| author | Thore Bödecker <me@foxxx0.de> | 2020-06-22 15:53:06 +0200 | 
|---|---|---|
| committer | Thore Bödecker <me@foxxx0.de> | 2020-06-22 16:17:13 +0200 | 
| commit | e048afaec245b19ed8a94a8e2e893c9c9b4e47e6 (patch) | |
| tree | c3801f67583f08c9730ff60e9fb5cc6bffe0f613 /manifests/rule.pp | |
| parent | 8d967c7b915fec97846b1d6b567489646b3096a3 (diff) | |
| download | puppet-ferm-e048afaec245b19ed8a94a8e2e893c9c9b4e47e6.tar.gz puppet-ferm-e048afaec245b19ed8a94a8e2e893c9c9b4e47e6.tar.bz2 | |
implement multiport support for dport/sport
Diffstat (limited to 'manifests/rule.pp')
| -rw-r--r-- | manifests/rule.pp | 36 | 
1 files changed, 24 insertions, 12 deletions
| diff --git a/manifests/rule.pp b/manifests/rule.pp
index 1acbfd1..458bef6 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -5,7 +5,7 @@
 #     chain  => 'INPUT',
 #     action => 'SSH',
 #     proto  => 'tcp',
-#     dport  => '22',
+#     dport  => 22,
 #   }
 #
 # @example Create a rule in the 'SSH' chain to allow connections from localhost
@@ -13,7 +13,7 @@
 #     chain  => 'SSH',
 #     action => 'ACCEPT',
 #     proto  => 'tcp',
-#     dport  => '22',
+#     dport  => 22,
 #     saddr  => '127.0.0.1',
 #   }
 #
@@ -43,8 +43,8 @@
 # @param policy Configure what we want to do with the packet (drop/accept/reject, can also be a target chain name) [DEPRECATED]
 #   Default value: undef
 #   Allowed values: (RETURN|ACCEPT|DROP|REJECT|NOTRACK|LOG|MARK|DNAT|SNAT|MASQUERADE|REDIRECT|String[1])
-# @param dport The destination port, can be a range as string or a single port number as integer
-# @param sport The source port, can be a range as string or a single port number as integer
+# @param dport The destination port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher)
+# @param sport The source port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher)
 # @param saddr The source address we want to match
 # @param daddr The destination address we want to match
 # @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
@@ -59,8 +59,8 @@ define ferm::rule (
   String $comment = $name,
   Optional[Ferm::Actions] $action = undef,
   Optional[Ferm::Policies] $policy = undef,
-  Optional[Variant[Stdlib::Port,String[1]]] $dport = undef,
-  Optional[Variant[Stdlib::Port,String[1]]] $sport = undef,
+  Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $dport = undef,
+  Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $sport = undef,
   Optional[Variant[Array, String[1]]] $saddr = undef,
   Optional[Variant[Array, String[1]]] $daddr = undef,
   Optional[String[1]] $proto_options = undef,
@@ -95,14 +95,26 @@ define ferm::rule (
     String => "proto ${proto}",
   }
-  $dport_real = $dport ? {
-    undef   => '',
-    default => "dport ${dport}",
+  # ferm supports implicit multiport using the "dports" shortcut
+  if $dport =~ Array {
+    $dports = join($dport, ' ')
+    $dport_real = "dports (${dports})"
+  } elsif $dport =~ Integer {
+    $dport_real = "dport ${dport}"
+  } else {
+    $dport_real = ''
   }
-  $sport_real = $sport ? {
-    undef   => '',
-    default => "sport ${sport}",
+
+  # ferm supports implicit multiport using the "sports" shortcut
+  if $sport =~ Array {
+    $sports = join($sport, ' ')
+    $sport_real = "sports (${sports})"
+  } elsif $sport =~ Integer {
+    $sport_real = "sport ${sport}"
+  } else {
+    $sport_real = ''
   }
+
   if $saddr =~ Array {
     assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| {
       fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." ) |
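Review bot: `Array[Stdlib::Port]` in the new `$dport`/`$sport` types admits an empty array, and the multiport branch added in the following hunk (`if $dport =~ Array`) then renders it as `dports ()`, which is unlikely to be accepted by ferm, so a single misconfigured rule would keep the whole generated ruleset from loading instead of failing at catalog compile time where it is easy to see. Constrain the type to require at least one element: `Optional[Variant[Stdlib::Port,Array[Stdlib::Port, 1]]] $dport = undef,` and the same for `$sport`. Note also that dropping `String[1]` from the Variant rejects the port-range strings the old @param doc advertised (e.g. a constructed value such as `'1024:65535'`), so existing callers relying on that will now fail catalog compilation; if that is intended it deserves a changelog or major-version note. The `ferm::rule` signature starts before this hunk and its body continues in the next one.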
