From 8f3c647ea0e8d4fcf40ec70f3c261b9bd69e8182 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Thu, 15 Mar 2018 14:42:35 +0100
Subject: [PATCH] firewall/rule: add 'table' support

... so we can create masquerade/nat rules.

Change-Id: Ic9a2626e73d132c3be7ff14a1f4cdba0c16c5b53
---
 manifests/firewall/rule.pp | 8 +++++++-
 releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml | 5 +++++
 spec/classes/tripleo_firewall_spec.rb | 7 +++++++
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml

diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index f1ea0c9d0..b2ceefd8b 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -43,6 +43,10 @@
 # (optional) The chain to jump to.
 # If present, overrides action
 #
+# [*table*]
+# (optional) The table where the rule is created.
+# Defaults to undef
+#
 # [*state*]
 # (optional) Array of states associated to the rule..
 # Defaults to ['NEW']
@@ -80,6 +84,7 @@ define tripleo::firewall::rule (
   $destination = undef,
   $extras = {},
   $jump = undef,
+  $table = undef,
 ) {
 
   if $port == 'all' {
@@ -109,6 +114,7 @@ define tripleo::firewall::rule (
     'chain' => $chain,
     'destination' => $destination,
     'jump' => $jump_real,
+    'table' => $table,
   }
   if $proto == 'icmp' {
     $ipv6 = {
@@ -140,7 +146,7 @@ define tripleo::firewall::rule (
   # If we don't do this sanity check, a user could create some TCP/UDP
   # rules without port, and the result would be an iptables rule that allow any
   # traffic on the host.
-  if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
+  if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD') and ($table != 'nat')) {
     fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
   }
   if $source or $destination {
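Review bot: The new `[*table*]` doc entry in the first hunk says only `Defaults to undef`, which leaves out the two things a caller needs to know: what table an unset value lands in, and that `'nat'` also switches off the TCP/UDP port sanity check further down this file. I would replace the two added description lines with `# (optional) The iptables table the rule is created in (e.g. 'nat').`, `# When undef the firewall type's own default table applies (filter for puppetlabs-firewall).` and `# Setting it to 'nat' exempts the rule from the TCP/UDP port sanity check.`. The header comment block begins before this hunk.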
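Review bot: In the second hunk `$table = undef` is taken as a free-form string and, at least within this diff, nothing validates it, so a value such as `'NAT'` or a typo passes the manifest, does not match the `'nat'` exemption in the sanity check, and only surfaces when the firewall resource rejects the attribute at apply time. Since the file already uses the `in` operator against a list, a guard near the top of the body in the style of the existing check would catch this at compile time: `if $table and ! ($table in ['filter', 'nat', 'mangle', 'raw']) {`, `  fail("${title} firewall rule cannot be created. Unsupported table '${table}'.")`, `}`. The parameter list starts before this hunk and the body continues after it.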
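Review bot: The added `($table != 'nat')` in the last hunk exempts every nat-table rule from the port sanity check, not only the masquerade case the commit message describes, so a portless TCP/UDP nat rule with any jump target (e.g. DNAT) is now accepted silently, and the `fail` message two lines below still only talks about INPUT/OUTPUT. If a blanket exemption is intended, the comment block above the check should say so, e.g. `# Rules in the nat table are exempt: NAT targets such as MASQUERADE are expected to be portless.`; otherwise narrow the exemption to the jump targets that actually need it. Whether the ipv6 resource also receives `table` depends on how `$ipv4` is merged into it, which is outside this hunk and worth confirming.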
diff --git a/releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml b/releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml
new file mode 100644
index 000000000..e6f47fd1b
--- /dev/null
+++ b/releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Add support for specifying a table name when creating IPtables rules
+    with the firewall class.
diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb
index 203c28479..2bf89fe9e 100644
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@@ -109,6 +109,7 @@ describe 'tripleo::firewall' do
           '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
           '305 add gre rule' => {'proto' => 'gre'},
           '306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'},
+          '307 add custom nat rule' => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
         }
       )
     end
@@ -156,6 +157,12 @@ describe 'tripleo::firewall' do
         :action => 'accept',
         :provider => 'ip6tables',
       )
+      is_expected.to contain_firewall('307 add custom nat rule ipv4').with(
+        :destination => '192.168.0.0/24',
+        :source => '192.168.0.0/24',
+        :jump => 'RETURN',
+        :table => 'nat',
+      )
     end
   end
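Review bot: The `307 add custom nat rule` fixture in the first spec hunk covers only the accepting path of the relaxed check in rule.pp; nothing asserts that a portless TCP/UDP rule outside the nat table is still rejected, and because the fixture sets no `proto`, whether it even reaches the exemption depends on the define's default, which is not in this diff. A second example with a portless tcp rule and no `table` using `is_expected.to compile.and_raise_error(/need port or sport or dport/)` would pin both directions of the new condition. The later hunk in this file asserts only the `ipv4` resource for 307, so whether `table` propagates to the ipv6 resource is also unverified; the `let(:params)` block enclosing this hunk starts before it.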