allow using an array for $proto

This enables defining ferm::rule with multiple protocols at once,
because using 'all' for $proto does not allow using $dport/$sport.

diff --git a/REFERENCE.md b/REFERENCE.md
index 19ffae060ebb9ccd50ddebf2ea121741f4dcdd11..d9adadbe7d6db54516cd5338925b0c2294b2b91d 100644 (file)
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -412,7 +412,7 @@ Alias of `Enum['ACCEPT', 'DROP']`
 
 a list of allowed protocolls to match
 
-Alias of `Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']`
+Alias of `Variant[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all'], Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']]]`
 
 ### Ferm::Tables
 

diff --git a/manifests/rule.pp b/manifests/rule.pp
index 4f2c985899b22dd1e1514b8bcdefd0135af98bea..a9736012dce80f3d3d74c2f73587e3b3fb41d7a2 100644 (file)
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -73,8 +73,10 @@ define ferm::rule (
     Ferm::Chain <| chain == $action_temp and table == $table |> -> Ferm::Rule[$name]
   }
 
-
-  $proto_real = "proto ${proto}"
+  $proto_real = $proto ? {
+    Array  => "proto (${join($proto, ' ')})",
+    String => "proto ${proto}",
+  }
 
   $dport_real = $dport ? {
     undef   => '',

diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index ef20e17c4063cb023ad54421a21dbd9d35be6eac..33ce169d8e27154f77630e267d360c8ab39945b1 100644 (file)
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -114,6 +114,25 @@ describe 'ferm::rule', type: :define do
         it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
       end
 
+      context 'without a specific interface using array for proto' do
+        let(:title) { 'filter-consul' }
+        let :params do
+          {
+            chain: 'INPUT',
+            action: 'ACCEPT',
+            proto: %w[tcp udp],
+            dport: '(8301 8302)',
+            saddr: '127.0.0.1'
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_concat__fragment('INPUT-filter-consul').with_content("mod comment comment 'filter-consul' proto (tcp udp) dport (8301 8302) saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+        it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
+        it { is_expected.to contain_concat__fragment('filter-FORWARD-config-include') }
+        it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') }
+      end
+
       context 'with jumping to custom chains' do
         # create custom chain
         let(:pre_condition) do

diff --git a/types/protocols.pp b/types/protocols.pp
index ee3ac2bf5988bcbc61461f27e21aa0b09efc6a66..cdd76b2561dacc6e209c7f9d646f2a99e14bb820 100644 (file)
--- a/types/protocols.pp
+++ b/types/protocols.pp
@@ -1,2 +1,5 @@
 # @summary a list of allowed protocolls to match
-type Ferm::Protocols = Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']
+type Ferm::Protocols = Variant[
+  Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all'],
+  Array[Enum['icmp', 'tcp', 'udp', 'udplite', 'icmpv6', 'esp', 'ah', 'sctp', 'mh', 'all']],
+]