diff options
author | Thore Bödecker <me@foxxx0.de> | 2020-06-22 15:53:06 +0200 |
---|---|---|
committer | Thore Bödecker <me@foxxx0.de> | 2020-06-22 16:17:13 +0200 |
commit | e048afaec245b19ed8a94a8e2e893c9c9b4e47e6 (patch) | |
tree | c3801f67583f08c9730ff60e9fb5cc6bffe0f613 /manifests | |
parent | 8d967c7b915fec97846b1d6b567489646b3096a3 (diff) | |
download | puppet-ferm-e048afaec245b19ed8a94a8e2e893c9c9b4e47e6.tar.gz puppet-ferm-e048afaec245b19ed8a94a8e2e893c9c9b4e47e6.tar.bz2 |
implement multiport support for dport/sport
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/rule.pp | 36 |
1 files changed, 24 insertions, 12 deletions
diff --git a/manifests/rule.pp b/manifests/rule.pp index 1acbfd1..458bef6 100644 --- a/manifests/rule.pp +++ b/manifests/rule.pp @@ -5,7 +5,7 @@ # chain => 'INPUT', # action => 'SSH', # proto => 'tcp', -# dport => '22', +# dport => 22, # } # # @example Create a rule in the 'SSH' chain to allow connections from localhost @@ -13,7 +13,7 @@ # chain => 'SSH', # action => 'ACCEPT', # proto => 'tcp', -# dport => '22', +# dport => 22, # saddr => '127.0.0.1', # } # @@ -43,8 +43,8 @@ # @param policy Configure what we want to do with the packet (drop/accept/reject, can also be a target chain name) [DEPRECATED] # Default value: undef # Allowed values: (RETURN|ACCEPT|DROP|REJECT|NOTRACK|LOG|MARK|DNAT|SNAT|MASQUERADE|REDIRECT|String[1]) -# @param dport The destination port, can be a range as string or a single port number as integer -# @param sport The source port, can be a range as string or a single port number as integer +# @param dport The destination port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher) +# @param sport The source port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher) # @param saddr The source address we want to match # @param daddr The destination address we want to match # @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types) @@ -59,8 +59,8 @@ define ferm::rule ( String $comment = $name, Optional[Ferm::Actions] $action = undef, Optional[Ferm::Policies] $policy = undef, - Optional[Variant[Stdlib::Port,String[1]]] $dport = undef, - Optional[Variant[Stdlib::Port,String[1]]] $sport = undef, + Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $dport = undef, + Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $sport = undef, Optional[Variant[Array, String[1]]] $saddr = undef, Optional[Variant[Array, String[1]]] $daddr = undef, Optional[String[1]] $proto_options = undef, @@ -95,14 +95,26 @@ define ferm::rule ( String => "proto ${proto}", } - $dport_real = $dport ? { - undef => '', - default => "dport ${dport}", + # ferm supports implicit multiport using the "dports" shortcut + if $dport =~ Array { + $dports = join($dport, ' ') + $dport_real = "dports (${dports})" + } elsif $dport =~ Integer { + $dport_real = "dport ${dport}" + } else { + $dport_real = '' } - $sport_real = $sport ? { - undef => '', - default => "sport ${sport}", + + # ferm supports implicit multiport using the "sports" shortcut + if $sport =~ Array { + $sports = join($sport, ' ') + $sport_real = "sports (${sports})" + } elsif $sport =~ Integer { + $sport_real = "sport ${sport}" + } else { + $sport_real = '' } + if $saddr =~ Array { assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| { fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." ) |