Do not configure state matching when using GRE
The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
(cherry picked from commit 688a79c6c6)
parent
ceeb5b948b
commit
0626631cf0
|
@ -83,14 +83,21 @@ define tripleo::firewall::rule (
|
||||||
'sport' => $sport,
|
'sport' => $sport,
|
||||||
'proto' => $proto,
|
'proto' => $proto,
|
||||||
'action' => $action,
|
'action' => $action,
|
||||||
'state' => $state,
|
|
||||||
'source' => $source,
|
'source' => $source,
|
||||||
'iniface' => $iniface,
|
'iniface' => $iniface,
|
||||||
'chain' => $chain,
|
'chain' => $chain,
|
||||||
'destination' => $destination,
|
'destination' => $destination,
|
||||||
}
|
}
|
||||||
|
if $proto != 'gre' {
|
||||||
|
$state_rule = {
|
||||||
|
'state' => $state
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$state_rule = {}
|
||||||
|
}
|
||||||
|
|
||||||
$rule = merge($basic, $extras)
|
|
||||||
|
$rule = merge($basic, $state_rule, $extras)
|
||||||
validate_hash($rule)
|
validate_hash($rule)
|
||||||
|
|
||||||
create_resources('firewall', { "${title}" => $rule })
|
create_resources('firewall', { "${title}" => $rule })
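Review bot: The `if $proto != 'gre'` branch drops `$state` silently, so a caller who passes an explicit `state` together with `proto => 'gre'` gets a stateless rule with no sign that the argument was ignored. Without a connection-state match the rule applies to every GRE packet that meets the remaining attributes, which leaves `source` and `iniface` as the only scoping. I would record that above the conditional, e.g. `# GRE rules are emitted without a state match; $state is ignored when proto is 'gre', so scope these rules with source/iniface.`, and repeat it in the define's documentation for `state`. Since `$extras` is merged last, a `state` key supplied there would presumably still reach the firewall resource for GRE. The define starts and ends outside this hunk.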
|
||||||
|
|
|
@ -76,7 +76,8 @@ describe 'tripleo::firewall' do
|
||||||
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
|
'301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
|
||||||
'302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
|
'302 fwd custom cidr 1' => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
|
||||||
'303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
|
'303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
|
||||||
'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'}
|
'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
|
||||||
|
'305 add gre rule' => {'proto' => 'gre'}
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
@ -109,6 +110,7 @@ describe 'tripleo::firewall' do
|
||||||
:action => 'accept',
|
:action => 'accept',
|
||||||
:state => ['NEW'],
|
:state => ['NEW'],
|
||||||
)
|
)
|
||||||
|
is_expected.to contain_firewall('305 add gre rule').without(:state)
|
||||||
end
|
end
|
||||||
end
|
end
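Review bot: The new expectation for '305 add gre rule' checks only that `state` is absent, so it would still pass if the rule lost its `proto` as well; chaining the positive match pins both, `is_expected.to contain_firewall('305 add gre rule').with(:proto => 'gre').without(:state)`. There is also no case for a GRE rule declared with an explicit `state`, which is the input where the manifest now discards a caller-supplied value. A constructed fixture entry such as `'306 add gre rule with state' => {'proto' => 'gre', 'state' => ['NEW']}` with the same `.without(:state)` expectation would cover it. The surrounding example block starts outside the hunk.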
|
||||||
|
|
||||||
|
|