firewall/rule: add 'table' support

... so we can create masquerade/nat rules. Change-Id: Ic9a2626e73d132c3be7ff14a1f4cdba0c16c5b53
2018-03-15 14:42:35 +01:00 · 2018-03-15 14:42:35 +01:00 · 8f3c647ea0
commit 8f3c647ea0
parent c3739495e1
3 changed files with 19 additions and 1 deletions
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@ -43,6 +43,10 @@
 #  (optional) The chain to jump to.
 #  If present, overrides action
 #
+# [*table*]
+#  (optional) The table where the rule is created.
+#  Defaults to undef
+#
 # [*state*]
 #  (optional) Array of states associated to the rule..
 #  Defaults to ['NEW']
@ -80,6 +84,7 @@ define tripleo::firewall::rule (
  $destination = undef,
  $extras      = {},
  $jump        = undef,
+  $table       = undef,
 ) {

  if $port == 'all' {
@ -109,6 +114,7 @@ define tripleo::firewall::rule (
    'chain'       => $chain,
    'destination' => $destination,
    'jump'        => $jump_real,
+    'table'       => $table,
  }
  if $proto == 'icmp' {
    $ipv6 = {
@ -140,7 +146,7 @@ define tripleo::firewall::rule (
  # If we don't do this sanity check, a user could create some TCP/UDP
  # rules without port, and the result would be an iptables rule that allow any
  # traffic on the host.
-  if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
+  if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD') and ($table != 'nat')) {
    fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
  }
  if $source or $destination {
--- a/releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml
+++ b/releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add support for specifying a table name when creating IPtables rules
+    with the firewall class.
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@ -109,6 +109,7 @@ describe 'tripleo::firewall' do
            '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
            '305 add gre rule'             => {'proto' => 'gre'},
            '306 add custom cidr 2'        => {'port' => 'all', 'destination' => '::1/24'},
+            '307 add custom nat rule'      => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
          }
        )
      end
@ -156,6 +157,12 @@ describe 'tripleo::firewall' do
          :action      => 'accept',
          :provider    => 'ip6tables',
        )
+        is_expected.to contain_firewall('307 add custom nat rule ipv4').with(
+          :destination => '192.168.0.0/24',
+          :source      => '192.168.0.0/24',
+          :jump        => 'RETURN',
+          :table       => 'nat',
+        )
      end
    end