Merge pull request #80 from dcarley/10274-zero_prefixlen_addresses

(#10274) Nullify addresses with zero prefixlen

Author: kbarber

lib/puppet/util/firewall.rb

@@ -69,11 +69,31 @@ def string_to_port(value)
     end
   end
 
+  # Takes an address and returns it in CIDR notation.
+  #
+  # If the address is:
+  #
+  #   - A hostname:
+  #     It will be resolved
+  #   - An IPv4 address:
+  #     It will be qualified with a /32 CIDR notation
+  #   - An IPv6 address:
+  #     It will be qualified with a /128 CIDR notation
+  #   - An IP address with a CIDR notation:
+  #     It will be normalised
+  #   - An IP address with a dotted-quad netmask:
+  #     It will be converted to CIDR notation
+  #   - Any address with a resulting prefix length of zero:
+  #     It will return nil which is equivilent to not specifying an address
+  #
   def host_to_ip(value)
     begin
-      Puppet::Util::IPCidr.new(value).cidr
+      value = Puppet::Util::IPCidr.new(value)
     rescue
-      Puppet::Util::IPCidr.new(Resolv.getaddress(value)).cidr
+      value = Puppet::Util::IPCidr.new(Resolv.getaddress(value))
     end
+
+    return nil if value.prefixlen == 0
+    value.cidr
   end
 end

spec/fixtures/iptables/conversion_hash.rb

@@ -274,6 +274,24 @@
     :args => ["-t", :filter, "-p", :tcp, "-m", "comment", "--comment",
       "100 no action"],
   },
+  'zero_prefixlen_ipv4' => {
+    :params => {
+      :name => '100 zero prefix length ipv4',
+      :table => 'filter',
+      :source => '0.0.0.0/0',
+      :destination => '0.0.0.0/0',
+    },
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv4'],
+  },
+  'zero_prefixlen_ipv6' => {
+    :params => {
+      :name => '100 zero prefix length ipv6',
+      :table => 'filter',
+      :source => '::/0',
+      :destination => '::/0',
+    },
+    :args => ['-t', :filter, '-p', :tcp, '-m', 'comment', '--comment', '100 zero prefix length ipv6'],
+  },
   'sport_range_1' => {
     :params => {
       :name => "100 sport range",

spec/unit/puppet/type/firewall_spec.rb

@@ -116,6 +116,12 @@
         @resource[addr] = '127.0.0.1'
         @resource[addr].should == '127.0.0.1/32'
       end
+      ['0.0.0.0/0', '::/0'].each do |prefix|
+        it "should be nil for zero prefix length address #{prefix}" do
+          @resource[addr] = prefix
+          @resource[addr].should == nil
+        end
+      end
     end
   end
 

spec/unit/puppet/util/firewall_spec.rb

@@ -18,6 +18,8 @@
     specify { subject.host_to_ip('96.126.112.51/32').should == '96.126.112.51/32' }
     specify { subject.host_to_ip('2001:db8:85a3:0:0:8a2e:370:7334').should == '2001:db8:85a3::8a2e:370:7334/128' }
     specify { subject.host_to_ip('2001:db8:1234::/48').should == '2001:db8:1234::/48' }
+    specify { subject.host_to_ip('0.0.0.0/0').should == nil }
+    specify { subject.host_to_ip('::/0').should == nil }
   end
 
   describe '#icmp_name_to_number' do

spec/unit/puppet/util/ipcidr_spec.rb

@@ -25,6 +25,14 @@
     specify { subject.netmask.should == '255.255.255.0' }
   end
 
+  describe 'ipv4 open range with cidr' do
+    before { @ipcidr = Puppet::Util::IPCidr.new('0.0.0.0/0') }
+    subject { @ipcidr }
+    specify { subject.cidr.should == '0.0.0.0/0' }
+    specify { subject.prefixlen.should == 0 }
+    specify { subject.netmask.should == '0.0.0.0' }
+  end
+
   describe 'ipv6 address' do
     before { @ipaddr = Puppet::Util::IPCidr.new('2001:db8:85a3:0:0:8a2e:370:7334') }
     subject { @ipaddr }
@@ -48,4 +56,12 @@
     specify { subject.prefixlen.should == 48 }
     specify { subject.netmask.should == 'ffff:ffff:ffff:0000:0000:0000:0000:0000' }
   end
+
+  describe 'ipv6 open range with cidr' do
+    before { @ipaddr = Puppet::Util::IPCidr.new('::/0') }
+    subject { @ipaddr }
+    specify { subject.cidr.should == '::/0' }
+    specify { subject.prefixlen.should == 0 }
+    specify { subject.netmask.should == '0000:0000:0000:0000:0000:0000:0000:0000' }
+  end
 end