Add 'ipversion' to firewall/rule.pp

Add the posibility to add 'ipversion' to the firewall rule manifest. Closes-Bug: #1845153 Change-Id: Id872c55cfc6b958fef3ccda2d923f821a1fe6a13
2019-09-24 12:57:53 +02:00 · 2019-09-24 12:57:53 +02:00 · 7264c75c37
parent ebe6f1a300
commit 7264c75c37
3 changed files with 100 additions and 35 deletions
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@ -19,6 +19,11 @@
 #
 # === Parameters:
 #
+# [*ipversion*]
+#  (optional) The IP-version associated to the rule.
+#  If not set the rule will be created for both IPv4 and IPv6.
+#  Defaults to undef
+#
 # [*port*]
 #  (optional) The port associated to the rule.
 #  Defaults to undef
@ -78,6 +83,7 @@
 #  Defaults to {}
 #
 define tripleo::firewall::rule (
+  $ipversion   = undef,
  $port        = undef,
  $dport       = undef,
  $sport       = undef,
@ -94,6 +100,12 @@ define tripleo::firewall::rule (
  $tag         = 'tripleo-firewall-rule',
 ) {

+  if $ipversion == 'all' {
+    $ipversion_real = undef
+  } else {
+    $ipversion_real = $ipversion
+  }
+
  if $port == 'all' {
    warning("All ${proto} traffic will be open on this host.")
    # undef so the IPtables rule won't have any port specified.
@ -124,16 +136,28 @@ define tripleo::firewall::rule (
    'table'       => $table,
    'tag'         => $tag,
  }
-  if $proto == 'icmp' {
-    $ipv6 = {
-      'provider' => 'ip6tables',
-      'proto'    => 'ipv6-icmp',
+
+  if $ipversion_real != undef {
+    if $ipversion_real == 'ipv6' {
+      $ipv4 = undef
+      $ipv6 = {'provider' => 'ip6tables'}
+    }
+    if $ipversion_real == 'ipv4' {
+      $ipv4 = {'provider' => 'iptables'}
+      $ipv6 = undef
    }
  } else {
-    $ipv6 = {
-      'provider' => 'ip6tables',
+    $ipv4 = {'provider' => 'iptables'}
+    if $proto == 'icmp' {
+      $ipv6 = {
+        'provider' => 'ip6tables',
+        'proto'    => 'ipv6-icmp',
+      }
+    } else {
+      $ipv6 = {'provider' => 'ip6tables'}
    }
  }
+
  if $proto != 'gre' {
    $state_rule = {
      'state' => $state
@ -142,11 +166,14 @@ define tripleo::firewall::rule (
    $state_rule = {}
  }

-
-  $ipv4_rule = merge($basic, $state_rule, $extras)
-  $ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
-  validate_legacy(Hash, 'validate_hash', $ipv4_rule)
-  validate_legacy(Hash, 'validate_hash', $ipv6_rule)
+  if $ipv4 != undef {
+    $ipv4_rule = merge($basic, $state_rule, $ipv4, $extras)
+    validate_legacy(Hash, 'validate_hash', $ipv4_rule)
+  }
+  if $ipv6 != undef {
+    $ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
+    validate_legacy(Hash, 'validate_hash', $ipv6_rule)
+  }

  # This conditional will ensure that TCP and UDP firewall rules have
  # a port specified in the configuration when using INPUT or OUTPUT chains.
@ -165,8 +192,12 @@ define tripleo::firewall::rule (
      create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
    }
  } else {
-    create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
-    create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+    if $ipv4 != undef {
+      create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+    }
+    if $ipv6 != undef {
+      create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+    }
  }

