From c0c850d598980790e57f183275bc8395ec8d495c Mon Sep 17 00:00:00 2001
From: Gabriele Cerami
Date: Fri, 3 Mar 2017 14:24:48 +0100
Subject: firewall: generally accept "jump" param and use tripleo:firewall for log rule

Tentative fix for bug #1669763, trying to use the same class for every rule we want to add to the chain.

Change-Id: I4ba451c1b258391c8f1cfb4d73e38828c437b1c1
Closes-Bug: #1669763
---
 manifests/firewall/post.pp | 2 +-
 manifests/firewall/rule.pp | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

(limited to 'manifests')

diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp
index b76db75..7b5f563 100644
--- a/manifests/firewall/post.pp
+++ b/manifests/firewall/post.pp
@@ -36,7 +36,7 @@ class tripleo::firewall::post(
 if $debug {
 warning('debug is enabled, the traffic is not blocked.')
 } else {
- firewall { '998 log all':
+ tripleo::firewall::rule{ '998 log all':
 proto => 'all',
 jump => 'LOG',
 }
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 688144e..f1ea0c9 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -39,6 +39,10 @@
 # (optional) The action policy associated to the rule.
 # Defaults to 'accept'
 #
+# [*jump*]
+# (optional) The chain to jump to.
+# If present, overrides action
+#
 # [*state*]
 # (optional) Array of states associated to the rule..
 # Defaults to ['NEW']
@@ -75,6 +79,7 @@ define tripleo::firewall::rule (
 $chain = 'INPUT',
 $destination = undef,
 $extras = {},
+ $jump = undef,
 ) {

 if $port == 'all' {
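Review bot: Routing '998 log all' through tripleo::firewall::rule changes what the log rule can match, because the define carries defaults the replaced `firewall` resource did not: the rule.pp doc hunk shows `state` defaulting to ['NEW'] and `chain` to 'INPUT'. If the define attaches `state` to the generated rule for proto 'all' (that branch is not in this patch), the catch-all log line that sits just before the final drop will stop recording non-NEW packets, which weakens the audit trail this rule exists to provide; please confirm against the define's state handling and, if needed, give callers a way to leave `state` unset. The `$ipv6` hash in the rule.pp hunk suggests the define also manages an ip6tables variant, so the log rule presumably now appears in both tables — likely intended, but worth stating in the commit message. The enclosing class tripleo::firewall::post continues outside the hunk.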
@@ -85,16 +90,25 @@ define tripleo::firewall::rule (
 $port_real = $port
 }

+ if $jump != undef {
+ $jump_real = $jump
+ $action_real = undef
+ } else {
+ $jump_real = undef
+ $action_real = $action
+ }
+
 $basic = {
 'port' => $port_real,
 'dport' => $dport,
 'sport' => $sport,
 'proto' => $proto,
- 'action' => $action,
+ 'action' => $action_real,
 'source' => $source,
 'iniface' => $iniface,
 'chain' => $chain,
 'destination' => $destination,
+ 'jump' => $jump_real,
 }
 if $proto == 'icmp' {
 $ipv6 = {
-- 
cgit 1.2.3-korg
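Review bot: When `$jump` is set, the new `$action_real = undef` line discards whatever `action` the caller passed without any diagnostic, so a rule declared as `action => 'drop', jump => 'LOG'` ends up with a LOG target and the packet carries on through the chain instead of being dropped. Because `action` defaults to 'accept' the define cannot distinguish an explicit value from the default, but it can still reject the clearly conflicting case before the assignment: `if $jump != undef and $action != 'accept' { fail("tripleo::firewall::rule[${name}]: 'action' and 'jump' are mutually exclusive") }`. A one-line comment on the `if $jump != undef {` branch, such as `# jump replaces action: a firewall resource takes a single target`, would also save the next reader a trip to the parameter docs. The define's body continues past the hunk (the `$ipv6` block is cut off at the end).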