Thu, 11 Feb 2016 21:22:11 +0100
Subject: [PATCH] Add support for goto argument.

---
 lib/puppet/provider/firewall/iptables.rb | 9 ++---
 lib/puppet/type/firewall.rb | 38 ++++++++++++++++++++--
 spec/fixtures/iptables/conversion_hash.rb | 9 +++++
 spec/unit/puppet/provider/iptables_spec.rb | 1 -
 4 files changed, 50 insertions(+), 7 deletions(-)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 1d7aec5..ac01613 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -73,6 +73,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :ipset => "-m set --match-set",
 :isfragment => "-f",
 :jump => "-j",
+ :goto => "-g",
 :limit => "-m limit --limit",
 :log_level => "--log-level",
 :log_prefix => "--log-prefix",
@@ -155,7 +156,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :clusterip_new,
 ]

- # Properties that use "-m " (with the potential to have multiple
+ # Properties that use "-m " (with the potential to have multiple
 # arguments against the same IPT module) must be in this hash. The keys in this
 # hash are the IPT module names, with the values being an array of the respective
 # supported arguments for this IPT module.
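Review bot: `:goto => "-g"` is placed after `:jump`, although the visible neighbours of this resource map (`:ipset`, `:isfragment`, `:jump`, `:limit`, `:log_level`, `:log_prefix`) are kept in alphabetical order; if the whole map follows that convention the entry belongs among the g-keys, which lie outside this hunk. The position here is presumably cosmetic, since the flag order the provider emits appears to come from the list touched in the later hunk at line 256 of this file, so this is a style point only. The resource map and the enclosing provider block start and end outside the hunk.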
@@ -255,7 +256,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :src_range, :dst_range, :tcp_flags, :uid, :gid, :mac_source, :sport, :dport, :port, :src_type, :dst_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy, :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
- :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :clusterip_new, :clusterip_hashmode,
+ :rhitcount, :rttl, :rname, :mask, :rsource, :rdest, :ipset, :jump, :goto, :clusterip_new, :clusterip_hashmode,
 :clusterip_clustermac, :clusterip_total_nodes, :clusterip_local_node, :clusterip_hash_init, :clamp_mss_to_pmtu, :gateway, :set_mss, :set_dscp, :set_dscp_class, :todest, :tosource, :toports, :to, :checksum_fill, :random, :log_prefix, :log_level, :log_uid, :reject, :set_mark, :match_mark, :mss, :connlimit_above, :connlimit_mask, :connmark, :time_start, :time_stop,
@@ -434,8 +435,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 [:dport, :sport, :port, :state, :ctstate].each do |prop|
 hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
 end
-
- ## clean up DSCP class to HEX mappings
+
+ ## clean up DSCP class to HEX mappings
 valid_dscp_classes = {
 '0x0a' => 'af11',
 '0x0c' => 'af12',
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 213fedf..e68b2d6 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -374,7 +374,7 @@ Puppet::Type.newtype(:firewall) do
 end.flatten)
 defaultto "tcp"
 end
-
+
 # tcp-specific
 newproperty(:mss) do
 desc <<-EOS
@@ -476,6 +476,40 @@ Puppet::Type.newtype(:firewall) do
 end
 end

+ newproperty(:goto, :required_features => :iptables) do
+ desc <<-EOS
+ The value for the iptables --goto parameter. Normal values are:
+
+ * QUEUE
+ * RETURN
+ * DNAT
+ * SNAT
+ * LOG
+ * MASQUERADE
+ * REDIRECT
+ * MARK
+
+ But any valid chain name is allowed.
+ EOS
+
+ validate do |value|
+ unless value =~ /^[a-zA-Z0-9\-_]+$/
+ raise ArgumentError, <<-EOS
+ Goto destination must consist of alphanumeric characters, an
+ underscore or a yphen.
+ EOS
+ end
+
+ if ["accept","reject","drop"].include?(value.downcase)
+ raise ArgumentError, <<-EOS
+ Goto destination should not be one of ACCEPT, REJECT or DROP. Use
+ the action property instead.
+ EOS
+ end
+
+ end
+ end
+
 # Interface specific matching properties
 newproperty(:iniface, :required_features => :interface_match) do
 desc <<-EOS
@@ -894,7 +928,7 @@ Puppet::Type.newtype(:firewall) do
 Set DSCP Markings.
 EOS
 end
-
+
 newproperty(:set_dscp_class, :required_features => :iptables) do
 desc <<-EOS
 This sets the DSCP field according to a predefined DiffServ class.
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index bbdff8c..990da91 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -79,6 +79,15 @@ ARGS_TO_HASH = {
 :action => nil,
 },
 },
+ 'jump_goto' => {
+ :line => '-A w--instance-cfmhvrgpmq6 -g w--default',
+ :table => 'filter',
+ :params => {
+ :goto => "w--default",
+ :action => nil,
+ },
+
+ },
 'source_destination_ipv4_no_cidr' => {
 :line => '-A INPUT -s 1.1.1.1 -d 2.2.2.2 -m comment --comment "000 source destination ipv4 no cidr"',
 :table => 'filter',
diff --git a/spec/unit/puppet/provider/iptables_spec.rb b/spec/unit/puppet/provider/iptables_spec.rb
index 0557071..0fe6119 100644
--- a/spec/unit/puppet/provider/iptables_spec.rb
+++ b/spec/unit/puppet/provider/iptables_spec.rb
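Review bot: Nothing in the new `validate` block, or elsewhere in the commit, stops `goto` being set together with `jump` (or `action`, which also renders as -j); iptables treats -j and -g as the same option slot and rejects a rule carrying both, so such a manifest only fails at apply time once the provider's argument list (the iptables.rb hunk at line 256, where `:goto` follows `:jump`) emits both flags, and the type-level `validate` block outside this hunk should add `raise ArgumentError, 'goto is mutually exclusive with jump and action' if value(:goto) && (value(:jump) || value(:action))`. The `desc` is copied from jump, but per iptables(8) --goto continues processing in a user-specified chain rather than invoking a target, so the listed target extensions (DNAT, SNAT, LOG, MASQUERADE, REDIRECT, MARK) are not meaningful goto destinations; the list should give way to a sentence stating that any user-defined chain name is accepted. The first error message has a typo and should read `underscore or a hyphen.`. The regex `/^[a-zA-Z0-9\-_]+$/` anchors per line in Ruby, so `\A[a-zA-Z0-9\-_]+\z` is the whole-value form, ideally applied to the jump property's validate (not shown) as well. The enclosing `Puppet::Type.newtype(:firewall) do` block starts and ends outside the hunk.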
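Review bot: The `'jump_goto'` fixture in conversion_hash.rb carries a stray empty line between the `},` that closes `:params` and the `},` that closes the entry; none of the neighbouring entries have one, so it should be dropped. The key name also reads as a test of the jump property while the entry exercises `:goto`; `'goto_chain'` would describe it. The fixture only covers the line-to-hash direction; if the file also has a hash-to-args fixture set (not visible here), a matching entry showing that `:goto => 'w--default'` renders as `-g w--default` would cover the generate path too. ARGS_TO_HASH starts and ends outside the hunk.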
@@ -431,4 +431,3 @@ describe 'ip6tables provider' do
 end
 end
 end
-
-- 
2.45.2