author | Thore Bödecker <me@foxxx0.de> | 2020-07-02 15:22:29 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-02 15:22:29 +0200 |
commit | a2b5e7161902b9d8f9b4f8edc03e4a178ec50404 (patch) | |
tree | 0d7b70fc52d707a36c94360b72da2e2dd728d7fb /manifests/rule.pp | |
parent | 840e99f57957059362b387ded299e8dddb6b475c (diff) | |
parent | 1fc98345fae1cf48e1891b59e2faf4823246aa76 (diff) | |
Merge pull request #114 from foxxx0/fix-portrange-regression
implement proper sport/dport types, validate port ranges, fix some minor regressions
Diffstat (limited to 'manifests/rule.pp')
-rw-r--r-- | manifests/rule.pp | 50 |
1 files changed, 42 insertions, 8 deletions
diff --git a/manifests/rule.pp b/manifests/rule.pp
index 458bef6..f239402 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -59,8 +59,8 @@ define ferm::rule (
 String $comment = $name,
 Optional[Ferm::Actions] $action = undef,
 Optional[Ferm::Policies] $policy = undef,
- Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $dport = undef,
- Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $sport = undef,
+ Optional[Ferm::Port] $dport = undef,
+ Optional[Ferm::Port] $sport = undef,
 Optional[Variant[Array, String[1]]] $saddr = undef,
 Optional[Variant[Array, String[1]]] $daddr = undef,
 Optional[String[1]] $proto_options = undef,
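Review bot: The new `Ferm::Port` type on the `$dport` and `$sport` lines widens what callers may pass (the second hunk of this file now also accepts `lower:upper` and `:upper` range strings), but the `@param dport` / `@param sport` documentation in the define's header comment, which starts before this hunk, is not updated by the commit; add `# @param dport Integer, Array of Integers, or a 'lower:upper' range string (lower may be omitted)` and the same for `sport`. `Ferm::Port` itself is defined outside this diff, so its pattern cannot be checked here; if it is a `Pattern` type it should anchor with `\A` and `\z` rather than `^` and `$`, since Ruby regex anchors match at line boundaries, and the same applies to the `/^\d*:\d+$/` checks in the next hunk. The range values only reach the generated ferm configuration after `Integer()` conversion and the `Stdlib::Port` assertion, so this is a validation-hygiene point rather than an injection path, but keeping the type's pattern and the body's regex in sync avoids two diverging definitions of a valid port spec.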
@@ -95,26 +95,60 @@ define ferm::rule (
 String => "proto ${proto}",
 }
- # ferm supports implicit multiport using the "dports" shortcut
+
 if $dport =~ Array {
 $dports = join($dport, ' ')
- $dport_real = "dports (${dports})"
+ $dport_real = "mod multiport destination-ports (${dports})"
 } elsif $dport =~ Integer {
 $dport_real = "dport ${dport}"
- } else {
+ } elsif String($dport) =~ /^\d*:\d+$/ {
+ $portrange = split($dport, /:/)
+ $lower = $portrange[0] ? {
+ '' => 0,
+ default => Integer($portrange[0]),
+ }
+ $upper = Integer($portrange[1])
+ assert_type(Tuple[Stdlib::Port, Stdlib::Port], [$lower, $upper]) |$expected, $actual| {
+ fail("The data type should be \'${expected}\', not \'${actual}\'. The data is [${lower}, ${upper}])}.")
+ ''
+ }
+ if $lower > $upper {
+ fail("Lower port number of the port range is larger than upper. ${lower}:${upper}")
+ }
+ $dport_real = "dport ${lower}:${upper}"
+ } elsif String($dport) == '' {
 $dport_real = ''
+ } else {
+ fail("invalid destination-port: ${dport}")
 }
- # ferm supports implicit multiport using the "sports" shortcut
 if $sport =~ Array {
 $sports = join($sport, ' ')
- $sport_real = "sports (${sports})"
+ $sport_real = "mod multiport source-ports (${sports})"
 } elsif $sport =~ Integer {
 $sport_real = "sport ${sport}"
- } else {
+ } elsif String($sport) =~ /^\d*:\d+$/ {
+ $portrange = split($sport, /:/)
+ $lower = $portrange[0] ? {
+ '' => 0,
+ default => Integer($portrange[0]),
+ }
+ $upper = Integer($portrange[1])
+ assert_type(Tuple[Stdlib::Port, Stdlib::Port], [$lower, $upper]) |$expected, $actual| {
+ fail("The data type should be \'${expected}\', not \'${actual}\'. The data is [${lower}, ${upper}])}.")
+ ''
+ }
+ if $lower > $upper {
+ fail("Lower port number of the port range is larger than upper. ${lower}:${upper}")
+ }
+ $sport_real = "sport ${lower}:${upper}"
+ } elsif String($sport) == '' {
 $sport_real = ''
+ } else {
+ fail("invalid source-port: ${sport}")
 }
+
 if $saddr =~ Array {
 assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| {
 fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." ) |