From 7bc85e290fd3cc4b7e9d1e8fb2972e658bd1b201 Mon Sep 17 00:00:00 2001
From: Jeff '2 bits' Bachtel <jbachtel@bericotechnologies.com>
Date: Wed, 5 Mar 2014 12:32:02 -0500
Subject: [PATCH 1/5] Add support for mac address source rules

This is necessary to parse rules generated on OpenStack Havana + Neutron + OpenVSwitch
---
 lib/puppet/provider/firewall/iptables.rb  | 5 +++--
 spec/fixtures/iptables/conversion_hash.rb | 9 +++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 698e731..ba98227 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -50,7 +50,7 @@
     :destination => "-d",
     :dst_type => "-m addrtype --dst-type",
     :dst_range => "-m iprange --dst-range",
-    :dport => ["-m multiport --dports", "--dport"],
+    :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
     :gid => "-m owner --gid-owner",
     :icmp => "-m icmp --icmp-type",
     :iniface => "-i",
@@ -58,6 +58,7 @@
     :limit => "-m limit --limit",
     :log_level => "--log-level",
     :log_prefix => "--log-prefix",
+    :mac_addr => ["-m mac --mac-source", "--mac-source"],
     :name => "-m comment --comment",
     :outiface => "-o",
     :port => '-m multiport --ports',
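Review bot: The new `:mac_addr` key only ever maps `--mac-source` (the iptables `mac` match has no destination variant), so the parameter name overstates what it matches and nothing in the hash says that a rule with this property only makes sense in chains that see ingress traffic (PREROUTING/INPUT/FORWARD). A one-line comment on the added line would save the next reader a trip to the man page: `# -m mac only has --mac-source; valid only for chains seeing ingress (PREROUTING/INPUT/FORWARD)`. It is also worth noting in the type's `desc` that a source MAC is trivially spoofable and is not by itself an authentication check, which matters for rules generated by Neutron on shared L2 segments. The `@resource_map` hash this hunk edits opens and closes outside the hunk.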
@@ -137,7 +138,7 @@
   # This order can be determined by going through iptables source code or just tweaking and trying manually
   @resource_list = [
     :table, :source, :destination, :iniface, :outiface, :proto, :isfragment,
-    :src_range, :dst_range, :tcp_flags, :gid, :uid, :sport, :dport, :port,
+    :src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_addr, :sport, :dport, :port,
     :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
     :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
     :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 042e8bb..7ce1470 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -6,6 +6,15 @@
 # This hash is for testing a line conversion to a hash of parameters
 # which will be used to create a resource.
 ARGS_TO_HASH = {
+  'mac_source_1' => {
+    :line => '-A neutron-openvswi-FORWARD -b -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
+    :table => 'filter',
+    :params => {
+      :chain => 'neutron-openvswi-FORWARD',
+      :source => '1.2.3.4/32',
+      :mac_addr => 'FA:16:00:00:00:00',
+    },
+  },
   'dport_and_sport' => {
     :line => '-A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT',
     :table => 'filter',
-- 
1.9.1


From 555a37e5b4bf44db9ccc827cf893d049c5974795 Mon Sep 17 00:00:00 2001
From: Jeff '2 bits' Bachtel <jbachtel@bericotechnologies.com>
Date: Wed, 5 Mar 2014 12:35:46 -0500
Subject: [PATCH 2/5] Fix bad rebase

---
 lib/puppet/provider/firewall/iptables.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index ba98227..f67cb21 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -50,7 +50,7 @@
     :destination => "-d",
     :dst_type => "-m addrtype --dst-type",
     :dst_range => "-m iprange --dst-range",
-    :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
+    :dport => ["-m multiport --dports", "--dport"],
     :gid => "-m owner --gid-owner",
     :icmp => "-m icmp --icmp-type",
     :iniface => "-i",
-- 
1.9.1


From 313b4dd0fe61ee5dddab1e45cf42365fac5ae736 Mon Sep 17 00:00:00 2001
From: Damian Szeluga <dszeluga@mirantis.com>
Date: Fri, 21 Mar 2014 15:12:02 +0100
Subject: [PATCH 3/5] Missing type definition

---
 lib/puppet/type/firewall.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 4701e27..d959d3c 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -857,6 +857,13 @@ def should_to_s(value)
       Read-only property for caching the rule line.
     EOS
   end
+  
+  newproperty(:mac_addr) do
+    desc <<-EOS
+      MAC Address
+    EOS
+    newvalues(/^([0-9a-f]{2}[:]){6}$/i)
+  end
 
   autorequire(:firewallchain) do
     reqs = []
-- 
1.9.1


From 9afd0fdadf99980e6454043bf8e0e452c242736e Mon Sep 17 00:00:00 2001
From: Damian Szeluga <dszeluga@mirantis.com>
Date: Fri, 21 Mar 2014 16:53:52 +0100
Subject: [PATCH 4/5] Fix failing test

---
 spec/fixtures/iptables/conversion_hash.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 7ce1470..d50b1e8 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -7,7 +7,7 @@
 # which will be used to create a resource.
 ARGS_TO_HASH = {
   'mac_source_1' => {
-    :line => '-A neutron-openvswi-FORWARD -b -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
+    :line => '-A neutron-openvswi-FORWARD -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
     :table => 'filter',
     :params => {
       :chain => 'neutron-openvswi-FORWARD',
-- 
1.9.1


From 33be12484e6eb3a0c257a5b7dcb2e070fa3f1331 Mon Sep 17 00:00:00 2001
From: Damian Szeluga <dszeluga@mirantis.com>
Date: Wed, 23 Apr 2014 12:22:33 +0200
Subject: [PATCH 5/5] Acceptance testing + fix parameter match

---
 lib/puppet/type/firewall.rb      |  2 +-
 spec/acceptance/firewall_spec.rb | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index d959d3c..1512fd6 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -862,7 +862,7 @@ def should_to_s(value)
     desc <<-EOS
       MAC Address
     EOS
-    newvalues(/^([0-9a-f]{2}[:]){6}$/i)
+    newvalues(/^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$/i)
   end
 
   autorequire(:firewallchain) do
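Review bot: The corrected pattern still anchors with `^`/`$`, which in Ruby match at line boundaries rather than at the ends of the string, so a value such as `"0A:1B:3C:4D:5E:6F\n--foo"` would pass `newvalues` and then be handed to the provider as a single argument; use string anchors instead: `newvalues(/\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i)`. The `desc` of "MAC Address" is also too thin for a property that is passed straight to iptables; I would extend it to say that it maps to `-m mac --mac-source`, is only meaningful for ingress chains, and that matching on a source MAC is not a substitute for authentication because the address is attacker-controlled. The enclosing `newproperty(:mac_addr) do` line is outside this hunk.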
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 486ce56..89da439 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -1607,6 +1607,30 @@ class { '::firewall': }
     end
   end
 
+  describe 'mac_addr' do
+    context '0A:1B:3C:4D:5E:6F' do
+      it 'applies' do
+        pp = <<-EOS
+          class { '::firewall': }
+          firewall { '610 - test':
+            ensure => present,
+            source => '10.1.5.28/32',
+            mac_addr => '0A:1B:3C:4D:5E:6F',
+            chain => 'INPUT',
+          }
+        EOS
+
+        apply_manifest(pp, :catch_failures => true)
+      end
+
+      it 'should contain the rule' do
+        shell('iptables-save') do |r|
+          expect(r.stdout).to match(/-A INPUT -s 10.1.5.28\/(32|255\.255\.255\.255) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"/)
+        end
+      end
+    end
+  end
+
   describe 'reset' do
     it 'deletes all rules' do
       shell('ip6tables --flush')
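Review bot: The new `describe 'mac_addr'` only exercises the happy path; since `mac_addr` gates on a `newvalues` regex that was wrong in the previous revision of this series, an acceptance context that asserts a malformed value is rejected would have caught that and protects the validation going forward. The expectation on the `iptables-save` line also assumes `-p tcp` appears although the manifest sets no `proto`; that presumably relies on the type's default protocol, which is worth a short comment so a future default change does not silently break the regex, and the dots in `10.1.5.28` are unescaped (`10\.1\.5\.28`). A rejection context along the following lines, placed inside the existing `describe 'mac_addr'`, would round this out.
```ruby
    context 'invalid value 0A:1B:3C:4D:5E' do
      it 'fails to apply' do
        pp = <<-EOS
          class { '::firewall': }
          firewall { '611 - test':
            ensure => present,
            source => '10.1.5.28/32',
            mac_addr => '0A:1B:3C:4D:5E',
            chain => 'INPUT',
          }
        EOS

        apply_manifest(pp, :expect_failures => true)
      end

      it 'should not contain the rule' do
        shell('iptables-save') do |r|
          expect(r.stdout).to_not match(/--mac-source 0A:1B:3C:4D:5E /)
        end
      end
    end
    # … unchanged: existing '0A:1B:3C:4D:5E:6F' context …
```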
-- 
1.9.1