diff --git a/manifests/masquerade_networks.pp b/manifests/masquerade_networks.pp
index 671cecc4d..c1acae549 100644
--- a/manifests/masquerade_networks.pp
+++ b/manifests/masquerade_networks.pp
@@ -26,16 +26,20 @@ class tripleo::masquerade_networks (
 ){
 if $masquerade_networks {
 $masquerade_networks.each |$source, $destinations| {
+ $destinations.each |$destination| {
+ create_resources('tripleo::firewall::rule', {
+ "137 routed_network return src ${source} dest ${destination}" => {
+ 'table' => 'nat',
+ 'source' => $source,
+ 'destination' => $destination,
+ 'jump' => 'RETURN',
+ 'chain' => 'POSTROUTING',
+ 'proto' => 'all',
+ 'state' => ['ESTABLISHED', 'NEW', 'RELATED'],
+ },
+ })
+ }
 create_resources('tripleo::firewall::rule', {
- "137 routed_network return ${source}" => {
- 'table' => 'nat',
- 'source' => $source,
- 'destination' => $destinations,
- 'jump' => 'RETURN',
- 'chain' => 'POSTROUTING',
- 'proto' => 'all',
- 'state' => ['ESTABLISHED', 'NEW', 'RELATED'],
- },
 "138 routed_network masquerade ${source}" => {
 'table' => 'nat',
 'source' => $source,
@@ -51,7 +55,7 @@ class tripleo::masquerade_networks (
 'state' => ['ESTABLISHED', 'NEW', 'RELATED'],
 },
 "140 routed_network forward destinations ${source}" => {
- 'destination' => $destinations,
+ 'destination' => $source,
 'chain' => 'FORWARD',
 'proto' => 'all',
 'state' => ['ESTABLISHED', 'NEW', 'RELATED'],
diff --git a/releasenotes/notes/fix-masquerade-networks-c9ab4affb17627e1.yaml b/releasenotes/notes/fix-masquerade-networks-c9ab4affb17627e1.yaml
new file mode 100644
index 000000000..36ed33641
--- /dev/null
+++ b/releasenotes/notes/fix-masquerade-networks-c9ab4affb17627e1.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Masquerading and forwarding rules are now correctly created when using
+ routed networks.
+ (See `bug: 1797455 `_.)
\ No newline at end of file
diff --git a/spec/classes/tripleo_masquerade_networks_spec.rb b/spec/classes/tripleo_masquerade_networks_spec.rb
index 9eedabc30..d50db6dce 100644
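Review bot: `$destinations.each |$destination|` in the first hunk of `masquerade_networks.pp` assumes every value in `$masquerade_networks` is an array, and nothing in the hunk checks that. The parameter declaration is outside the hunk, so the type may already be enforced there; if it is not, declaring it as `Optional[Hash[String, Array[String]]]` would reject a single CIDR string with a readable error instead of a failure inside the loop. A CIDR repeated in one list would also declare the same `137 routed_network return src ... dest ...` title twice, which iterating over `unique($destinations)` would avoid. A comment above the loop, e.g. `# one RETURN rule per source/destination pair (presumably because a rule takes a single destination)`, would record why the rule was split.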
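Review bot: Rule `140` in the second hunk now matches `'destination' => $source` while still listing `NEW` in `'state'`, so as far as the hunk shows it also covers connections initiated from any origin towards the masqueraded network, not only replies to traffic that network started. The rule's action and the rest of the hash lie outside the hunk, so this is inferred; if the rule accepts, the return path only needs `'state' => ['ESTABLISHED', 'RELATED'],`, and allowing unsolicited inbound forwarding should be an explicit, documented choice. The title `forward destinations ${source}` no longer describes the match either; a comment such as `# return path: traffic forwarded back to the source network` would keep the rule auditable without renaming it.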
--- a/spec/classes/tripleo_masquerade_networks_spec.rb
+++ b/spec/classes/tripleo_masquerade_networks_spec.rb
@@ -34,10 +34,19 @@ describe 'tripleo::masquerade_networks' do
 end
 it 'configure RETURN rule' do
- is_expected.to contain_firewall('137 routed_network return 192.168.24.0/24 ipv4').with(
+ is_expected.to contain_firewall('137 routed_network return src 192.168.24.0/24 dest 192.168.24.0/24 ipv4').with(
 :table => 'nat',
 :source => '192.168.24.0/24',
- :destination => ['192.168.24.0/24', '192.168.25.0/24'],
+ :destination => '192.168.24.0/24',
+ :jump => 'RETURN',
+ :chain => 'POSTROUTING',
+ :proto => 'all',
+ :state => ['ESTABLISHED', 'NEW', 'RELATED'],
+ )
+ is_expected.to contain_firewall('137 routed_network return src 192.168.24.0/24 dest 192.168.25.0/24 ipv4').with(
+ :table => 'nat',
+ :source => '192.168.24.0/24',
+ :destination => '192.168.25.0/24',
 :jump => 'RETURN',
 :chain => 'POSTROUTING',
 :proto => 'all',
@@ -64,7 +73,7 @@ describe 'tripleo::masquerade_networks' do
 :state => ['ESTABLISHED', 'NEW', 'RELATED'],
 )
 is_expected.to contain_firewall('140 routed_network forward destinations 192.168.24.0/24 ipv4').with(
- :destination => ['192.168.24.0/24', '192.168.25.0/24'],
+ :destination => '192.168.24.0/24',
 :chain => 'FORWARD',
 :proto => 'all',
 :state => ['ESTABLISHED', 'NEW', 'RELATED'],
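Review bot: The `configure RETURN rule` example asserts the two new per-destination titles but never asserts that the old combined rule is gone. A regression that re-adds `137 routed_network return 192.168.24.0/24 ipv4` with a list-valued `:destination` would therefore still pass. Adding `is_expected.not_to contain_firewall('137 routed_network return 192.168.24.0/24 ipv4')` to the example would pin that. The fixture shown here also only exercises a two-element destination list, so a single-destination entry is not covered as far as the hunk shows; the example's closing lines are outside the hunk.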