openstack/puppet-tripleo
Code Issues Proposed changes

firewall/rule: add 'table' support

Browse Source 
... so we can create masquerade/nat rules.

Change-Id: Ic9a2626e73d132c3be7ff14a1f4cdba0c16c5b53
This commit is contained in:
Emilien Macchi
2018-03-15 14:42:35 +01:00
parent c3739495e1
commit 8f3c647ea0
3 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
manifests/firewall/rule.pp
View File

@@ -43,6 +43,10 @@
# (optional) The chain to jump to. # (optional) The chain to jump to.
# If present, overrides action # If present, overrides action
# #
# [*table*]
# (optional) The table where the rule is created.
# Defaults to undef
#
# [*state*] # [*state*]
# (optional) Array of states associated to the rule.. # (optional) Array of states associated to the rule..
# Defaults to ['NEW'] # Defaults to ['NEW']
@@ -80,6 +84,7 @@ define tripleo::firewall::rule (
$destination = undef, $destination = undef,
$extras = {}, $extras = {},
$jump = undef, $jump = undef,
$table = undef,
) { ) {
if $port == 'all' { if $port == 'all' {
@@ -109,6 +114,7 @@ define tripleo::firewall::rule (
'chain' => $chain, 'chain' => $chain,
'destination' => $destination, 'destination' => $destination,
'jump' => $jump_real, 'jump' => $jump_real,
'table' => $table,
} }
if $proto == 'icmp' { if $proto == 'icmp' {
$ipv6 = { $ipv6 = {
@@ -140,7 +146,7 @@ define tripleo::firewall::rule (
# If we don't do this sanity check, a user could create some TCP/UDP # If we don't do this sanity check, a user could create some TCP/UDP
# rules without port, and the result would be an iptables rule that allow any # rules without port, and the result would be an iptables rule that allow any
# traffic on the host. # traffic on the host.
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) { if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD') and ($table != 'nat')) {
fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.") fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
} }
if $source or $destination { if $source or $destination {

5
releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
features:
- |
Add support for specifying a table name when creating IPtables rules
with the firewall class.

7
spec/classes/tripleo_firewall_spec.rb
View File

@@ -109,6 +109,7 @@ describe 'tripleo::firewall' do
'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'}, '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
'305 add gre rule' => {'proto' => 'gre'}, '305 add gre rule' => {'proto' => 'gre'},
'306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'}, '306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'},
'307 add custom nat rule' => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
} }
) )
end end
@@ -156,6 +157,12 @@ describe 'tripleo::firewall' do
:action => 'accept', :action => 'accept',
:provider => 'ip6tables', :provider => 'ip6tables',
) )
is_expected.to contain_firewall('307 add custom nat rule ipv4').with(
:destination => '192.168.0.0/24',
:source => '192.168.0.0/24',
:jump => 'RETURN',
:table => 'nat',
)
end end
end end