1 files changed, 45 insertions, 6 deletions

diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 6801dc4..688144e 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -45,7 +45,7 @@
 #
 # [*source*]
 #  (optional) The source IP address associated to the rule.
-#  Defaults to '0.0.0.0/0'
+#  Defaults to undef
 #
 # [*iniface*]
 #  (optional) The network interface associated to the rule.
@@ -70,15 +70,23 @@ define tripleo::firewall::rule (
   $proto       = 'tcp',
   $action      = 'accept',
   $state       = ['NEW'],
-  $source      = '0.0.0.0/0',
+  $source      = undef,
   $iniface     = undef,
   $chain       = 'INPUT',
   $destination = undef,
   $extras      = {},
 ) {
 
+  if $port == 'all' {
+    warning("All ${proto} traffic will be open on this host.")
+    # undef so the IPtables rule won't have any port specified.
+    $port_real = undef
+  } else {
+    $port_real = $port
+  }
+
   $basic = {
-    'port'        => $port,
+    'port'        => $port_real,
     'dport'       => $dport,
     'sport'       => $sport,
     'proto'       => $proto,
@@ -88,6 +96,16 @@ define tripleo::firewall::rule (
     'chain'       => $chain,
     'destination' => $destination,
   }
+  if $proto == 'icmp' {
+    $ipv6 = {
+      'provider' => 'ip6tables',
+      'proto'    => 'ipv6-icmp',
+    }
+  } else {
+    $ipv6 = {
+      'provider' => 'ip6tables',
+    }
+  }
   if $proto != 'gre' {
     $state_rule = {
       'state' => $state
@@ -97,9 +115,30 @@ define tripleo::firewall::rule (
   }
 
 
-  $rule = merge($basic, $state_rule, $extras)
-  validate_hash($rule)
+  $ipv4_rule = merge($basic, $state_rule, $extras)
+  $ipv6_rule = merge($basic, $state_rule, $ipv6, $extras)
+  validate_hash($ipv4_rule)
+  validate_hash($ipv6_rule)
 
-  create_resources('firewall', { "${title}" => $rule })
+  # This conditional will ensure that TCP and UDP firewall rules have
+  # a port specified in the configuration when using INPUT or OUTPUT chains.
+  # If not, the Puppet catalog will fail.
+  # If we don't do this sanity check, a user could create some TCP/UDP
+  # rules without port, and the result would be an iptables rule that allow any
+  # traffic on the host.
+  if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) {
+    fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.")
+  }
+  if $source or $destination {
+    if ('.' in $destination or '.' in $source) {
+      create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+    }
+    if (':' in $destination or ':' in $source) {
+      create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+    }
+  } else {
+    create_resources('firewall', { "${title} ipv4" => $ipv4_rule })
+    create_resources('firewall', { "${title} ipv6" => $ipv6_rule })
+  }
 
 }