From 80407848ea2fe1d46a723ccdf29a535685a7dcff Mon Sep 17 00:00:00 2001
From: Jonathan Boyett
Date: Wed, 9 Nov 2011 15:17:41 -0800
Subject: [PATCH] (#10690) Create new port property

This new property will allow you to specify ports that match both destination and source. This works the same as dport and sport parameters, so it provides array support and hyphen separated ranges of ports as well.
---
 examples/iptables/test.pp | 6 ++++++
 lib/puppet/provider/firewall/iptables.rb | 13 ++++++------
 lib/puppet/type/firewall.rb | 26 +++++++++++++++++++++++
 spec/fixtures/iptables/conversion_hash.rb | 8 +++++++
 4 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/examples/iptables/test.pp b/examples/iptables/test.pp
index bb8921f..4f05987 100644
--- a/examples/iptables/test.pp
+++ b/examples/iptables/test.pp
@@ -87,6 +87,12 @@ firewall { '055 INPUT allow DNS':
 sport => 'domain'
 }
 
+firewall { '056 INPUT allow web in and out':
+ action => accept,
+ proto => 'tcp',
+ port => 80
+}
+
 firewall { '999 FORWARD drop':
 action => drop,
 chain => 'FORWARD',
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index f2518e8..7ce469a 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -34,6 +34,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :log_prefix => "--log-prefix",
 :name => "-m comment --comment",
 :outiface => "-o",
+ :port => '-m multiport --ports',
 :proto => "-p",
 :reject => "--reject-with",
 :source => "-s",
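Review bot: The new map entry is single-quoted (`:port => '-m multiport --ports',`) while every neighbouring value in this hash uses double quotes; `:port => "-m multiport --ports",` keeps the table uniform. This is also the first entry whose flag only works in combination with another one: the multiport match needs a port-carrying protocol, and on some iptables releases `-p` has to come before `-m multiport` on the command line, so a short comment here would save the next reader a trip to the man page, e.g. `# multiport needs a port-carrying protocol; @resource_list keeps :proto ahead of :port`. The resource map continues outside the hunk.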
@@ -45,9 +46,9 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 :tosource => "--to-source",
 }
 
- @resource_list = [:table, :source, :destination, :iniface, :outiface,
- :proto, :sport, :dport, :name, :state, :icmp, :limit, :burst, :jump,
- :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
+ @resource_list = [:table, :source, :destination, :iniface, :outiface,
+ :proto, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst,
+ :jump, :todest, :tosource, :toports, :log_level, :log_prefix, :reject]
 
 def insert
 debug 'Inserting rule %s' % resource[:name]
@@ -117,14 +118,14 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
 keys.zip(values.scan(/"[^"]*"|\S+/).reverse) { |f, v| hash[f] = v.gsub(/"/, '') }
 
- [:dport, :sport, :state].each do |prop|
+ [:dport, :sport, :port, :state].each do |prop|
 hash[prop] = hash[prop].split(',') if ! hash[prop].nil?
 end
 
 # Our type prefers hyphens over colons for ranges so ...
 # Iterate across all ports replacing colons with hyphens so that ranges match
 # the types expectations.
- [:dport, :sport].each do |prop|
+ [:dport, :sport, :port].each do |prop|
 next unless hash[prop]
 hash[prop] = hash[prop].collect do |elem|
 elem.gsub(/:/,'-')
@@ -223,7 +224,7 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
 
 # For sport and dport, convert hyphens to colons since the type
 # expects hyphens for ranges of ports.
- if [:sport, :dport].include?(res) then
+ if [:sport, :dport, :port].include?(res) then
 resource_value = resource_value.collect do |elem|
 elem.gsub(/-/, ':')
 end
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 0889268..8fcb1f6 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
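Review bot: The order of `@resource_list` is load-bearing and the rewritten literal still carries no comment saying so; `:port` is slotted in next to `:sport`/`:dport`, which is the right place, but only because `:proto` precedes all three. Suggest a line above the assignment: `# Order is the iptables argv order: :proto must stay ahead of :sport/:dport/:port, since -m multiport only matches a port-carrying protocol.` Note also that nothing in this list or the type stops a resource from setting `port` together with `sport` or `dport`, which would emit two `-m multiport` instances in one rule; whether the provider or iptables rejects that is not visible from the hunk and deserves a test or a sentence in the property's desc.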
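Review bot: The comment directly above the changed condition in the `@@ -223,7 +224,7 @@` hunk is now stale — it still names only sport and dport — and it states the direction backwards, since this branch turns the type's hyphens into the colons iptables wants. Suggest `# For sport, dport and port, convert hyphens to colons: the type writes` / `# port ranges with hyphens, iptables expects colons.` The matching comment in the `@@ -117,14 +118,14 @@` hunk ("Our type prefers hyphens over colons") is still accurate after adding `:port`. The enclosing method starts and ends outside the hunk.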
@@ -151,6 +151,32 @@ Puppet::Type.newtype(:firewall) do
 end
 end
 
+ newproperty(:port, :array_matching => :all) do
+ desc <<-EOS
+ The destination or source port to match for this filter (if the protocol
+ supports ports). Will accept a single element or an array.
+
+ For some firewall providers you can pass a range of ports in the format:
+
+ -
+
+ For example:
+
+ 1-1024
+
+ This would cover ports 1 to 1024.
+ EOS
+
+ munge do |value|
+ @resource.string_to_port(value)
+ end
+
+ def should_to_s(value)
+ value = [value] unless value.is_a?(Array)
+ value.join(',')
+ end
+ end
+
 newproperty(:proto) do
 desc <<-EOS
 The specific protocol to match for this rule. By default this is
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index e2807b3..6390fef 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -191,4 +191,12 @@ HASH_TO_ARGS = {
 },
 :args => ['-t', :filter, '-s', '192.168.0.1', '-p', :tcp, '-m', 'comment', '--comment', '000 allow from 192.168.0.1, please'],
 },
+ 'port_property' => {
+ :params => {
+ :name => '001 port property',
+ :table => 'filter',
+ :port => '80',
+ },
+ :args => ['-t', :filter, '-p', :tcp, '-m', 'multiport', '--ports', '80', '-m', 'comment', '--comment', '001 port property'],
+ },
 }
-- 
2.45.2
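Review bot: The new `port` property puts no bound on how many elements it accepts, yet the provider renders it through `-m multiport --ports`, which iptables limits to 15 ports with each range counting as two; an array past that limit passes the type and only fails at apply time, so either a `validate` block or, at minimum, a sentence in `desc` should state the limit (assuming `string_to_port`, defined outside the hunk, does not already enforce it). The `desc` also undersells the semantics: "destination or source port" should say plainly that the rule matches when *either* side is in the set, and that combining `port` with `sport`/`dport` is neither validated nor documented. The `munge` and `should_to_s` bodies look like a copy of what `dport`/`sport` presumably define just above (not visible here); if so, a shared helper or a loop over the three property names would keep them from drifting apart.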
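Review bot: The new fixture only exercises a single literal port, so the hyphen-to-colon conversion and comma joining that the commit adds for `:port` in the provider are not covered; a second entry with, for example, `:port => ['80', '443', '8000-8100']` expecting `'-m', 'multiport', '--ports', '80,443,8000:8100'` in `:args` (constructed values) would pin that path. Note as well that `:params` sets no `:proto`, while `:args` contains `'-p', :tcp` — the fixture appears to rely on a default protocol from the type, which is worth a short comment so a future change to that default does not break this case for an unrelated reason.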