firewall: generally accept "jump" param and use tripleo:firewall for log rule

Tentative fix for bug #1669763, trying to use the same class for every
rule we want to add to the chain.

Change-Id: I4ba451c1b258391c8f1cfb4d73e38828c437b1c1
Closes-Bug: #1669763

diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp
index b76db75..7b5f563 100644 (file)
--- a/manifests/firewall/post.pp
+++ b/manifests/firewall/post.pp
@@ -36,7 +36,7 @@ class tripleo::firewall::post(
   if $debug {
     warning('debug is enabled, the traffic is not blocked.')
   } else {
-    firewall { '998 log all':
+    tripleo::firewall::rule{ '998 log all':
       proto => 'all',
       jump  => 'LOG',
     }

diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index 688144e..f1ea0c9 100644 (file)
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -39,6 +39,10 @@
 #  (optional) The action policy associated to the rule.
 #  Defaults to 'accept'
 #
+# [*jump*]
+#  (optional) The chain to jump to.
+#  If present, overrides action
+#
 # [*state*]
 #  (optional) Array of states associated to the rule..
 #  Defaults to ['NEW']
@@ -75,6 +79,7 @@ define tripleo::firewall::rule (
   $chain       = 'INPUT',
   $destination = undef,
   $extras      = {},
+  $jump        = undef,
 ) {
 
   if $port == 'all' {
@@ -85,16 +90,25 @@ define tripleo::firewall::rule (
     $port_real = $port
   }
 
+  if $jump != undef {
+    $jump_real   = $jump
+    $action_real = undef
+  } else {
+    $jump_real   = undef
+    $action_real = $action
+  }
+
   $basic = {
     'port'        => $port_real,
     'dport'       => $dport,
     'sport'       => $sport,
     'proto'       => $proto,
-    'action'      => $action,
+    'action'      => $action_real,
     'source'      => $source,
     'iniface'     => $iniface,
     'chain'       => $chain,
     'destination' => $destination,
+    'jump'        => $jump_real,
   }
   if $proto == 'icmp' {
     $ipv6 = {