authorThore Bödecker <me@foxxx0.de>2019-09-11 16:01:32 +0200
committerThore Bödecker <me@foxxx0.de>2019-09-11 16:01:32 +0200
commit3d868fb81532d717fd625638781e4663a834260c (patch)
tree397bcfd1f98200da896b8d032cbd4b9bcb1a3749
parent6d96e030be0db4a916dd6a9bd0b25570d359e634 (diff)
downloadpuppet-ferm-3d868fb81532d717fd625638781e4663a834260c.tar.gz
puppet-ferm-3d868fb81532d717fd625638781e4663a834260c.tar.bz2
allow using an array for $proto
This enables defining ferm::rule with multiple protocols at once, because using 'all' for $proto does not allow using $dport/$sport.
-rw-r--r--REFERENCE.md2
-rw-r--r--manifests/rule.pp6
-rw-r--r--spec/defines/rule_spec.rb19
-rw-r--r--types/protocols.pp5
4 files changed, 28 insertions, 4 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 19ffae0..d9adadb 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -412,7 +412,7 @@ Alias of `Enum['ACCEPT', 'DROP']`
a list of allowed protocolls to match
-Alias of `Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']`
+Alias of `Variant[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all'], Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']]]`
### Ferm::Tables
diff --git a/manifests/rule.pp b/manifests/rule.pp
index 4f2c985..a973601 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -73,8 +73,10 @@ define ferm::rule (
Ferm::Chain <| chain == $action_temp and table == $table |> -> Ferm::Rule[$name]
}
-
- $proto_real = "proto ${proto}"
+ $proto_real = $proto ? {
+ Array => "proto (${join($proto, ' ')})",
+ String => "proto ${proto}",
+ }
$dport_real = $dport ? {
undef => '',
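Review bot: An empty array takes the `Array` branch of the new selector and is rendered as `proto ()`, because the `Array[Enum[...]]` branch added in types/protocols.pp sets no minimum length. In a firewall rule that is probably a ferm parse error, or at best a rule that does not match what the caller intended, so it should be rejected at catalog compilation rather than written into the fragment. Requiring one element in the type, `Array[Enum[...], 1]`, closes this without changing the selector. The body of `ferm::rule` starts and ends outside this hunk.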
diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index ef20e17..33ce169 100644
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -114,6 +114,25 @@ describe 'ferm::rule', type: :define do
it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
end
+ context 'without a specific interface using array for proto' do
+ let(:title) { 'filter-consul' }
+ let :params do
+ {
+ chain: 'INPUT',
+ action: 'ACCEPT',
+ proto: %w[tcp udp],
+ dport: '(8301 8302)',
+ saddr: '127.0.0.1'
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_concat__fragment('INPUT-filter-consul').with_content("mod comment comment 'filter-consul' proto (tcp udp) dport (8301 8302) saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
+ it { is_expected.to contain_concat__fragment('filter-FORWARD-config-include') }
+ it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') }
+ end
+
context 'with jumping to custom chains' do
# create custom chain
let(:pre_condition) do
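Review bot: The new context only pins the happy path with `%w[tcp udp]`; nothing checks that the array form is still validated. The `Ferm::Protocols` alias is what keeps arbitrary strings from being interpolated into the generated ferm rule, so a negative case is worth adding, for example a context with `proto: %w[tcp bogus]` and `it { is_expected.not_to compile }`. A one-element array such as `%w[tcp]` would also pin the `proto (tcp)` rendering. The following `context 'with jumping to custom chains'` block continues outside this hunk.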
diff --git a/types/protocols.pp b/types/protocols.pp
index ee3ac2b..cdd76b2 100644
--- a/types/protocols.pp
+++ b/types/protocols.pp
@@ -1,2 +1,5 @@
# @summary a list of allowed protocolls to match
-type Ferm::Protocols = Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']
+type Ferm::Protocols = Variant[
+ Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all'],
+ Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']],
+]
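Review bot: The array branch still lists `'all'`, so `['all', 'tcp']` is accepted and manifests/rule.pp would render it as `proto (all tcp)`. The commit message says `'all'` cannot be combined with `$dport`/`$sport`, and mixing it with concrete protocols looks unintended. Leaving `'all'` out of the inner Enum, `Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh']]`, would reject that combination at compile time. The protocol list is also written out twice and can drift; a comment above the alias saying the two lists must stay in step would help.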