Merge "Add firewall chain support"

2018-02-19 20:46:25 +00:00 · 2018-02-19 20:46:25 +00:00 · 9e2db5d045
parent d647037060 21101149f2
commit 9e2db5d045
3 changed files with 58 additions and 5 deletions
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@ -24,11 +24,19 @@
 #  (false means disabled, and true means enabled)
 #  Defaults to false
 #
+# [*firewall_chains*]
+#   (optional) Manage firewall chains
+#   Default to {}
+#
 # [*firewall_rules*]
 #   (optional) Allow to add custom firewall rules
 #   Should be an hash.
 #   Default to {}
 #
+# [*purge_firewall_chains*]
+#   (optional) Boolean, purge all firewalli rules in a given chain
+#   Defaults to false
+#
 # [*purge_firewall_rules*]
 #   (optional) Boolean, purge all firewall resources
 #   Defaults to false
@ -44,15 +52,23 @@
 #   Default to {}
 #
 class tripleo::firewall(
-  $manage_firewall      = false,
-  $firewall_rules       = {},
-  $purge_firewall_rules = false,
-  $firewall_pre_extras  = {},
-  $firewall_post_extras = {},
+  $manage_firewall       = false,
+  $firewall_chains       = {},
+  $firewall_rules        = {},
+  $purge_firewall_chains = false,
+  $purge_firewall_rules  = false,
+  $firewall_pre_extras   = {},
+  $firewall_post_extras  = {},
 ) {

  if $manage_firewall {

+    if $purge_firewall_chains {
+      resources { 'firewallchain':
+        purge => true
+      }
+    }
+
    # Only purges IPv4 rules
    if $purge_firewall_rules {
      resources { 'firewall':
@ -60,6 +76,17 @@ class tripleo::firewall(
      }
    }

+    # To manage the chains they must be named in specific ways
+    # https://github.com/puppetlabs/puppetlabs-firewall#type-firewallchain
+    # Example Hiera:
+    # tripleo::firewall::firewall_chains:
+    #   'FORWARD:filter:IPv4':
+    #     ensure: present
+    #     policy: accept
+    #     purge: false
+    #
+    create_resources('firewallchain', $firewall_chains)
+
    # anyone can add your own rules
    # example with Hiera:
    #
--- a/releasenotes/notes/firewall-chain-updates-f2b9d6ced9bde846.yaml
+++ b/releasenotes/notes/firewall-chain-updates-f2b9d6ced9bde846.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Add ability to update firewall chains with the tripleo::firewall class.
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@ -171,6 +171,28 @@ describe 'tripleo::firewall' do
      it_raises 'a Puppet::Error', /500 wrong tcp rule firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport./
    end

+    context 'with firewall chain' do
+      before :each do
+        params.merge!(
+          :manage_firewall => true,
+          :firewall_chains => {
+            'FORWARD:filter:IPv4' => {
+              'ensure' => 'present',
+              'policy' => 'accept',
+              'purge'  => false
+            }
+          })
+      end
+
+      it {
+        is_expected.to contain_firewallchain('FORWARD:filter:IPv4').with(
+          'ensure' => 'present',
+          'policy' => 'accept',
+          'purge'  => false)
+      }
+
+    end
+
  end

  on_supported_os.each do |os, facts|