Add the parameter protocols to the firewalld_zone resource type

Rebased off of : #327
voxpupuli · Oct 30, 2023 · 0d484c7 · 0d484c7
1 parent e69f796
commit 0d484c7
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -127,6 +127,7 @@ firewalld::zones:
 * `target`: Specify the target of the zone.
 * `interfaces`: An array of interfaces for this zone
 * `sources`: An array of sources for the zone
+* `protocols`: An array of protocols for the zone
 * `icmp_blocks`: An array of ICMP blocks for the zone
 * `masquerade`: If set to `true` or `false` specifies whether or not
   to add masquerading to the zone

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -1255,6 +1255,10 @@ Valid values: `true`, `false`
 
 Can be set to true or false, specifies whether to add or remove masquerading from the zone
 
+##### `protocols`
+
+Specify the protocols for the zone
+
 ##### `purge_ports`
 
 Valid values: `false`, `true`

diff --git a/lib/puppet/provider/firewalld_zone/firewall_cmd.rb b/lib/puppet/provider/firewalld_zone/firewall_cmd.rb
@@ -21,6 +21,7 @@ def create
 
     self.target = (@resource[:target]) if @resource[:target]
     self.sources = (@resource[:sources]) if @resource[:sources]
+    self.protocols = (@resource[:protocols]) if @resource[:protocols]
     self.interfaces = @resource[:interfaces]
     self.icmp_blocks = (@resource[:icmp_blocks]) if @resource[:icmp_blocks]
     self.icmp_block_inversion = (@resource[:icmp_block_inversion]) if @resource[:icmp_block_inversion]
@@ -82,6 +83,23 @@ def sources=(new_sources)
     end
   end
 
+  def protocols
+    execute_firewall_cmd(['--list-protocols']).chomp.split(' ').sort || []
+  end
+
+  def protocols=(new_protocols)
+    new_protocols ||= []
+    cur_protocols = protocols
+    (new_protocols - cur_protocols).each do |p|
+      debug("Adding protocol '#{p}' to zone #{@resource[:name]}")
+      execute_firewall_cmd(['--add-protocol', p])
+    end
+    (cur_protocols - new_protocols).each do |p|
+    debug("Removing protocol '#{p}' from zone #{@resource[:name]}")
+    execute_firewall_cmd(['--remove-protocol', p])
+    end
+  end
+
   def masquerade
     if execute_firewall_cmd(['--query-masquerade'], @resource[:name], true, false).chomp == 'yes'
       :true

diff --git a/lib/puppet/type/firewalld_zone.rb b/lib/puppet/type/firewalld_zone.rb
@@ -114,6 +114,26 @@ def should_to_s(value = [])
     end
   end
 
+  newproperty(:protocols, array_matching: :all) do
+    desc 'Specify the protocols for the zone'
+
+    def insync?(is)
+      case should
+      when String then should.lines.sort == is.sort
+      when Array then should.sort == is.sort
+      else raise Puppet::Error, 'parameter protocols must be a string or array of strings!'
+      end
+    end
+
+    def is_to_s(value = []) # rubocop:disable Style/PredicateName
+      '[' + value.join(', ') + ']'
+    end
+
+    def should_to_s(value = [])
+      '[' + value.join(', ') + ']'
+    end
+  end
+
   newproperty(:icmp_blocks, array_matching: :all) do
     desc "Specify the icmp-blocks for the zone. Can be a single string specifying one icmp type,
           or an array of strings specifying multiple icmp types. Any blocks not specified here will be removed

diff --git a/spec/unit/puppet/provider/firewalld_zone_spec.rb b/spec/unit/puppet/provider/firewalld_zone_spec.rb
@@ -29,6 +29,7 @@
         resource.expects(:[]).with(:name).returns('white').at_least_once
         resource.expects(:[]).with(:target).returns(nil).at_least_once
         resource.expects(:[]).with(:sources).returns(nil).at_least_once
+        resource.expects(:[]).with(:protocols).returns(nil).at_least_once
         resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once
         resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once
         resource.expects(:[]).with(:icmp_block_inversion).returns(false).at_least_once
@@ -49,6 +50,7 @@
         resource.expects(:[]).with(:name).returns('white').at_least_once
         resource.expects(:[]).with(:target).returns(nil).at_least_once
         resource.expects(:[]).with(:sources).returns(nil).at_least_once
+        resource.expects(:[]).with(:protocols).returns(nil).at_least_once
         resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once
         resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once
         resource.expects(:[]).with(:icmp_block_inversion).returns(false).at_least_once

diff --git a/spec/unit/puppet/type/firewalld_zone_spec.rb b/spec/unit/puppet/type/firewalld_zone_spec.rb
@@ -68,7 +68,7 @@
           end
         end
 
-        %i[target icmp_blocks icmp_block_inversion sources purge_rich_rules purge_services purge_ports].each do |param|
+        %i[target icmp_blocks icmp_block_inversion sources protocols purge_rich_rules purge_services purge_ports].each do |param|
           it "has a #{param} parameter" do
             expect(described_class.attrtype(param)).to eq(:property)
           end
@@ -143,6 +143,7 @@
           interfaces: ['eth0'],
           icmp_blocks: %w[redirect router-advertisment],
           icmp_block_inversion: true,
+          protocols: ['icmp', 'igmp'],
           sources: ['192.168.2.2', '10.72.1.100']
         )
       end
@@ -186,6 +187,10 @@
         provider.expects(:execute_firewall_cmd).with(['--add-source', '192.168.2.2'])
         provider.expects(:execute_firewall_cmd).with(['--add-source', '10.72.1.100'])
 
+        provider.expects(:protocols).returns([])
+        provider.expects(:execute_firewall_cmd).with(['--add-protocol', 'icmp'])
+        provider.expects(:execute_firewall_cmd).with(['--add-protocol', 'igmp'])
+
         provider.expects(:interfaces).returns([])
         provider.expects(:execute_firewall_cmd).with(['--add-interface', 'eth0'])
         provider.create
@@ -240,6 +245,18 @@
         expect(provider.get_icmp_types).to eq(%w[echo-reply echo-request])
       end
 
+      it 'gets protocols' do
+        provider.expects(:execute_firewall_cmd).with(['--list-protocols']).returns('val val')
+        expect(provider.protocols).to eq(%w[val val])
+      end
+
+      it 'sets protocols' do
+        provider.expects(:protocols).returns(['valx'])
+        provider.expects(:execute_firewall_cmd).with(['--add-protocol', 'valy'])
+        provider.expects(:execute_firewall_cmd).with(['--remove-protocol', 'valx'])
+        provider.protocols = ['valy']
+      end
+
       it 'gets icmp_blocks' do
         provider.expects(:execute_firewall_cmd).with(['--list-icmp-blocks'], 'restricted').returns('redirect router-advertisement')
         expect(provider.icmp_blocks).to eq(%w[redirect router-advertisement])