masquerade: configure FORWARD rules

When enabling masquerading, we need to allow the traffic to go through so we need the FORWARD rules as well, for source and destination networks. Also support multiple destinations or sources for ipv4/ipv6 suffixed rules with a REGEX. Change-Id: I48aa95b96c762a72273b5b0b714a04da7ee69a40
2018-04-09 13:14:50 -07:00 · 2018-04-09 13:14:50 -07:00 · f50d381913
commit f50d381913
parent fba0dfc344
3 changed files with 30 additions and 3 deletions
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@ -150,10 +150,10 @@ define tripleo::firewall::rule (
    fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
  }
  if $source or $destination {
-    if ('.' in $destination or '.' in $source) {
+    if (/[.]/ in $destination or /[.]/ in $source) {
      create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
    }
-    if (':' in $destination or ':' in $source) {
+    if (/[:]/ in $destination or /[:]/ in $source) {
      create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
    }
  } else {
--- a/manifests/masquerade_networks.pp
+++ b/manifests/masquerade_networks.pp
@ -43,7 +43,19 @@ class tripleo::masquerade_networks (
          'chain'       => 'POSTROUTING',
          'proto'       => 'all',
          'state'       => ['ESTABLISHED', 'NEW', 'RELATED'],
-        }
+        },
+        "139 routed_network forward source ${source}" => {
+          'source'      => $source,
+          'chain'       => 'FORWARD',
+          'proto'       => 'all',
+          'state'       => ['ESTABLISHED', 'NEW', 'RELATED'],
+        },
+        "140 routed_network forward destinations ${source}" => {
+          'destination' => $destinations,
+          'chain'       => 'FORWARD',
+          'proto'       => 'all',
+          'state'       => ['ESTABLISHED', 'NEW', 'RELATED'],
+        },
      })
    }
  }
--- a/spec/classes/tripleo_masquerade_networks_spec.rb
+++ b/spec/classes/tripleo_masquerade_networks_spec.rb
@ -55,6 +55,21 @@ describe 'tripleo::masquerade_networks' do
          :state       => ['ESTABLISHED', 'NEW', 'RELATED'],
        )
      end
+
+      it 'configure FORWARD rules' do
+        is_expected.to contain_firewall('139 routed_network forward source 192.168.24.0/24 ipv4').with(
+          :source      => '192.168.24.0/24',
+          :chain       => 'FORWARD',
+          :proto       => 'all',
+          :state       => ['ESTABLISHED', 'NEW', 'RELATED'],
+        )
+        is_expected.to contain_firewall('140 routed_network forward destinations 192.168.24.0/24 ipv4').with(
+          :destination => ['192.168.24.0/24', '192.168.25.0/24'],
+          :chain       => 'FORWARD',
+          :proto       => 'all',
+          :state       => ['ESTABLISHED', 'NEW', 'RELATED'],
+        )
+      end
    end

  end