From 4197b5767f4722878be828a3017a992d8814df10 Mon Sep 17 00:00:00 2001
From: Matthias Hensler
Date: Fri, 21 Aug 2020 13:41:42 +0200
Subject: [PATCH] enable eb-family for all relevant firewalld-types see https://github.com/voxpupuli/puppet-firewalld/issues/298
---
 README.md | 6 ++---
 REFERENCE.md | 16 ++++++------
 lib/puppet/type/firewalld_direct_chain.rb | 4 +--
 .../type/firewalld_direct_passthrough.rb | 4 +--
 lib/puppet/type/firewalld_direct_rule.rb | 4 +--
 lib/puppet/type/firewalld_rich_rule.rb | 4 +--
 .../puppet/type/firewalld_direct_rule_spec.rb | 26 +++++++++++++++++++
 7 files changed, 45 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 1c2e2716..c3ec4b35 100644
--- a/README.md
+++ b/README.md
@@ -636,7 +636,7 @@ firewalld::direct_chains:
 #### Parameters (Firewalld Direct Chains)
 * `name`: name of the chain, eg `LOG_DROPS` (namevar)
-* `inet_protocol`: ipv4 or ipv6, defaults to ipv4 (namevar)
+* `inet_protocol`: ipv4, ipv6 or eb, defaults to ipv4 (namevar)
 * `table`: The table (eg: filter) to apply the chain (namevar)
 ### Firewalld Direct Rules
@@ -674,7 +674,7 @@ firewalld::direct_rules:
 * `name`: Resource name in Puppet
 * `ensure`: present or absent
-* `inet_protocol`: ipv4 or ipv6, defaults to ipv4
+* `inet_protocol`: ipv4, ipv6 or eb, defaults to ipv4
 * `table`: Table (eg: filter) which to apply the rule
 * `chain`: Chain (eg: OUTPUT) which to apply the rule
 * `priority`: The priority number of the rule (e.g: 0, 1, 2, ... 99)
@@ -709,7 +709,7 @@ firewalld::direct_passthroughs:
 * `name`: Resource name in Puppet
 * `ensure`: present or absent
-* `inet_protocol`: ipv4 or ipv6, defaults to ipv4
+* `inet_protocol`: ipv4, ipv6 or eb, defaults to ipv4
 * `args`: Name of the passthroughhrough to add (e.g: -A OUTPUT -j OUTPUT_filter)
diff --git a/REFERENCE.md b/REFERENCE.md
index 6f7176d0..b7c735d7 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -490,11 +490,11 @@ The following parameters are available in the `firewalld_direct_chain` type.
 ##### `inet_protocol`
-Valid values: `ipv4`, `ipv6`
+Valid values: `ipv4`, `ipv6`, `eb`
 namevar
-Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)
+Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)
 Default value: `ipv4`
@@ -559,9 +559,9 @@ Name of the passthroughhrough to add (e.g: -A OUTPUT -j OUTPUT_filter)
 ##### `inet_protocol`
-Valid values: `ipv4`, `ipv6`
+Valid values: `ipv4`, `ipv6`, `eb`
-Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)
+Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)
 Default value: `ipv4`
@@ -669,9 +669,9 @@ Name of the chain type to add (e.g: INPUT, OUTPUT, FORWARD)
 ##### `inet_protocol`
-Valid values: `ipv4`, `ipv6`
+Valid values: `ipv4`, `ipv6`, `eb`
-Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)
+Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)
 Default value: `ipv4`
@@ -1043,9 +1043,9 @@ Specify destination address, this can be a string of the IP address or a hash co
 ##### `family`
-Valid values: `ipv4`, `ipv6`
+Valid values: `ipv4`, `ipv6`, `eb`
-IP family, one of ipv4 or ipv6, defauts to ipv4
+IP family, one of ipv4, ipv6 or eb, defauts to ipv4
 Default value: `ipv4`
diff --git a/lib/puppet/type/firewalld_direct_chain.rb b/lib/puppet/type/firewalld_direct_chain.rb
index aa3c715d..81b962d8 100644
--- a/lib/puppet/type/firewalld_direct_chain.rb
+++ b/lib/puppet/type/firewalld_direct_chain.rb
@@ -39,8 +39,8 @@ def self.title_patterns
 end
 newparam(:inet_protocol) do
- desc 'Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)'
- newvalues('ipv4', 'ipv6')
+ desc 'Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)'
+ newvalues('ipv4', 'ipv6', 'eb')
 defaultto('ipv4')
 munge(&:to_s)
 isnamevar
diff --git a/lib/puppet/type/firewalld_direct_passthrough.rb b/lib/puppet/type/firewalld_direct_passthrough.rb
index 7ac2c0a2..a5eab941 100644
--- a/lib/puppet/type/firewalld_direct_passthrough.rb
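Review bot: The `desc` on `inet_protocol` in `firewalld_direct_chain.rb` still calls the value a TCP/IP protocol, which `eb` is not; on firewalld's direct interface it selects the ebtables backend, so the generated reference gives an operator no hint that the chain is created at the bridge layer and not in iptables or ip6tables. I would reword it as `desc 'Address family for the direct interface: ipv4 (iptables), ipv6 (ip6tables) or eb (ebtables)'`. The same string is repeated in the `firewalld_direct_passthrough.rb` and `firewalld_direct_rule.rb` hunks and needs the same change. Because `inet_protocol` is a namevar on this type and the body of `self.title_patterns` lies outside the hunk, it is worth confirming that a composite title carrying `eb` is still split into the right namevars.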
+++ b/lib/puppet/type/firewalld_direct_passthrough.rb
@@ -27,8 +27,8 @@
 end
 newparam(:inet_protocol) do
- desc 'Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)'
- newvalues('ipv4', 'ipv6')
+ desc 'Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)'
+ newvalues('ipv4', 'ipv6', 'eb')
 defaultto('ipv4')
 munge(&:to_s)
 end
diff --git a/lib/puppet/type/firewalld_direct_rule.rb b/lib/puppet/type/firewalld_direct_rule.rb
index 20b45a01..65d8e963 100644
--- a/lib/puppet/type/firewalld_direct_rule.rb
+++ b/lib/puppet/type/firewalld_direct_rule.rb
@@ -28,8 +28,8 @@
 end
 newparam(:inet_protocol) do
- desc 'Name of the TCP/IP protocol to use (e.g: ipv4, ipv6)'
- newvalues('ipv4', 'ipv6')
+ desc 'Name of the TCP/IP protocol to use (e.g: ipv4, ipv6, eb)'
+ newvalues('ipv4', 'ipv6', 'eb')
 defaultto('ipv4')
 munge(&:to_s)
 end
diff --git a/lib/puppet/type/firewalld_rich_rule.rb b/lib/puppet/type/firewalld_rich_rule.rb
index f75f428f..b03e8e57 100644
--- a/lib/puppet/type/firewalld_rich_rule.rb
+++ b/lib/puppet/type/firewalld_rich_rule.rb
@@ -42,8 +42,8 @@
 end
 newparam(:family) do
- desc 'IP family, one of ipv4 or ipv6, defauts to ipv4'
- newvalues(:ipv4, :ipv6)
+ desc 'IP family, one of ipv4, ipv6 or eb, defauts to ipv4'
+ newvalues(:ipv4, :ipv6, :eb)
 defaultto :ipv4
 munge(&:to_s)
 end
diff --git a/spec/unit/puppet/type/firewalld_direct_rule_spec.rb b/spec/unit/puppet/type/firewalld_direct_rule_spec.rb
index df9a9741..e50c9d9d 100644
--- a/spec/unit/puppet/type/firewalld_direct_rule_spec.rb
+++ b/spec/unit/puppet/type/firewalld_direct_rule_spec.rb
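Review bot: Adding `:eb` to `newvalues` on `family` in `firewalld_rich_rule.rb` makes the type accept a value that firewalld's rich language does not: its documented grammar is `rule [family="ipv4|ipv6"]`, and `eb` exists only on the direct interface. A manifest with `family => 'eb'` would then pass catalog validation and be refused only when the rule is applied, which leaves the intended filter absent on the host until someone reads the run report. Unless the provider handles this somewhere outside the visible hunks, this type should keep `newvalues(:ipv4, :ipv6)` and its previous `desc`, with the matching `family` entry in REFERENCE.md left as it was. The commit adds no spec that exercises a rich rule with `eb`, so nothing here would catch the mismatch.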
@@ -81,6 +81,32 @@
 end
 end
+ describe 'eb protocol' do
+ let(:resource) do
+ described_class.new(
+ name: 'disable vnet stp',
+ ensure: 'present',
+ inet_protocol: 'eb',
+ table: 'filter',
+ chain: 'FORWARD',
+ priority: 10,
+ args: '-i vnet+ -d BGA -j DROP'
+ )
+ end
+
+ let(:provider) { resource.provider }
+
+ it 'creates' do
+ provider.expects(:execute_firewall_cmd).with(['--direct', '--add-rule', ['eb', 'filter', 'FORWARD', '10', '-i', 'vnet+', '-d', 'BGA', '-j', 'DROP']], nil)
+ provider.create
+ end
+
+ it 'destroys' do
+ provider.expects(:execute_firewall_cmd).with(['--direct', '--remove-rule', ['eb', 'filter', 'FORWARD', '10', '-i', 'vnet+', '-d', 'BGA', '-j', 'DROP']], nil)
+ provider.destroy
+ end
+ end
+
 context 'autorequires' do
 # rubocop:disable RSpec/InstanceVariable
 before do
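Review bot: The new `describe 'eb protocol'` block covers only the accepted path for `firewalld_direct_rule`; nothing pins that a value outside the widened list is still refused, and the chain, passthrough and rich-rule types changed in this commit get no spec at all. For a firewall type the rejection path is the one worth locking down, for example `it 'rejects an unknown family' do` / `expect { described_class.new(name: 'x', inet_protocol: 'arp') }.to raise_error(Puppet::Error, %r{Invalid value})` / `end` (the values are constructed for illustration). The enclosing top-level `describe` starts outside the hunk, so the exact nesting for the new example should follow the blocks already in the file.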