Add 'ipversion' to firewall/rule.pp
Add the possibility to add 'ipversion' to the firewall rule manifest. Closes-Bug: #1845153 Change-Id: Id872c55cfc6b958fef3ccda2d923f821a1fe6a13
This commit is contained in:
parent
ebe6f1a300
commit
7264c75c37
|
@ -19,6 +19,11 @@
|
|||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*ipversion*]
|
||||
# (optional) The IP-version associated to the rule.
|
||||
# If not set the rule will be created for both IPv4 and IPv6.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*port*]
|
||||
# (optional) The port associated to the rule.
|
||||
# Defaults to undef
|
||||
|
@ -78,6 +83,7 @@
|
|||
# Defaults to {}
|
||||
#
|
||||
define tripleo::firewall::rule (
|
||||
$ipversion = undef,
|
||||
$port = undef,
|
||||
$dport = undef,
|
||||
$sport = undef,
|
||||
|
@ -94,6 +100,12 @@ define tripleo::firewall::rule (
|
|||
$tag = 'tripleo-firewall-rule',
|
||||
) {
|
||||
|
||||
if $ipversion == 'all' {
|
||||
$ipversion_real = undef
|
||||
} else {
|
||||
$ipversion_real = $ipversion
|
||||
}
|
||||
|
||||
if $port == 'all' {
|
||||
warning("All ${proto} traffic will be open on this host.")
|
||||
# undef so the IPtables rule won't have any port specified.
|
||||
|
@ -124,16 +136,28 @@ define tripleo::firewall::rule (
|
|||
'table' => $table,
|
||||
'tag' => $tag,
|
||||
}
|
||||
if $proto == 'icmp' {
|
||||
$ipv6 = {
|
||||
'provider' => 'ip6tables',
|
||||
'proto' => 'ipv6-icmp',
|
||||
|
||||
if $ipversion_real != undef {
|
||||
if $ipversion_real == 'ipv6' {
|
||||
$ipv4 = undef
|
||||
$ipv6 = {'provider' => 'ip6tables'}
|
||||
}
|
||||
if $ipversion_real == 'ipv4' {
|
||||
$ipv4 = {'provider' => 'iptables'}
|
||||
$ipv6 = undef
|
||||
}
|
||||
} else {
|
||||
$ipv6 = {
|
||||
'provider' => 'ip6tables',
|
||||
$ipv4 = {'provider' => 'iptables'}
|
||||
if $proto == 'icmp' {
|
||||
$ipv6 = {
|
||||
'provider' => 'ip6tables',
|
||||
'proto' => 'ipv6-icmp',
|
||||
}
|
||||
} else {
|
||||
$ipv6 = {'provider' => 'ip6tables'}
|
||||
}
|
||||
}
|
||||
|
||||
if $proto != 'gre' {
|
||||
$state_rule = {
|
||||
'state' => $state
|
||||
|
@ -142,11 +166,14 @@ define tripleo::firewall::rule (
|
|||
$state_rule = {}
|
||||
}
|
||||
|
||||
|
||||
$ipv4_rule = merge($basic, $state_rule, $extras)
|
||||
$ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
|
||||
validate_legacy(Hash, 'validate_hash', $ipv4_rule)
|
||||
validate_legacy(Hash, 'validate_hash', $ipv6_rule)
|
||||
if $ipv4 != undef {
|
||||
$ipv4_rule = merge($basic, $state_rule, $ipv4, $extras)
|
||||
validate_legacy(Hash, 'validate_hash', $ipv4_rule)
|
||||
}
|
||||
if $ipv6 != undef {
|
||||
$ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
|
||||
validate_legacy(Hash, 'validate_hash', $ipv6_rule)
|
||||
}
|
||||
|
||||
# This conditional will ensure that TCP and UDP firewall rules have
|
||||
# a port specified in the configuration when using INPUT or OUTPUT chains.
|
||||
|
@ -165,8 +192,12 @@ define tripleo::firewall::rule (
|
|||
create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
|
||||
}
|
||||
} else {
|
||||
create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
|
||||
create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
|
||||
if $ipv4 != undef {
|
||||
create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
|
||||
}
|
||||
if $ipv6 != undef {
|
||||
create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
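Review bot: In the `$ipversion_real == 'ipv6'` branch of the `@ -124,16 +136,28 @@` hunk, the line `$ipv6 = {'provider' => 'ip6tables'}` drops the ICMP special case, so an ICMP rule restricted to IPv6 reaches ip6tables with `'proto' => 'icmp'` while the unrestricted else branch just below still translates it to `'ipv6-icmp'`. A value outside `ipv4`/`ipv6`/`all` is also not rejected: neither inner `if` fires, `$ipv4` and `$ipv6` stay unset, and the `if $ipv4 != undef` / `if $ipv6 != undef` guards in the last two hunks then silently emit no firewall resource at all instead of failing the catalog, which for a firewall rule is the worst failure mode. Typing the parameter in the `@ -78,6 +83,7 @@` hunk, `Optional[Enum['ipv4', 'ipv6', 'all']] $ipversion = undef,`, turns a typo into a compile error. The define starts in that second hunk and its body runs across the later ones, so the surrounding lines are not all visible here.
```puppet
if $ipversion_real != undef {
  if $ipversion_real == 'ipv6' {
    $ipv4 = undef
    if $proto == 'icmp' {
      $ipv6 = {
        'provider' => 'ip6tables',
        'proto'    => 'ipv6-icmp',
      }
    } else {
      $ipv6 = {'provider' => 'ip6tables'}
    }
  }
  # … unchanged: ipv4 branch and the unrestricted else branch …
```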
@ -0,0 +1,9 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
The ``ipversion`` parameter was added to tripleo::firewall:rule. Allowing
|
||||
the user to provide the IP version (``ipv4`` or ``ipv6``) for firewall
|
||||
rules. With the default (``undef``) the rule will be created in both
|
||||
*iptables* and *ip6tables*.
|
||||
Bug: `1845153 <https://bugs.launchpad.net/tripleo/+bug/1845153>`_.
|
||||
|
|
@ -97,45 +97,53 @@ describe 'tripleo::firewall' do
|
|||
'305 add gre rule' => {'proto' => 'gre'},
|
||||
'306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'},
|
||||
'307 add custom nat rule' => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
|
||||
'308 add custom INPUT v4' => {'ipversion' => 'ipv4', 'port' => '67', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
|
||||
'309 add custom INPUT v6' => {'ipversion' => 'ipv6', 'port' => '546', 'proto' => 'udp', 'chain' => 'INPUT', 'action' => 'accept'},
|
||||
}
|
||||
)
|
||||
end
|
||||
it 'configure custom firewall rules' do
|
||||
is_expected.to contain_firewall('300 add custom application 1 ipv4').with(
|
||||
:port => '999',
|
||||
:proto => 'udp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:port => '999',
|
||||
:proto => 'udp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('301 add custom application 2 ipv4').with(
|
||||
:port => '8081',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:port => '8081',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('302 fwd custom cidr 1 ipv4').with(
|
||||
:chain => 'FORWARD',
|
||||
:proto => 'tcp',
|
||||
:chain => 'FORWARD',
|
||||
:proto => 'tcp',
|
||||
:destination => '192.0.2.0/24',
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to_not contain_firewall('302 fwd custom cidr 1 ipv6')
|
||||
is_expected.to contain_firewall('303 add custom application 3 ipv4').with(
|
||||
:dport => '8081',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:dport => '8081',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('304 add custom application 4 ipv4').with(
|
||||
:sport => '1000',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:sport => '1000',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('304 add custom application 4 ipv6').with(
|
||||
:sport => '1000',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:sport => '1000',
|
||||
:proto => 'tcp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
is_expected.to contain_firewall('305 add gre rule ipv4').without(:state)
|
||||
is_expected.to contain_firewall('306 add custom cidr 2 ipv6').with(
|
||||
|
@ -149,6 +157,23 @@ describe 'tripleo::firewall' do
|
|||
:source => '192.168.0.0/24',
|
||||
:jump => 'RETURN',
|
||||
:table => 'nat',
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('308 add custom INPUT v4 ipv4').with(
|
||||
:chain => 'INPUT',
|
||||
:port => '67',
|
||||
:proto => 'udp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'iptables',
|
||||
)
|
||||
is_expected.to contain_firewall('309 add custom INPUT v6 ipv6').with(
|
||||
:chain => 'INPUT',
|
||||
:port => '546',
|
||||
:proto => 'udp',
|
||||
:action => 'accept',
|
||||
:state => ['NEW'],
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
end
|
||||
end
|
||||
|
|
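Review bot: The new `308` and `309` expectations in the `@ -149,6 +157,23 @@` hunk only assert the resource that should exist; nothing checks that the other address family was suppressed, which is the behaviour the change introduces, so a regression that creates both rules again would still pass. Mirror the existing `302 … ipv6` negative check with `is_expected.to_not contain_firewall('308 add custom INPUT v4 ipv6')` and `is_expected.to_not contain_firewall('309 add custom INPUT v6 ipv4')`. A case with `'ipversion' => 'ipv6'` and `'proto' => 'icmp'` asserting `:proto => 'ipv6-icmp'` would also pin the ip6tables protocol translation on the restricted path, which the current cases never exercise. The enclosing `describe 'tripleo::firewall'` block starts outside these hunks.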