
Commit 00bba7e

authored
Merge pull request #265 from duritong/fix-264
(#264) - ensure non-duplicate rule names for multiple icmp types
2 parents 4a9bb1f + 326f483 commit 00bba7e


2 files changed

+93
-2
lines changed


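--- a/manifests/rules/out/icmp.pp
+++ b/manifests/rules/out/icmp.pp
@@ -11,7 +11,8 @@
 ) {
 if $v4_types {
 $v4_types.each | String $icmp_type | {
-nftables::rule { 'default_out-accept_icmpv4':
+# make sure we get a unique rulename per icmp_type
+nftables::rule { "default_out-accept_icmpv4_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}":
 content => "ip protocol icmp icmp type ${icmp_type} accept",
 order => $order,
 }
@@ -25,7 +26,8 @@
 
 if $v6_types {
 $v6_types.each | String $icmp_type | {
-nftables::rule { 'default_out-accept_icmpv6':
+# make sure we get a unique rulename per icmp_type
+nftables::rule { "default_out-accept_icmpv6_${regsubst(split($icmp_type, ' ')[0], '-', '_', 'G')}":
 content => "ip6 nexthdr ipv6-icmp icmpv6 type ${icmp_type} accept",
 order => $order,
 }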
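Review bot: The new `nftables::rule` titles in both hunks derive uniqueness only from the first whitespace-separated token of each entry, so two entries naming the same ICMP type with different qualifiers (e.g. `'echo-request limit rate 4/second'` and `'echo-request'`) map to the same title and catalog compilation fails with a duplicate declaration instead of emitting both rules. That failure is at least noisy rather than silently dropping a rule, but the constraint is stated nowhere in the hunk; the parameter documentation for `$v4_types` and `$v6_types` (outside the hunk) should say that the leading type token of each entry must be unique within the list, or the title should also fold in the entry's position via `$v4_types.each | Integer $idx, String $icmp_type | {` with `_${idx}` appended, which would however change the titles the new spec asserts. The `regsubst` only normalizes `-`; whether any other character a caller could place in the type token is acceptable in a rule title is not visible here and should be confirmed against `nftables::rule`. The enclosing class body begins before the first hunk.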
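--- /dev/null
+++ b/<spec file path not shown on page>
@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::out::icmp' do
+on_supported_os.each do |os, os_facts|
+context "on #{os}" do
+let(:facts) { os_facts }
+
+context 'default options' do
+it { is_expected.to compile.with_all_deps }
+
+it { is_expected.to contain_nftables__rule('default_out-accept_icmp').with_content('meta l4proto { icmp, icmpv6} accept').with_order('10') }
+it { is_expected.not_to contain_nftables__rule('default_out-accept_icmpv4') }
+it { is_expected.not_to contain_nftables__rule('default_out-accept_icmpv6') }
+end
+
+context 'with custom ICMP types (v4 only)' do
+let(:params) do
+{
+v4_types: ['echo-request limit rate 4/second', 'echo-reply'],
+}
+end
+
+it { is_expected.to compile }
+
+it {
+expect(subject).to contain_nftables__rule('default_out-accept_icmpv4_echo_request').with(
+content: 'ip protocol icmp icmp type echo-request limit rate 4/second accept',
+order: '10'
+)
+}
+
+it {
+expect(subject).to contain_nftables__rule('default_out-accept_icmpv4_echo_reply').with(
+content: 'ip protocol icmp icmp type echo-reply accept',
+order: '10'
+)
+}
+
+it {
+expect(subject).to contain_nftables__rule('default_out-accept_icmpv6').with(
+content: 'meta l4proto icmpv6 accept',
+order: '10'
+)
+}
+end
+
+context 'with custom ICMP types (both v4 and v6)' do
+let(:params) do
+{
+v4_types: ['echo-request limit rate 4/second', 'echo-reply'],
+v6_types: %w[echo-reply nd-router-advert],
+}
+end
+
+it { is_expected.to compile }
+
+it {
+expect(subject).to contain_nftables__rule('default_out-accept_icmpv4_echo_request').with(
+content: 'ip protocol icmp icmp type echo-request limit rate 4/second accept',
+order: '10'
+)
+}
+
+it {
+expect(subject).to contain_nftables__rule('default_out-accept_icmpv4_echo_reply').with(
+content: 'ip protocol icmp icmp type echo-reply accept',
+order: '10'
+)
+}
+
+it {
+expect(subject).to contain_nftables__rule('default_out-accept_icmpv6_echo_reply').with(
+content: 'ip6 nexthdr ipv6-icmp icmpv6 type echo-reply accept',
+order: '10'
+)
+}
+
+it {
+expect(subject).to contain_nftables__rule('default_out-accept_icmpv6_nd_router_advert').with(
+content: 'ip6 nexthdr ipv6-icmp icmpv6 type nd-router-advert accept',
+order: '10'
+)
+}
+end
+end
+end
+end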
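Review bot: The two custom-type contexts assert only `it { is_expected.to compile }` while the default context asserts `compile.with_all_deps` (file line 11); the weaker form skips dependency resolution for exactly the newly titled resources this change introduces, so using `it { is_expected.to compile.with_all_deps }` in all three contexts keeps the spec consistent and stronger. The spec also has no case for two entries that share a leading type token, e.g. `v4_types: ['echo-request limit rate 4/second', 'echo-request']`, which now resolve to the same resource title; a context pinning the catalog's behaviour there — presumably `is_expected.not_to compile`, given Puppet's duplicate-declaration handling — would document that edge for future maintainers. The path of this new file is not shown on the page.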
