Merge "Add firewall chain support"
commit
9e2db5d045
@ -24,11 +24,19 @@
# (false means disabled, and true means enabled)
# Defaults to false
#
# [*firewall_chains*]
# (optional) Manage firewall chains
# Default to {}
#
# [*firewall_rules*]
# (optional) Allow to add custom firewall rules
# Should be an hash.
# Default to {}
#
# [*purge_firewall_chains*]
# (optional) Boolean, purge all firewalli rules in a given chain
# Defaults to false
#
# [*purge_firewall_rules*]
# (optional) Boolean, purge all firewall resources
# Defaults to false
@ -44,15 +52,23 @@
# Default to {}
#
class tripleo::firewall(
$manage_firewall = false,
$firewall_rules = {},
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
$manage_firewall = false,
$firewall_chains = {},
$firewall_rules = {},
$purge_firewall_chains = false,
$purge_firewall_rules = false,
$firewall_pre_extras = {},
$firewall_post_extras = {},
) {
|
if $manage_firewall {
|
if $purge_firewall_chains {
resources { 'firewallchain':
purge => true
}
}
|
# Only purges IPv4 rules
if $purge_firewall_rules {
resources { 'firewall':
@ -60,6 +76,17 @@ class tripleo::firewall(
}
}
|
# To manage the chains they must be named in specific ways
# https://github.com/puppetlabs/puppetlabs-firewall#type-firewallchain
# Example Hiera:
# tripleo::firewall::firewall_chains:
# 'FORWARD:filter:IPv4':
# ensure: present
# policy: accept
# purge: false
#
create_resources('firewallchain', $firewall_chains)
|
# anyone can add your own rules
# example with Hiera:
#
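Review bot: The `if $purge_firewall_chains` block in the second hunk carries no comment on its reach, unlike the neighbouring `# Only purges IPv4 rules`; a `resources` declaration with `purge => true` removes every `firewallchain` instance that is not declared in the catalog, so with `$firewall_chains` left at its default `{}` enabling the flag marks every existing chain for removal. Adding `# Removes every firewallchain not declared through $firewall_chains` above `resources { 'firewallchain':` would make that visible to operators, and the parameter doc in the first hunk should say the same instead of "purge all firewalli rules in a given chain" (note the typo). The `$firewall_chains` hash is also handed to `create_resources` in the third hunk without the hash validation the `firewall_rules` doc implies; if the module validates `$firewall_rules` elsewhere, the same check belongs here. The class body continues outside these hunks.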
@ -0,0 +1,4 @@
---
features:
- |
Add ability to update firewall chains with the tripleo::firewall class.
@ -171,6 +171,28 @@ describe 'tripleo::firewall' do
it_raises 'a Puppet::Error', /500 wrong tcp rule firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport./
end
|
context 'with firewall chain' do
before :each do
params.merge!(
:manage_firewall => true,
:firewall_chains => {
'FORWARD:filter:IPv4' => {
'ensure' => 'present',
'policy' => 'accept',
'purge' => false
}
})
end
|
it {
is_expected.to contain_firewallchain('FORWARD:filter:IPv4').with(
'ensure' => 'present',
'policy' => 'accept',
'purge' => false)
}
|
end
|
end
|
on_supported_os.each do |os, facts|
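Review bot: The new `context 'with firewall chain'` covers only the `create_resources('firewallchain', …)` path; the `purge_firewall_chains` branch added in the same change has no test, so a regression in the `resources { 'firewallchain': purge => true }` declaration would go unnoticed. A sibling context that merges `:purge_firewall_chains => true` into `params` and asserts the `resources` declaration would pin it, and a case with the default should assert `is_expected.not_to contain_resources('firewallchain')`. The enclosing `describe 'tripleo::firewall'` block begins outside the hunk.
```ruby
    context 'with firewall chain purge' do
      before :each do
        params.merge!(
          :manage_firewall       => true,
          :purge_firewall_chains => true)
      end

      it {
        is_expected.to contain_resources('firewallchain').with_purge(true)
      }
    end
    # … unchanged: 'with firewall chain' context above …
```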