Add support for icmp-block-inversion

lib/puppet/provider/firewalld_zone/firewall_cmd.rb

@@ -149,6 +149,23 @@ def icmp_blocks=(i)
     end
   end
 
+  def icmp_block_inversion
+    if execute_firewall_cmd(['--query-icmp-block-inversion'], @resource[:name], true, false).chomp == 'no'
+      return :false
+    else
+      return :true
+    end
+  end
+
+  def icmp_block_inversion=(bool)
+    case bool
+    when :true
+      execute_firewall_cmd(['--add-icmp-block-inversion'])
+    when :false
+      execute_firewall_cmd(['--remove-icmp-block-inversion'])
+    end
+  end
+
   # rubocop:disable Style/AccessorMethodName
   def get_rules
     perm = execute_firewall_cmd(['--list-rich-rules']).split(%r{\n})

lib/puppet/type/firewalld_zone.rb

@@ -17,16 +17,17 @@
     Note that setting `ensure => 'absent'` to the built in firewalld zones will
     not work, and will generate an error. This is a limitation of firewalld itself, not the module.
 
-    @example Create a zone called `restricted`
+    @example Create a zone called `restricted` allowing only `echo-request` icmp types
       firewalld_zone { 'restricted':
-        ensure           => present,
-        target           => '%%REJECT%%',
-        interfaces       => [],
-        sources          => [],
-        purge_rich_rules => true,
-        purge_services   => true,
-        purge_ports      => true,
-        icmp_blocks      => 'router-advertisement'
+        ensure               => present,
+        target               => '%%REJECT%%',
+        interfaces           => [],
+        sources              => [],
+        purge_rich_rules     => true,
+        purge_services       => true,
+        purge_ports          => true,
+        icmp_blocks          => 'echo-request'
+        icmp_block_inversion => true,
       }
   DOC
 
@@ -122,6 +123,12 @@ def insync?(is)
     end
   end
 
+  newproperty(:icmp_block_inversion) do
+    desc 'Can be set to true or false, specifies whether to set icmp_block_inversion from the zone'
+    newvalue(:true)
+    newvalue(:false)
+  end
+
   newproperty(:purge_rich_rules) do
     desc "When set to true any rich_rules associated with this zone
           that are not managed by Puppet will be removed.

spec/unit/puppet/provider/firewalld_zone_spec.rb

@@ -29,6 +29,7 @@
         resource.expects(:[]).with(:sources).returns(nil).at_least_once
         resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once
         resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once
+        resource.expects(:[]).with(:icmp_block_inversion).returns(nil).at_least_once
         resource.expects(:[]).with(:description).returns(nil).at_least_once
         resource.expects(:[]).with(:short).returns('little description').at_least_once
         provider.expects(:execute_firewall_cmd).with(['--list-interfaces'])
@@ -48,6 +49,7 @@
         resource.expects(:[]).with(:sources).returns(nil).at_least_once
         resource.expects(:[]).with(:interfaces).returns(['eth0']).at_least_once
         resource.expects(:[]).with(:icmp_blocks).returns(nil).at_least_once
+        resource.expects(:[]).with(:icmp_block_inversion).returns(nil).at_least_once
         resource.expects(:[]).with(:description).returns(nil).at_least_once
         resource.expects(:[]).with(:short).returns('little description').at_least_once
         provider.expects(:execute_firewall_cmd).with(['--list-interfaces'])

spec/unit/puppet/type/firewalld_zone_spec.rb

@@ -16,7 +16,7 @@
           end
         end
 
-        [:target, :icmp_blocks, :sources, :purge_rich_rules, :purge_services, :purge_ports].each do |param|
+        [:target, :icmp_blocks, :icmp_block_inversion, :sources, :purge_rich_rules, :purge_services, :purge_ports].each do |param|
           it "should have a #{param} parameter" do
             expect(described_class.attrtype(param)).to eq(:property)
           end
@@ -35,6 +35,7 @@
           target: '%%REJECT%%',
           interfaces: ['eth0'],
           icmp_blocks: ['redirect', 'router-advertisment'],
+          icmp_block_inversion: true,
           sources: ['192.168.2.2', '10.72.1.100']
         )
       end
@@ -67,6 +68,7 @@
         provider.expects(:execute_firewall_cmd).with(['--set-target', '%%REJECT%%'])
 
         provider.expects(:icmp_blocks=).with(['redirect', 'router-advertisment'])
+        provider.expects(:icmp_block_inversion=).with(true)
 
         provider.expects(:sources).returns([])
         provider.expects(:execute_firewall_cmd).with(['--add-source', '192.168.2.2'])
@@ -121,6 +123,16 @@
         expect(provider.icmp_blocks).to eq(['val'])
       end
 
+      it 'gets icmp_block_inversion false' do
+        provider.expects(:execute_firewall_cmd).with(['--query-icmp-block-inversion']).returns('no')
+        expect(provider.icmp_blocks).to eq(false)
+      end
+
+      it 'gets icmp_block_inversion true' do
+        provider.expects(:execute_firewall_cmd).with(['--query-icmp-block-inversion']).returns('yes')
+        expect(provider.icmp_blocks).to eq(true)
+      end
+
       it 'lists icmp types' do
         provider.expects(:execute_firewall_cmd).with(['--get-icmptypes'], nil).returns('echo-reply echo-request')
         expect(provider.get_icmp_types).to eq(['echo-reply', 'echo-request'])