summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/firewall/rule.pp32
-rw-r--r--spec/classes/tripleo_firewall_spec.rb70
2 files changed, 84 insertions, 18 deletions
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 816e6fe..688144e 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -45,7 +45,7 @@
#
# [*source*]
# (optional) The source IP address associated to the rule.
-# Defaults to '0.0.0.0/0'
+# Defaults to undef
#
# [*iniface*]
# (optional) The network interface associated to the rule.
@@ -70,7 +70,7 @@ define tripleo::firewall::rule (
$proto = 'tcp',
$action = 'accept',
$state = ['NEW'],
- $source = '0.0.0.0/0',
+ $source = undef,
$iniface = undef,
$chain = 'INPUT',
$destination = undef,
@@ -96,6 +96,16 @@ define tripleo::firewall::rule (
'chain' => $chain,
'destination' => $destination,
}
+ if $proto == 'icmp' {
+ $ipv6 = {
+ 'provider' => 'ip6tables',
+ 'proto' => 'ipv6-icmp',
+ }
+ } else {
+ $ipv6 = {
+ 'provider' => 'ip6tables',
+ }
+ }
if $proto != 'gre' {
$state_rule = {
'state' => $state
@@ -105,8 +115,10 @@ define tripleo::firewall::rule (
}
- $rule = merge($basic, $state_rule, $extras)
- validate_hash($rule)
+ $ipv4_rule = merge($basic, $state_rule, $extras)
+ $ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
+ validate_hash($ipv4_rule)
+ validate_hash($ipv6_rule)
# This conditional will ensure that TCP and UDP firewall rules have
# a port specified in the configuration when using INPUT or OUTPUT chains.
@@ -117,6 +129,16 @@ define tripleo::firewall::rule (
if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
}
- create_resources('firewall', { "${title}" => $rule })
+ if $source or $destination {
+ if ('.' in $destination or '.' in $source) {
+ create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+ }
+ if (':' in $destination or ':' in $source) {
+ create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+ }
+ } else {
+ create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+ create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+ }
}
diff --git a/spec/classes/tripleo_firewall_spec.rb b/spec/classes/tripleo_firewall_spec.rb
index 3a1a0a0..92b51e5 100644
--- a/spec/classes/tripleo_firewall_spec.rb
+++ b/spec/classes/tripleo_firewall_spec.rb
@@ -34,35 +34,65 @@ describe 'tripleo::firewall' do
end
it 'configure basic pre firewall rules' do
- is_expected.to contain_firewall('000 accept related established rules').with(
+ is_expected.to contain_firewall('000 accept related established rules ipv4').with(
:proto => 'all',
:state => ['RELATED', 'ESTABLISHED'],
:action => 'accept',
)
- is_expected.to contain_firewall('001 accept all icmp').with(
+ is_expected.to contain_firewall('000 accept related established rules ipv6').with(
+ :proto => 'all',
+ :state => ['RELATED', 'ESTABLISHED'],
+ :action => 'accept',
+ :provider => 'ip6tables',
+ )
+ is_expected.to contain_firewall('001 accept all icmp ipv4').with(
:proto => 'icmp',
:action => 'accept',
:state => ['NEW'],
)
- is_expected.to contain_firewall('002 accept all to lo interface').with(
+ is_expected.to contain_firewall('001 accept all icmp ipv6').with(
+ :proto => 'ipv6-icmp',
+ :action => 'accept',
+ :state => ['NEW'],
+ :provider => 'ip6tables',
+ )
+ is_expected.to contain_firewall('002 accept all to lo interface ipv4').with(
:proto => 'all',
:iniface => 'lo',
:action => 'accept',
:state => ['NEW'],
)
- is_expected.to contain_firewall('003 accept ssh').with(
+ is_expected.to contain_firewall('002 accept all to lo interface ipv6').with(
+ :proto => 'all',
+ :iniface => 'lo',
+ :action => 'accept',
+ :state => ['NEW'],
+ :provider => 'ip6tables',
+ )
+ is_expected.to contain_firewall('003 accept ssh ipv4').with(
:dport => '22',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
+ is_expected.to contain_firewall('003 accept ssh ipv6').with(
+ :dport => '22',
+ :proto => 'tcp',
+ :action => 'accept',
+ :state => ['NEW'],
+ :provider => 'ip6tables',
+ )
end
it 'configure basic post firewall rules' do
- is_expected.to contain_firewall('999 drop all').with(
+ is_expected.to contain_firewall('999 drop all ipv4').with(
:proto => 'all',
:action => 'drop',
- :source => '0.0.0.0/0',
+ )
+ is_expected.to contain_firewall('999 drop all ipv6').with(
+ :proto => 'all',
+ :action => 'drop',
+ :provider => 'ip6tables',
)
end
end
@@ -77,41 +107,55 @@ describe 'tripleo::firewall' do
'302 fwd custom cidr 1' => {'port' => 'all', 'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
'303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
'304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
- '305 add gre rule' => {'proto' => 'gre'}
+ '305 add gre rule' => {'proto' => 'gre'},
+ '306 add custom cidr 2' => {'port' => 'all', 'destination' => '::1/24'},
}
)
end
it 'configure custom firewall rules' do
- is_expected.to contain_firewall('300 add custom application 1').with(
+ is_expected.to contain_firewall('300 add custom application 1 ipv4').with(
:port => '999',
:proto => 'udp',
:action => 'accept',
:state => ['NEW'],
)
- is_expected.to contain_firewall('301 add custom application 2').with(
+ is_expected.to contain_firewall('301 add custom application 2 ipv4').with(
:port => '8081',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
- is_expected.to contain_firewall('302 fwd custom cidr 1').with(
+ is_expected.to contain_firewall('302 fwd custom cidr 1 ipv4').with(
:chain => 'FORWARD',
:proto => 'tcp',
:destination => '192.0.2.0/24',
)
- is_expected.to contain_firewall('303 add custom application 3').with(
+ is_expected.to_not contain_firewall('302 fwd custom cidr 1 ipv6')
+ is_expected.to contain_firewall('303 add custom application 3 ipv4').with(
:dport => '8081',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
- is_expected.to contain_firewall('304 add custom application 4').with(
+ is_expected.to contain_firewall('304 add custom application 4 ipv4').with(
:sport => '1000',
:proto => 'tcp',
:action => 'accept',
:state => ['NEW'],
)
- is_expected.to contain_firewall('305 add gre rule').without(:state)
+ is_expected.to contain_firewall('304 add custom application 4 ipv6').with(
+ :sport => '1000',
+ :proto => 'tcp',
+ :action => 'accept',
+ :state => ['NEW'],
+ )
+ is_expected.to contain_firewall('305 add gre rule ipv4').without(:state)
+ is_expected.to contain_firewall('306 add custom cidr 2 ipv6').with(
+ :proto => 'tcp',
+ :destination => '::1/24',
+ :action => 'accept',
+ :provider => 'ip6tables',
+ )
end
end