From 7bc85e290fd3cc4b7e9d1e8fb2972e658bd1b201 Mon Sep 17 00:00:00 2001
From: Jeff '2 bits' Bachtel <jbachtel@bericotechnologies.com>
Date: Wed, 5 Mar 2014 12:32:02 -0500
Subject: [PATCH 1/5] Add support for mac address source rules
This is necessary to parse rules generated by OpenStack Havana with Neutron and Open vSwitch.
---
lib/puppet/provider/firewall/iptables.rb | 5 +++--
spec/fixtures/iptables/conversion_hash.rb | 9 +++++++++
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 698e731..ba98227 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -50,7 +50,7 @@
:destination => "-d",
:dst_type => "-m addrtype --dst-type",
:dst_range => "-m iprange --dst-range",
- :dport => ["-m multiport --dports", "--dport"],
+ :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
:gid => "-m owner --gid-owner",
:icmp => "-m icmp --icmp-type",
:iniface => "-i",
@@ -58,6 +58,7 @@
:limit => "-m limit --limit",
:log_level => "--log-level",
:log_prefix => "--log-prefix",
+ :mac_addr => ["-m mac --mac-source", "--mac-source"],
:name => "-m comment --comment",
:outiface => "-o",
:port => '-m multiport --ports',
@@ -137,7 +138,7 @@
# This order can be determined by going through iptables source code or just tweaking and trying manually
@resource_list = [
:table, :source, :destination, :iniface, :outiface, :proto, :isfragment,
- :src_range, :dst_range, :tcp_flags, :gid, :uid, :sport, :dport, :port,
+ :src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_addr, :sport, :dport, :port,
:dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
:state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
:rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 042e8bb..7ce1470 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -6,6 +6,15 @@
# This hash is for testing a line conversion to a hash of parameters
# which will be used to create a resource.
ARGS_TO_HASH = {
+ 'mac_source_1' => {
+ :line => '-A neutron-openvswi-FORWARD -b -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :chain => 'neutron-openvswi-FORWARD',
+ :source => '1.2.3.4/32',
+ :mac_addr => 'FA:16:00:00:00:00',
+ },
+ },
'dport_and_sport' => {
:line => '-A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT',
:table => 'filter',
--
1.9.1
From 555a37e5b4bf44db9ccc827cf893d049c5974795 Mon Sep 17 00:00:00 2001
From: Jeff '2 bits' Bachtel <jbachtel@bericotechnologies.com>
Date: Wed, 5 Mar 2014 12:35:46 -0500
Subject: [PATCH 2/5] Fix bad rebase
---
lib/puppet/provider/firewall/iptables.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index ba98227..f67cb21 100644
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -50,7 +50,7 @@
:destination => "-d",
:dst_type => "-m addrtype --dst-type",
:dst_range => "-m iprange --dst-range",
- :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
+ :dport => ["-m multiport --dports", "--dport"],
:gid => "-m owner --gid-owner",
:icmp => "-m icmp --icmp-type",
:iniface => "-i",
--
1.9.1
From 313b4dd0fe61ee5dddab1e45cf42365fac5ae736 Mon Sep 17 00:00:00 2001
From: Damian Szeluga <dszeluga@mirantis.com>
Date: Fri, 21 Mar 2014 15:12:02 +0100
Subject: [PATCH 3/5] Missing type definition
---
lib/puppet/type/firewall.rb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index 4701e27..d959d3c 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -857,6 +857,13 @@ def should_to_s(value)
Read-only property for caching the rule line.
EOS
end
+
+ newproperty(:mac_addr) do
+ desc <<-EOS
+ MAC Address
+ EOS
+ newvalues(/^([0-9a-f]{2}[:]){6}$/i)
+ end
autorequire(:firewallchain) do
reqs = []
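Review bot: The `newvalues` regex on the added `mac_addr` property anchors with `^` and `$`, which in Ruby match at line boundaries rather than string boundaries, so a value such as a well-formed address followed by a newline and further text still passes validation and presumably reaches the provider's iptables invocation unchanged; whole-string anchors `\A` and `\z` are what a validator needs here. Patch 5 below rewrites the same line to fix the octet count but keeps the line anchors, so the final form should be `newvalues(/\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i)`. The enclosing `newtype` block starts and ends outside this hunk.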
--
1.9.1
From 9afd0fdadf99980e6454043bf8e0e452c242736e Mon Sep 17 00:00:00 2001
From: Damian Szeluga <dszeluga@mirantis.com>
Date: Fri, 21 Mar 2014 16:53:52 +0100
Subject: [PATCH 4/5] Fix failing test
---
spec/fixtures/iptables/conversion_hash.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
index 7ce1470..d50b1e8 100644
--- a/spec/fixtures/iptables/conversion_hash.rb
+++ b/spec/fixtures/iptables/conversion_hash.rb
@@ -7,7 +7,7 @@
# which will be used to create a resource.
ARGS_TO_HASH = {
'mac_source_1' => {
- :line => '-A neutron-openvswi-FORWARD -b -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
+ :line => '-A neutron-openvswi-FORWARD -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
:table => 'filter',
:params => {
:chain => 'neutron-openvswi-FORWARD',
--
1.9.1
From 33be12484e6eb3a0c257a5b7dcb2e070fa3f1331 Mon Sep 17 00:00:00 2001
From: Damian Szeluga <dszeluga@mirantis.com>
Date: Wed, 23 Apr 2014 12:22:33 +0200
Subject: [PATCH 5/5] Acceptance testing + fix parameter match
---
lib/puppet/type/firewall.rb | 2 +-
spec/acceptance/firewall_spec.rb | 24 ++++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index d959d3c..1512fd6 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -862,7 +862,7 @@ def should_to_s(value)
desc <<-EOS
MAC Address
EOS
- newvalues(/^([0-9a-f]{2}[:]){6}$/i)
+ newvalues(/^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$/i)
end
autorequire(:firewallchain) do
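Review bot: The `desc` for `mac_addr` still reads only `MAC Address`, which says neither what is matched nor what format is accepted, and this is the text that ends up in the generated type reference. Since the provider maps the property to iptables' `-m mac --mac-source`, the description should say it matches the source MAC of the incoming frame, that the value is six colon-separated hex octets as enforced by the `newvalues` pattern on the line above, and that the iptables mac match is only valid in the PREROUTING, FORWARD and INPUT chains for packets arriving on an Ethernet interface, so a rule using it in OUTPUT fails when applied. Suggested heredoc body: `Source MAC address to match (iptables -m mac --mac-source), as six colon-separated hex octets, e.g. 0A:1B:3C:4D:5E:6F. Only valid in the PREROUTING, FORWARD and INPUT chains.` The enclosing `newtype` block starts and ends outside this hunk.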
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index 486ce56..89da439 100644
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -1607,6 +1607,30 @@ class { '::firewall': }
end
end
+ describe 'mac_addr' do
+ context '0A:1B:3C:4D:5E:6F' do
+ it 'applies' do
+ pp = <<-EOS
+ class { '::firewall': }
+ firewall { '610 - test':
+ ensure => present,
+ source => '10.1.5.28/32',
+ mac_addr => '0A:1B:3C:4D:5E:6F',
+ chain => 'INPUT',
+ }
+ EOS
+
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should contain the rule' do
+ shell('iptables-save') do |r|
+ expect(r.stdout).to match(/-A INPUT -s 10.1.5.28\/(32|255\.255\.255\.255) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"/)
+ end
+ end
+ end
+ end
+
describe 'reset' do
it 'deletes all rules' do
shell('ip6tables --flush')
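Review bot: The new `describe 'mac_addr'` block only exercises the accepting path; nothing checks that a malformed address is rejected at catalog time, which is the one behaviour the `newvalues` regex in `firewall.rb` exists for, and the regex was already wrong once in this series (patch 3 required a trailing colon). A second context applying a five-octet value with `:expect_failures => true` would pin that down. The `'should contain the rule'` expectation also hard-codes `-p tcp` although the manifest sets no `proto`, so it appears to rely on the type's default protocol; if that default ever changes the match silently breaks, and setting `proto => 'tcp'` in the manifest would make the expectation self-contained. The outer `describe` that this block sits in starts outside the hunk.

```ruby
  describe 'mac_addr' do
    # … unchanged: context '0A:1B:3C:4D:5E:6F' …

    context 'invalid 0A:1B:3C:4D:5E' do
      it 'fails' do
        pp = <<-EOS
          class { '::firewall': }
          firewall { '611 - test':
            ensure   => present,
            source   => '10.1.5.28/32',
            mac_addr => '0A:1B:3C:4D:5E',
            chain    => 'INPUT',
          }
        EOS

        apply_manifest(pp, :expect_failures => true)
      end
    end
  end
```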
--
1.9.1