diff options
Diffstat (limited to 'manifests')
| -rw-r--r-- | manifests/firewall/rule.pp | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp index 816e6fe..688144e 100644 --- a/manifests/firewall/rule.pp +++ b/manifests/firewall/rule.pp @@ -45,7 +45,7 @@ # # [*source*] # (optional) The source IP address associated to the rule. -# Defaults to '0.0.0.0/0' +# Defaults to undef # # [*iniface*] # (optional) The network interface associated to the rule. @@ -70,7 +70,7 @@ define tripleo::firewall::rule ( $proto = 'tcp', $action = 'accept', $state = ['NEW'], - $source = '0.0.0.0/0', + $source = undef, $iniface = undef, $chain = 'INPUT', $destination = undef, @@ -96,6 +96,16 @@ define tripleo::firewall::rule ( 'chain' => $chain, 'destination' => $destination, } + if $proto == 'icmp' { + $ipv6 = { + 'provider' => 'ip6tables', + 'proto' => 'ipv6-icmp', + } + } else { + $ipv6 = { + 'provider' => 'ip6tables', + } + } if $proto != 'gre' { $state_rule = { 'state' => $state @@ -105,8 +115,10 @@ define tripleo::firewall::rule ( } - $rule = merge($basic, $state_rule, $extras) - validate_hash($rule) + $ipv4_rule = merge($basic, $state_rule, $extras) + $ipv6_rule = merge($basic, $state_rule, $ipv6, $extras) + validate_hash($ipv4_rule) + validate_hash($ipv6_rule) # This conditional will ensure that TCP and UDP firewall rules have # a port specified in the configuration when using INPUT or OUTPUT chains. @@ -117,6 +129,16 @@ define tripleo::firewall::rule ( if ($proto in ['tcp', 'udp']) and (! ($port or $dport or $sport) and ($chain != 'FORWARD')) { fail("${title} firewall rule cannot be created. TCP or UDP rules for INPUT or OUTPUT need port or sport or dport.") } - create_resources('firewall', { "${title}" => $rule }) + if $source or $destination { + if ('.' in $destination or '.' in $source) { + create_resources('firewall', { "${title} ipv4" => $ipv4_rule }) + } + if (':' in $destination or ':' in $source) { + create_resources('firewall', { "${title} ipv6" => $ipv6_rule }) + } + } else { + create_resources('firewall', { "${title} ipv4" => $ipv4_rule }) + create_resources('firewall', { "${title} ipv6" => $ipv6_rule }) + } } |