add support for interface specific rules

diff --git a/README.md b/README.md
index e05cba51c41fe9c668a646ea455b27fd77c5e2ef..324134fa31de30fffe46e4ebf254fb52d960933e 100644 (file)
--- a/README.md
+++ b/README.md
@@ -178,6 +178,10 @@ Same as above, just for the destination IP address
 
 Add or remove it from the ruleset
 
+#### `interface`
+
+If set, this rule only applies to this specific interface
+
 ### chain defined resource
 
 The module defines the three default chains for you, INPUT, FORWARD and OUTPUT.

diff --git a/manifests/chain.pp b/manifests/chain.pp
index 6a01607f4ff62405df09ae5cbfe9e8b184089438..0a0071a5f60f25a2f9f802b14317c147ac0dd043 100644 (file)
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -31,7 +31,7 @@ define ferm::chain (
     concat::fragment{"${chain}-footer":
       target  => "/etc/ferm.d/chains/${chain}.conf",
       content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
-      order   => '99',
+      order   => 'zzzzzzzzzzzzzzzzzzzzz',
     }
   }
 }

diff --git a/manifests/rule.pp b/manifests/rule.pp
index c87ef7f6637ca052779ac7c630db68ce4804699d..b8ae29a8cde92630730876ca88d826ae3eac80b1 100644 (file)
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -8,6 +8,7 @@
 # @param saddr The source address we want to match
 # @param daddr The destination address we want to match
 # @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+# @param interface an Optional interface where this rule should be applied
 # @param ensure Set the rule to present or absent
 define ferm::rule (
   Ferm::Chains $chain,
@@ -19,6 +20,7 @@ define ferm::rule (
   Optional[String[1]] $saddr = undef,
   Optional[String[1]] $daddr = undef,
   Optional[String[1]] $proto_options = undef,
+  Optional[String[1]] $interface = undef,
   Enum['absent','present'] $ensure = 'present',
 ){
   $proto_real = "proto ${proto}"
@@ -47,9 +49,33 @@ define ferm::rule (
 
   $rule = squeeze("${comment_real} ${proto_real} ${proto_options_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ')
   if $ensure == 'present' {
-    concat::fragment{"${chain}-${name}":
-      target  => "/etc/ferm.d/chains/${chain}.conf",
-      content => "${rule}\n",
+    if $interface {
+      unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) {
+        concat::fragment{"${chain}-${interface}-aaa":
+          target  => "/etc/ferm.d/chains/${chain}.conf",
+          content => "interface ${interface} {\n",
+          order   => $interface,
+        }
+      }
+
+      concat::fragment{"${chain}-${interface}-${name}":
+        target  => "/etc/ferm.d/chains/${chain}.conf",
+        content => "  ${rule}\n",
+        order   => $interface,
+      }
+
+      unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) {
+        concat::fragment{"${chain}-${interface}-zzz":
+          target  => "/etc/ferm.d/chains/${chain}.conf",
+          content => "}\n",
+          order   => $interface,
+        }
+      }
+    } else {
+      concat::fragment{"${chain}-${name}":
+        target  => "/etc/ferm.d/chains/${chain}.conf",
+        content => "${rule}\n",
+      }
     }
   }
 }

diff --git a/spec/defines/rule_spec.rb b/spec/defines/rule_spec.rb
index 04739709654ca992c5e3664aa0cff1a394132f15..bd4ed731d66770227557d870f5d777e7dc56730a 100644 (file)
--- a/spec/defines/rule_spec.rb
+++ b/spec/defines/rule_spec.rb
@@ -6,21 +6,39 @@ describe 'ferm::rule', type: :define do
       let :facts do
         facts
       end
-      let(:title) { 'filter-ssh' }
-      let :params do
-        {
-          chain: 'INPUT',
-          policy: 'ACCEPT',
-          proto: 'tcp',
-          dport: '22',
-          saddr: '127.0.0.1'
-        }
-      end
 
-      context 'default params create simple rule' do
+      context 'without a specific interface' do
+        let(:title) { 'filter-ssh' }
+        let :params do
+          {
+            chain: 'INPUT',
+            policy: 'ACCEPT',
+            proto: 'tcp',
+            dport: '22',
+            saddr: '127.0.0.1'
+          }
+        end
+
         it { is_expected.to compile.with_all_deps }
         it { is_expected.to contain_concat__fragment('INPUT-filter-ssh').with_content("mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
-        it { is_expected.to contain_concat__fragment('INPUT-filter-ssh') }
+      end
+      context 'with a specific interface' do
+        let(:title) { 'filter-ssh' }
+        let :params do
+          {
+            chain: 'INPUT',
+            policy: 'ACCEPT',
+            proto: 'tcp',
+            dport: '22',
+            saddr: '127.0.0.1',
+            interface: 'eth0'
+          }
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_concat__fragment('INPUT-eth0-filter-ssh').with_content("  mod comment comment 'filter-ssh' proto tcp dport 22 saddr @ipfilter(127.0.0.1) ACCEPT;\n") }
+        it { is_expected.to contain_concat__fragment('INPUT-eth0-aaa').with_content("interface eth0 {\n") }
+        it { is_expected.to contain_concat__fragment('INPUT-eth0-zzz').with_content("}\n") }
       end
     end
   end