 }
--- a/releasenotes/notes/firewall-rules-support-ipversion-c9e2adeca34b2fd0.yaml
+++ b/releasenotes/notes/firewall-rules-support-ipversion-c9e2adeca34b2fd0.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The ``ipversion`` parameter was added to tripleo::firewall:rule. Allowing
+    the user to provide the IP version (``ipv4`` or ``ipv6``) for firewall
+    rules. With the default (``undef``) the rule will be created in both
+    *iptables* and *ip6tables*.
+    Bug: `1845153 <https://bugs.launchpad.net/tripleo/+bug/1845153>`_.
+
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@ -97,45 +97,53 @@ describe 'tripleo::firewall' do
            '305 add gre rule'             => {'proto' => 'gre'},
            '306 add custom cidr 2'        => {'port' => 'all', 'destination' => '::1/24'},
            '307 add custom nat rule'      => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
+            '308 add custom INPUT v4'      => {'ipversion' => 'ipv4', 'port' => '67', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
+            '309 add custom INPUT v6'      => {'ipversion' => 'ipv6', 'port' => '546', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
          }
        )
      end
      it 'configure custom firewall rules' do
        is_expected.to contain_firewall('300 add custom application 1 ipv4').with(
-          :port   => '999',
-          :proto  => 'udp',
-          :action => 'accept',
-          :state  => ['NEW'],
+          :port     => '999',
+          :proto    => 'udp',
+          :action   => 'accept',
+          :state    => ['NEW'],
+          :provider => 'iptables',
        )
        is_expected.to contain_firewall('301 add custom application 2 ipv4').with(
-          :port   => '8081',
-          :proto  => 'tcp',
-          :action => 'accept',
-          :state  => ['NEW'],
+          :port     => '8081',
+          :proto    => 'tcp',
+          :action   => 'accept',
+          :state    => ['NEW'],
+          :provider => 'iptables',
        )
        is_expected.to contain_firewall('302 fwd custom cidr 1 ipv4').with(
-          :chain   => 'FORWARD',
-          :proto   => 'tcp',
+          :chain       => 'FORWARD',
+          :proto       => 'tcp',
          :destination => '192.0.2.0/24',
+          :provider    => 'iptables',
        )
        is_expected.to_not contain_firewall('302 fwd custom cidr 1 ipv6')
        is_expected.to contain_firewall('303 add custom application 3 ipv4').with(
-          :dport   => '8081',
-          :proto  => 'tcp',
-          :action => 'accept',
-          :state  => ['NEW'],
+          :dport    => '8081',
+          :proto    => 'tcp',
+          :action   => 'accept',
+          :state    => ['NEW'],
+          :provider => 'iptables',
        )
        is_expected.to contain_firewall('304 add custom application 4 ipv4').with(
-          :sport   => '1000',
-          :proto  => 'tcp',
-          :action => 'accept',
-          :state  => ['NEW'],
+          :sport    => '1000',
+          :proto    => 'tcp',
+          :action   => 'accept',
+          :state    => ['NEW'],
+          :provider => 'iptables',
        )
        is_expected.to contain_firewall('304 add custom application 4 ipv6').with(
-          :sport  => '1000',
-          :proto  => 'tcp',
-          :action => 'accept',
-          :state  => ['NEW'],
+          :sport    => '1000',
+          :proto    => 'tcp',
+          :action   => 'accept',
+          :state    => ['NEW'],
+          :provider => 'ip6tables',
        )
        is_expected.to contain_firewall('305 add gre rule ipv4').without(:state)
        is_expected.to contain_firewall('306 add custom cidr 2 ipv6').with(
@ -149,6 +157,23 @@ describe 'tripleo::firewall' do
          :source      => '192.168.0.0/24',
          :jump        => 'RETURN',
          :table       => 'nat',
+          :provider    => 'iptables',
+        )
+        is_expected.to contain_firewall('308 add custom INPUT v4 ipv4').with(
+          :chain    => 'INPUT',
+          :port     => '67',
+          :proto    => 'udp',
+          :action   => 'accept',
+          :state    => ['NEW'],
+          :provider => 'iptables',
+        )
+        is_expected.to contain_firewall('309 add custom INPUT v6 ipv6').with(
+          :chain    => 'INPUT',
+          :port     => '546',
+          :proto    => 'udp',
+          :action   => 'accept',
+          :state    => ['NEW'],
+          :provider => 'ip6tables',
        )
      end
    end