[openstack-puppet-modules/el6-icehouse] Added missing puppetlabs-firewall patch
Martin Mágr
mmagr at fedoraproject.org
Fri May 16 13:34:53 UTC 2014
commit 3242baec14a47ed871061233e67aadccd6e80ba2
Author: Martin Magr <mmagr at redhat.com>
Date: Fri May 16 15:30:21 2014 +0200
Added missing puppetlabs-firewall patch
openstack-puppet-modules.spec | 11 ++-
puppetlabs-firewall-pull-request-337.patch | 209 ++++++++++++++++++++++++++++
2 files changed, 219 insertions(+), 1 deletions(-)
---
diff --git a/openstack-puppet-modules.spec b/openstack-puppet-modules.spec
index 1ff5eeb..bf50eb4 100644
--- a/openstack-puppet-modules.spec
+++ b/openstack-puppet-modules.spec
@@ -40,7 +40,7 @@
Name: openstack-puppet-modules
Version: 2014.1
-Release: 11%{?dist}
+Release: 11.1%{?dist}
Summary: Puppet modules used to deploy OpenStack
License: ASL 2.0 and GPLv2 and GPLv3
@@ -93,6 +93,7 @@ Patch5: keystone.patch
Patch6: nova.patch
Patch7: 0001-Use-lioadm-as-iscsi-helper-on-RHEL-7.patch
Patch8: 0001-Quickfix-to-remove-duplication-with-ceilometer-agent.patch
+Patch9: puppetlabs-firewall-pull-request-337.patch
BuildArch: noarch
Requires: rubygem-json
@@ -167,6 +168,11 @@ cd %{_builddir}/%{name}-%{version}/puppet-cinder-%{cinder_commit}
cd %{_builddir}/%{name}-%{version}/puppet-keystone-%{keystone_commit}
%patch5 -p1
+# puppetlabs-firewall patches
+cd %{_builddir}/%{name}-%{version}/puppetlabs-firewall-%{firewall_commit}
+%patch9 -p1
+
+
find %{_builddir}/%{name}-%{version}/ -type f -name ".*" -exec rm {} +
find %{_builddir}/%{name}-%{version}/ -size 0 -exec rm {} +
find %{_builddir}/%{name}-%{version}/ \( -name "*.pl" -o -name "*.sh" \) -exec chmod +x {} +
@@ -225,6 +231,9 @@ rm -f %{buildroot}/%{_datadir}/openstack-puppet/modules/nova/files/nova-novncpro
%changelog
+* Fri May 16 2014 Martin Mágr <mmagr at redhat.com> - 2014.1-11.1
+- Added missing puppetlabs-firewall-pull-request-337.patch
+
* Wed May 14 2014 Martin Mágr <mmagr at redhat.com> - 2014.1-11
- Synchronized modules with current master branch of redhat-openstack/openstack-puppet-modules
diff --git a/puppetlabs-firewall-pull-request-337.patch b/puppetlabs-firewall-pull-request-337.patch
new file mode 100644
index 0000000..6668f7a
--- /dev/null
+++ b/puppetlabs-firewall-pull-request-337.patch
@@ -0,0 +1,209 @@
+From 7bc85e290fd3cc4b7e9d1e8fb2972e658bd1b201 Mon Sep 17 00:00:00 2001
+From: Jeff '2 bits' Bachtel <jbachtel at bericotechnologies.com>
+Date: Wed, 5 Mar 2014 12:32:02 -0500
+Subject: [PATCH 1/5] Add support for mac address source rules
+
+This is necessary to parse rules generated on OpenStack Havana + Neutron + OpenVSwitch
+---
+ lib/puppet/provider/firewall/iptables.rb | 5 +++--
+ spec/fixtures/iptables/conversion_hash.rb | 9 +++++++++
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
+index 698e731..ba98227 100644
+--- a/lib/puppet/provider/firewall/iptables.rb
++++ b/lib/puppet/provider/firewall/iptables.rb
+@@ -50,7 +50,7 @@
+ :destination => "-d",
+ :dst_type => "-m addrtype --dst-type",
+ :dst_range => "-m iprange --dst-range",
+- :dport => ["-m multiport --dports", "--dport"],
++ :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
+ :gid => "-m owner --gid-owner",
+ :icmp => "-m icmp --icmp-type",
+ :iniface => "-i",
+@@ -58,6 +58,7 @@
+ :limit => "-m limit --limit",
+ :log_level => "--log-level",
+ :log_prefix => "--log-prefix",
++ :mac_addr => ["-m mac --mac-source", "--mac-source"],
+ :name => "-m comment --comment",
+ :outiface => "-o",
+ :port => '-m multiport --ports',
+@@ -137,7 +138,7 @@
+ # This order can be determined by going through iptables source code or just tweaking and trying manually
+ @resource_list = [
+ :table, :source, :destination, :iniface, :outiface, :proto, :isfragment,
+- :src_range, :dst_range, :tcp_flags, :gid, :uid, :sport, :dport, :port,
++ :src_range, :dst_range, :tcp_flags, :gid, :uid, :mac_addr, :sport, :dport, :port,
+ :dst_type, :src_type, :socket, :pkttype, :name, :ipsec_dir, :ipsec_policy,
+ :state, :ctstate, :icmp, :limit, :burst, :recent, :rseconds, :reap,
+ :rhitcount, :rttl, :rname, :rsource, :rdest, :jump, :todest, :tosource,
+diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
+index 042e8bb..7ce1470 100644
+--- a/spec/fixtures/iptables/conversion_hash.rb
++++ b/spec/fixtures/iptables/conversion_hash.rb
+@@ -6,6 +6,15 @@
+ # This hash is for testing a line conversion to a hash of parameters
+ # which will be used to create a resource.
+ ARGS_TO_HASH = {
++ 'mac_source_1' => {
++ :line => '-A neutron-openvswi-FORWARD -b -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
++ :table => 'filter',
++ :params => {
++ :chain => 'neutron-openvswi-FORWARD',
++ :source => '1.2.3.4/32',
++ :mac_addr => 'FA:16:00:00:00:00',
++ },
++ },
+ 'dport_and_sport' => {
+ :line => '-A nova-compute-FORWARD -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT',
+ :table => 'filter',
+--
+1.9.1
+
+
+From 555a37e5b4bf44db9ccc827cf893d049c5974795 Mon Sep 17 00:00:00 2001
+From: Jeff '2 bits' Bachtel <jbachtel at bericotechnologies.com>
+Date: Wed, 5 Mar 2014 12:35:46 -0500
+Subject: [PATCH 2/5] Fix bad rebase
+
+---
+ lib/puppet/provider/firewall/iptables.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
+index ba98227..f67cb21 100644
+--- a/lib/puppet/provider/firewall/iptables.rb
++++ b/lib/puppet/provider/firewall/iptables.rb
+@@ -50,7 +50,7 @@
+ :destination => "-d",
+ :dst_type => "-m addrtype --dst-type",
+ :dst_range => "-m iprange --dst-range",
+- :dport => ["-m multiport --dports", "-m (udp|tcp) --dport", "--dport"],
++ :dport => ["-m multiport --dports", "--dport"],
+ :gid => "-m owner --gid-owner",
+ :icmp => "-m icmp --icmp-type",
+ :iniface => "-i",
+--
+1.9.1
+
+
+From 313b4dd0fe61ee5dddab1e45cf42365fac5ae736 Mon Sep 17 00:00:00 2001
+From: Damian Szeluga <dszeluga at mirantis.com>
+Date: Fri, 21 Mar 2014 15:12:02 +0100
+Subject: [PATCH 3/5] Missing type definition
+
+---
+ lib/puppet/type/firewall.rb | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
+index 4701e27..d959d3c 100644
+--- a/lib/puppet/type/firewall.rb
++++ b/lib/puppet/type/firewall.rb
+@@ -857,6 +857,13 @@ def should_to_s(value)
+ Read-only property for caching the rule line.
+ EOS
+ end
++
++ newproperty(:mac_addr) do
++ desc <<-EOS
++ MAC Address
++ EOS
++ newvalues(/^([0-9a-f]{2}[:]){6}$/i)
++ end
+
+ autorequire(:firewallchain) do
+ reqs = []
+--
+1.9.1
+
+
+From 9afd0fdadf99980e6454043bf8e0e452c242736e Mon Sep 17 00:00:00 2001
+From: Damian Szeluga <dszeluga at mirantis.com>
+Date: Fri, 21 Mar 2014 16:53:52 +0100
+Subject: [PATCH 4/5] Fix failing test
+
+---
+ spec/fixtures/iptables/conversion_hash.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/spec/fixtures/iptables/conversion_hash.rb b/spec/fixtures/iptables/conversion_hash.rb
+index 7ce1470..d50b1e8 100644
+--- a/spec/fixtures/iptables/conversion_hash.rb
++++ b/spec/fixtures/iptables/conversion_hash.rb
+@@ -7,7 +7,7 @@
+ # which will be used to create a resource.
+ ARGS_TO_HASH = {
+ 'mac_source_1' => {
+- :line => '-A neutron-openvswi-FORWARD -b -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
++ :line => '-A neutron-openvswi-FORWARD -s 1.2.3.4/32 -m mac --mac-source FA:16:00:00:00:00 -j ACCEPT',
+ :table => 'filter',
+ :params => {
+ :chain => 'neutron-openvswi-FORWARD',
+--
+1.9.1
+
+
+From 33be12484e6eb3a0c257a5b7dcb2e070fa3f1331 Mon Sep 17 00:00:00 2001
+From: Damian Szeluga <dszeluga at mirantis.com>
+Date: Wed, 23 Apr 2014 12:22:33 +0200
+Subject: [PATCH 5/5] Acceptance testing + fix parameter match
+
+---
+ lib/puppet/type/firewall.rb | 2 +-
+ spec/acceptance/firewall_spec.rb | 24 ++++++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
+index d959d3c..1512fd6 100644
+--- a/lib/puppet/type/firewall.rb
++++ b/lib/puppet/type/firewall.rb
+@@ -862,7 +862,7 @@ def should_to_s(value)
+ desc <<-EOS
+ MAC Address
+ EOS
+- newvalues(/^([0-9a-f]{2}[:]){6}$/i)
++ newvalues(/^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$/i)
+ end
+
+ autorequire(:firewallchain) do
+diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
+index 486ce56..89da439 100644
+--- a/spec/acceptance/firewall_spec.rb
++++ b/spec/acceptance/firewall_spec.rb
+@@ -1607,6 +1607,30 @@ class { '::firewall': }
+ end
+ end
+
++ describe 'mac_addr' do
++ context '0A:1B:3C:4D:5E:6F' do
++ it 'applies' do
++ pp = <<-EOS
++ class { '::firewall': }
++ firewall { '610 - test':
++ ensure => present,
++ source => '10.1.5.28/32',
++ mac_addr => '0A:1B:3C:4D:5E:6F',
++ chain => 'INPUT',
++ }
++ EOS
++
++ apply_manifest(pp, :catch_failures => true)
++ end
++
++ it 'should contain the rule' do
++ shell('iptables-save') do |r|
++ expect(r.stdout).to match(/-A INPUT -s 10.1.5.28\/(32|255\.255\.255\.255) -p tcp -m mac --mac-source 0A:1B:3C:4D:5E:6F -m comment --comment "610 - test"/)
++ end
++ end
++ end
++ end
++
+ describe 'reset' do
+ it 'deletes all rules' do
+ shell('ip6tables --flush')
+--
+1.9.1
+
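Review bot: The final `mac_addr` validation in lib/puppet/type/firewall.rb (patch 5/5) anchors with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string, so a multi-line value that contains one MAC-shaped line would presumably still be accepted. Since this regex is the only check visible in the patch before the value is used with `--mac-source`, I would pin the whole string: `newvalues(/\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i)`. The acceptance expectation in spec/acceptance/firewall_spec.rb leaves the dots in `10.1.5.28` unescaped, so it matches more than the intended address; `10\.1\.5\.28` would tighten it. The `desc` text is only "MAC Address" and could state the expected colon-separated format and that the property matches the source MAC of the packet.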