author | Gabriele Cerami <gcerami@redhat.com> | 2017-03-03 14:24:48 +0100 |
---|---|---|
committer | Alex Schultz <aschultz@redhat.com> | 2017-04-06 15:55:04 -0600 |
commit | c0c850d598980790e57f183275bc8395ec8d495c (patch) | |
tree | f0c812bcb2af11a9f2c3e3d1bcd43d13dc943277 /manifests | |
parent | bd89e21fe86d81b91ca4e963e8f47bcb7b92a208 (diff) |
firewall: generally accept "jump" param and use tripleo:firewall for log rule
Tentative fix for bug #1669763, trying to use the same class for every
rule we want to add to the chain.
Change-Id: I4ba451c1b258391c8f1cfb4d73e38828c437b1c1
Closes-Bug: #1669763
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/firewall/post.pp | 2 | ||||
-rw-r--r-- | manifests/firewall/rule.pp | 16 |
2 files changed, 16 insertions, 2 deletions
diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp index b76db75..7b5f563 100644 --- a/manifests/firewall/post.pp +++ b/manifests/firewall/post.pp @@ -36,7 +36,7 @@ class tripleo::firewall::post( if $debug { warning('debug is enabled, the traffic is not blocked.') } else { - firewall { '998 log all': + tripleo::firewall::rule{ '998 log all': proto => 'all', jump => 'LOG', } diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp index 688144e..f1ea0c9 100644 --- a/manifests/firewall/rule.pp +++ b/manifests/firewall/rule.pp @@ -39,6 +39,10 @@ # (optional) The action policy associated to the rule. # Defaults to 'accept' # +# [*jump*] +# (optional) The chain to jump to. +# If present, overrides action +# # [*state*] # (optional) Array of states associated to the rule.. # Defaults to ['NEW'] @@ -75,6 +79,7 @@ define tripleo::firewall::rule ( $chain = 'INPUT', $destination = undef, $extras = {}, + $jump = undef, ) { if $port == 'all' { @@ -85,16 +90,25 @@ define tripleo::firewall::rule ( $port_real = $port } + if $jump != undef { + $jump_real = $jump + $action_real = undef + } else { + $jump_real = undef + $action_real = $action + } + $basic = { 'port' => $port_real, 'dport' => $dport, 'sport' => $sport, 'proto' => $proto, - 'action' => $action, + 'action' => $action_real, 'source' => $source, 'iniface' => $iniface, 'chain' => $chain, 'destination' => $destination, + 'jump' => $jump_real, } if $proto == 'icmp' { $ipv6 = { |
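Review bot: Moving '998 log all' in post.pp from a bare firewall resource to tripleo::firewall::rule makes the log rule inherit the define's defaults, and the doc block in the rule.pp hunk lists `state` defaulting to `['NEW']` and `chain` to `'INPUT'`; if the define applies `$state` to the resource (that code is outside the hunk), the end-of-chain LOG rule will now record only NEW-state packets instead of everything that reached it before, which narrows what the logs show and is worth confirming and documenting on the rule. In rule.pp a caller that sets both `action` and `jump` silently loses its action, and because `action` defaults to `'accept'` the define cannot distinguish an explicit value from the default; the nearest available check is `if $jump != undef and $action != 'accept' { warning("tripleo::firewall::rule ${title}: jump '${jump}' overrides action '${action}'") }` placed next to the new `$jump_real`/`$action_real` assignment. `$extras` is merged after this hunk ends, so whether it can reintroduce a conflicting `action` or `jump` is not visible here.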