firewall/rule: add 'table' support
... so we can create masquerade/nat rules. Change-Id: Ic9a2626e73d132c3be7ff14a1f4cdba0c16c5b53
This commit is contained in:
parent
c3739495e1
commit
8f3c647ea0
@ -43,6 +43,10 @@
|
||||
# (optional) The chain to jump to.
|
||||
# If present, overrides action
|
||||
#
|
||||
# [*table*]
|
||||
# (optional) The table where the rule is created.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*state*]
|
||||
# (optional) Array of states associated to the rule..
|
||||
# Defaults to ['NEW']
|
||||
@ -80,6 +84,7 @@ define tripleo::firewall::rule (
|
||||
$destination = undef,
|
||||
$extras = {},
|
||||
$jump = undef,
|
||||
$table = undef,
|
||||
) {
|
||||
|
||||
if $port == 'all' {
|
||||
@ -109,6 +114,7 @@ define tripleo::firewall::rule (
|
||||
'chain' => $chain,
|
||||
'destination' => $destination,
|
||||
'jump' => $jump_real,
|
||||
'table' => $table,
|
||||
}
|
||||
if $proto == 'icmp' {
|
||||
$ipv6 = {
|
||||
@ -140,7 +146,7 @@ define tripleo::firewall::rule (
|
||||
# If we don't do this sanity check, a user could create some TCP/UDP
|
||||
# rules without port, and the result would be an iptables rule that allow any
|
||||
# traffic on the host.
|
||||
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
|
||||
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD') and ($table != 'nat')) {
|
||||
fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
|
||||
}
|
||||
if $source or $destination {
|
||||
|
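Review bot: The `$table != 'nat'` exemption added to the sanity check in the last hunk is not reflected in the comment above it, which still says the check exists only to stop TCP/UDP rules without a port from allowing any traffic on the host, so a reader now has to work out why nat is safe to exempt. I'd extend that comment with `# Rules in the nat table are exempt: they rewrite addresses (MASQUERADE/SNAT/DNAT) rather than accept traffic, so a port-less nat rule does not open the host.` and mention the exemption in the fail message too, e.g. `TCP or UDP rules in the filter table (INPUT or OUTPUT) need port or sport or dport.` The `[*table*]` documentation in the first hunk says the default is undef, which presumably means the firewall type's own default (the filter table) applies — worth stating, along with the accepted table names, since the value is passed straight through on the `'table' => $table` line without local validation. The define starts before the first hunk and continues past the last.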
5
releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml
Normal file
5
releasenotes/notes/firewall_table-f58ec47de40ec62d.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Add support for specifying a table name when creating IPtables rules
|
||||
with the firewall class.
|
@ -109,6 +109,7 @@ describe 'tripleo::firewall' do
|
||||
'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
|
||||
'305 add gre rule' => {'proto' => 'gre'},
|
||||
'306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'},
|
||||
'307 add custom nat rule' => {'table' => 'nat', 'source' => '192.168.0.0/24', 'destination' => '192.168.0.0/24', 'jump' => 'RETURN'},
|
||||
}
|
||||
)
|
||||
end
|
||||
@ -156,6 +157,12 @@ describe 'tripleo::firewall' do
|
||||
:action => 'accept',
|
||||
:provider => 'ip6tables',
|
||||
)
|
||||
is_expected.to contain_firewall('307 add custom nat rule ipv4').with(
|
||||
:destination => '192.168.0.0/24',
|
||||
:source => '192.168.0.0/24',
|
||||
:jump => 'RETURN',
|
||||
:table => 'nat',
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
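Review bot: The new example `'307 add custom nat rule'` only exercises the relaxed path of the sanity check (a port-less rule in the nat table compiles and the resource carries `:table => 'nat'`); nothing asserts that the original guard still fires for a port-less TCP/UDP rule in the default table, so a regression that dropped the guard entirely would still pass this spec. If the spec does not already have such a case elsewhere, add a negative example along the lines of `is_expected.to compile.and_raise_error(/need port or sport or dport/)` for a rule with `'proto' => 'tcp'` and neither port nor table. Whether 307 even reaches the guard depends on the define's default `$proto`, which is outside this hunk; giving the example an explicit `'proto' => 'tcp'` would make the intent unambiguous. The enclosing describe block starts before the first hunk and ends past the last.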