diff --git a/README.md b/README.md index c3ec4b35..7f6a7c91 100644 --- a/README.md +++ b/README.md @@ -127,6 +127,7 @@ firewalld::zones: * `target`: Specify the target of the zone. * `interfaces`: An array of interfaces for this zone * `sources`: An array of sources for the zone +* `protocols`: An array of protocols for the zone * `icmp_blocks`: An array of ICMP blocks for the zone * `masquerade`: If set to `true` or `false` specifies whether or not to add masquerading to the zone diff --git a/REFERENCE.md b/REFERENCE.md index 231e7aad..88ef2bc9 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1255,6 +1255,10 @@ Valid values: `true`, `false` Can be set to true or false, specifies whether to add or remove masquerading from the zone +##### `protocols` + +Specify the protocols for the zone + ##### `purge_ports` Valid values: `false`, `true` diff --git a/lib/puppet/provider/firewalld_zone/firewall_cmd.rb b/lib/puppet/provider/firewalld_zone/firewall_cmd.rb index f8973210..a4fffe3e 100644 --- a/lib/puppet/provider/firewalld_zone/firewall_cmd.rb +++ b/lib/puppet/provider/firewalld_zone/firewall_cmd.rb @@ -21,6 +21,7 @@ def create self.target = (@resource[:target]) if @resource[:target] self.sources = (@resource[:sources]) if @resource[:sources] + self.protocols = (@resource[:protocols]) if @resource[:protocols] self.interfaces = @resource[:interfaces] self.icmp_blocks = (@resource[:icmp_blocks]) if @resource[:icmp_blocks] self.icmp_block_inversion = (@resource[:icmp_block_inversion]) if @resource[:icmp_block_inversion] @@ -82,6 +83,23 @@ def sources=(new_sources) end end + def protocols + execute_firewall_cmd(['--list-protocols']).chomp.split.sort || [] + end + + def protocols=(new_protocols) + new_protocols ||= [] + cur_protocols = protocols + (new_protocols - cur_protocols).each do |p| + debug("Adding protocol '#{p}' to zone #{@resource[:name]}") + execute_firewall_cmd(['--add-protocol', p]) + end + (cur_protocols - new_protocols).each do |p| + debug("Removing protocol '#{p}' from zone #{@resource[:name]}") + execute_firewall_cmd(['--remove-protocol', p]) + end + end + def masquerade if execute_firewall_cmd(['--query-masquerade'], @resource[:name], true, false).chomp == 'yes' :true diff --git a/lib/puppet/type/firewalld_zone.rb b/lib/puppet/type/firewalld_zone.rb index 50e1b6e3..cc0d9b4c 100644 --- a/lib/puppet/type/firewalld_zone.rb +++ b/lib/puppet/type/firewalld_zone.rb @@ -114,6 +114,26 @@ def should_to_s(value = []) end end + newproperty(:protocols, array_matching: :all) do + desc 'Specify the protocols for the zone' + + def insync?(is) + case should + when String then should.lines.sort == is.sort + when Array then should.sort == is.sort + else raise Puppet::Error, 'parameter protocols must be a string or array of strings!' + end + end + + def is_to_s(value = []) + "[#{value.join(', ')}]" + end + + def should_to_s(value = []) + "[#{value.join(', ')}]" + end + end + newproperty(:icmp_blocks, array_matching: :all) do desc "Specify the icmp-blocks for the zone. Can be a single string specifying one icmp type, or an array of strings specifying multiple icmp types. Any blocks not specified here will be removed diff --git a/spec/unit/puppet/provider/firewalld_zone_spec.rb b/spec/unit/puppet/provider/firewalld_zone_spec.rb index 6fa7850f..17eff55d 100644 --- a/spec/unit/puppet/provider/firewalld_zone_spec.rb +++ b/spec/unit/puppet/provider/firewalld_zone_spec.rb @@ -29,6 +29,7 @@ resource.expects(:[]).with(:name).returns('white').at_least_once resource.expects(:[]).with(:target).returns(nil).at_least_once resource.expects(:[]).with(:sources).returns(nil).at_least_once + resource.expects(:[]).with(:protocols).returns(nil).at_least_once resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once resource.expects(:[]).with(:icmp_block_inversion).returns(false).at_least_once @@ -49,6 +50,7 @@ resource.expects(:[]).with(:name).returns('white').at_least_once resource.expects(:[]).with(:target).returns(nil).at_least_once resource.expects(:[]).with(:sources).returns(nil).at_least_once + resource.expects(:[]).with(:protocols).returns(nil).at_least_once resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once resource.expects(:[]).with(:icmp_block_inversion).returns(false).at_least_once diff --git a/spec/unit/puppet/type/firewalld_zone_spec.rb b/spec/unit/puppet/type/firewalld_zone_spec.rb index 12aaf078..75158b2f 100644 --- a/spec/unit/puppet/type/firewalld_zone_spec.rb +++ b/spec/unit/puppet/type/firewalld_zone_spec.rb @@ -68,7 +68,7 @@ end end - %i[target icmp_blocks icmp_block_inversion sources purge_rich_rules purge_services purge_ports].each do |param| + %i[target icmp_blocks icmp_block_inversion sources protocols purge_rich_rules purge_services purge_ports].each do |param| it "has a #{param} parameter" do expect(described_class.attrtype(param)).to eq(:property) end @@ -143,6 +143,7 @@ interfaces: ['eth0'], icmp_blocks: %w[redirect router-advertisment], icmp_block_inversion: true, + protocols: %w[icmp igmp], sources: ['192.168.2.2', '10.72.1.100'] ) end @@ -186,6 +187,10 @@ provider.expects(:execute_firewall_cmd).with(['--add-source', '192.168.2.2']) provider.expects(:execute_firewall_cmd).with(['--add-source', '10.72.1.100']) + provider.expects(:protocols).returns([]) + provider.expects(:execute_firewall_cmd).with(['--add-protocol', 'icmp']) + provider.expects(:execute_firewall_cmd).with(['--add-protocol', 'igmp']) + provider.expects(:interfaces).returns([]) provider.expects(:execute_firewall_cmd).with(['--add-interface', 'eth0']) provider.create @@ -240,6 +245,18 @@ expect(provider.get_icmp_types).to eq(%w[echo-reply echo-request]) end + it 'gets protocols' do + provider.expects(:execute_firewall_cmd).with(['--list-protocols']).returns('val val') + expect(provider.protocols).to eq(%w[val val]) + end + + it 'sets protocols' do + provider.expects(:protocols).returns(['valx']) + provider.expects(:execute_firewall_cmd).with(['--add-protocol', 'valy']) + provider.expects(:execute_firewall_cmd).with(['--remove-protocol', 'valx']) + provider.protocols = ['valy'] + end + it 'gets icmp_blocks' do provider.expects(:execute_firewall_cmd).with(['--list-icmp-blocks'], 'restricted').returns('redirect router-advertisement') expect(provider.icmp_blocks).to eq(%w[redirect router-advertisement])