Merge pull request #67 from dcarley/13201-autoreq_chain

(#13201) Firewall autorequire Firewallchains
commit b5b55ddf97da8f1d068b83466bcee04a9f3eb27a 2 parents 20f77b2 + 94db8f2
@kbarber kbarber authored
2  README.markdown
@@ -105,7 +105,6 @@ Creating a new rule that forwards to a chain, then adding a rule to this chain:
firewall { '100 forward to MY_CHAIN':
chain => 'INPUT',
jump => 'MY_CHAIN',
- require => Firewallchain["MY_CHAIN:filter:IPv4"],
}
# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
@@ -116,7 +115,6 @@ Creating a new rule that forwards to a chain, then adding a rule to this chain:
action => 'accept',
proto => 'tcp',
dport => 5000,
- require => Firewallchain["MY_CHAIN:filter:IPv4"],
}
You can make firewall rules persistent with the following iptables example:
22 lib/puppet/type/firewall.rb
@@ -15,6 +15,10 @@
@doc = <<-EOS
This type provides the capability to manage firewall rules within
puppet.
+
+ **Autorequires:** If Puppet is managing the iptables or ip6tables chains
+ specified in the `chain` or `jump` parameters, the firewall resource
+ will autorequire those firewallchain resources.
EOS
feature :rate_limiting, "Rate limiting features."
@@ -462,6 +466,24 @@ def should_to_s(value)
EOS
end
+ autorequire(:firewallchain) do
+ case value(:provider)
+ when :iptables
+ protocol = "IPv4"
+ when :ip6tables
+ protocol = "IPv6"
+ else
+ return
+ end
+
+ reqs = []
+ [value(:chain), value(:jump)].each do |chain|
+ reqs << "#{chain}:#{value(:table)}:#{protocol}" unless chain.nil?
+ end
+
+ reqs
+ end
+
validate do
debug("[validate]")
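Review bot: The bare `return` in the `else` branch of `case value(:provider)` (hunk at `@@ -462`) sits inside a block that is stored and evaluated later, not inside a method body; if Puppet invokes that stored block as a plain proc, as it appears to, a `return` with no enclosing method frame raises LocalJumpError instead of producing no requirements. The branch looks unreachable as long as only `:iptables` and `:ip6tables` exist, which is why the new specs cannot observe it, but a third provider would trip it. Replacing the line with `next []` keeps the early exit and returns an empty list from the block. The `reqs` accumulation can also be expressed without the mutable local as `[value(:chain), value(:jump)].compact.map { |chain| "#{chain}:#{value(:table)}:#{protocol}" }`. The enclosing type definition starts and ends outside the hunk.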
81 spec/unit/puppet/type/firewall_spec.rb
@@ -305,4 +305,85 @@
@resource[:set_mark].should == '0x3e8'
end
end
+
+ [:chain, :jump].each do |param|
+ describe param do
+ it 'should autorequire fwchain when table and provider are undefined' do
+ @resource[param] = 'FOO'
+ @resource[:table].should == :filter
+ @resource[:provider].should == :iptables
+
+ chain = Puppet::Type.type(:firewallchain).new(:name => 'FOO:filter:IPv4')
+ catalog = Puppet::Resource::Catalog.new
+ catalog.add_resource @resource
+ catalog.add_resource chain
+ rel = @resource.autorequire[0]
+ rel.source.ref.should == chain.ref
+ rel.target.ref.should == @resource.ref
+ end
+
+ it 'should autorequire fwchain when table is undefined and provider is ip6tables' do
+ @resource[param] = 'FOO'
+ @resource[:table].should == :filter
+ @resource[:provider] = :ip6tables
+
+ chain = Puppet::Type.type(:firewallchain).new(:name => 'FOO:filter:IPv6')
+ catalog = Puppet::Resource::Catalog.new
+ catalog.add_resource @resource
+ catalog.add_resource chain
+ rel = @resource.autorequire[0]
+ rel.source.ref.should == chain.ref
+ rel.target.ref.should == @resource.ref
+ end
+
+ it 'should autorequire fwchain when table is raw and provider is undefined' do
+ @resource[param] = 'FOO'
+ @resource[:table] = :raw
+ @resource[:provider].should == :iptables
+
+ chain = Puppet::Type.type(:firewallchain).new(:name => 'FOO:raw:IPv4')
+ catalog = Puppet::Resource::Catalog.new
+ catalog.add_resource @resource
+ catalog.add_resource chain
+ rel = @resource.autorequire[0]
+ rel.source.ref.should == chain.ref
+ rel.target.ref.should == @resource.ref
+ end
+
+ it 'should autorequire fwchain when table is raw and provider is ip6tables' do
+ @resource[param] = 'FOO'
+ @resource[:table] = :raw
+ @resource[:provider] = :ip6tables
+
+ chain = Puppet::Type.type(:firewallchain).new(:name => 'FOO:raw:IPv6')
+ catalog = Puppet::Resource::Catalog.new
+ catalog.add_resource @resource
+ catalog.add_resource chain
+ rel = @resource.autorequire[0]
+ rel.source.ref.should == chain.ref
+ rel.target.ref.should == @resource.ref
+ end
+ end
+ end
+
+ describe ":chain and :jump" do
+ it 'should autorequire independent fwchains' do
+ @resource[:chain] = 'FOO'
+ @resource[:jump] = 'BAR'
+ @resource[:table].should == :filter
+ @resource[:provider].should == :iptables
+
+ chain_foo = Puppet::Type.type(:firewallchain).new(:name => 'FOO:filter:IPv4')
+ chain_bar = Puppet::Type.type(:firewallchain).new(:name => 'BAR:filter:IPv4')
+ catalog = Puppet::Resource::Catalog.new
+ catalog.add_resource @resource
+ catalog.add_resource chain_foo
+ catalog.add_resource chain_bar
+ rel = @resource.autorequire
+ rel[0].source.ref.should == chain_foo.ref
+ rel[0].target.ref.should == @resource.ref
+ rel[1].source.ref.should == chain_bar.ref
+ rel[1].target.ref.should == @resource.ref
+ end
+ end
end
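Review bot: The new examples only exercise the positive path where the firewallchain in the catalog matches the computed table and protocol; none checks that a chain with a different protocol or table (for instance `FOO:filter:IPv6` in the catalog while the provider stays `:iptables`) yields no relationship, and that discrimination is the logic the autorequire adds. Such an example needs only the existing setup followed by `@resource.autorequire.should be_empty`. The `:chain and :jump` example also pins at `rel[0]`/`rel[1]` the order in which the type emits the two names without saying so; a comment such as `# order follows [chain, jump] in the type's autorequire` makes that coupling explicit. `@resource` appears to be set up in a `before` block outside the hunk.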