firewall: generally accept "jump" param and use tripleo:firewall for log rule

Tentative fix for bug #1669763, trying to use the same class for every rule we want to add to the chain. Change-Id: I4ba451c1b258391c8f1cfb4d73e38828c437b1c1 Closes-Bug: #1669763
2017-03-03 14:24:48 +01:00 · 2017-03-03 14:24:48 +01:00 · c0c850d598
commit c0c850d598
parent bd89e21fe8
2 changed files with 16 additions and 2 deletions
--- a/manifests/firewall/post.pp
+++ b/manifests/firewall/post.pp
@ -36,7 +36,7 @@ class tripleo::firewall::post(
  if $debug {
    warning('debug is enabled, the traffic is not blocked.')
  } else {
-    firewall { '998 log all':
+    tripleo::firewall::rule{ '998 log all':
      proto => 'all',
      jump  => 'LOG',
    }
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@ -39,6 +39,10 @@
 #  (optional) The action policy associated to the rule.
 #  Defaults to 'accept'
 #
+# [*jump*]
+#  (optional) The chain to jump to.
+#  If present, overrides action
+#
 # [*state*]
 #  (optional) Array of states associated to the rule..
 #  Defaults to ['NEW']
@ -75,6 +79,7 @@ define tripleo::firewall::rule (
  $chain       = 'INPUT',
  $destination = undef,
  $extras      = {},
+  $jump        = undef,
 ) {

  if $port == 'all' {
@ -85,16 +90,25 @@ define tripleo::firewall::rule (
    $port_real = $port
  }

+  if $jump != undef {
+    $jump_real   = $jump
+    $action_real = undef
+  } else {
+    $jump_real   = undef
+    $action_real = $action
+  }
+
  $basic = {
    'port'        => $port_real,
    'dport'       => $dport,
    'sport'       => $sport,
    'proto'       => $proto,
-    'action'      => $action,
+    'action'      => $action_real,
    'source'      => $source,
    'iniface'     => $iniface,
    'chain'       => $chain,
    'destination' => $destination,
+    'jump'        => $jump_real,
  }
  if $proto == 'icmp' {
    $ipv6 = {