Allowing ICMP types.

puppetlabs · Apr 30, 2024 · 079e4ff · 079e4ff
1 parent 5f675b3
commit 079e4ff
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/lib/puppet_x/puppetlabs/firewall/utility.rb b/lib/puppet_x/puppetlabs/firewall/utility.rb
@@ -141,7 +141,7 @@ def self.host_to_mask(value, proto)
 
     # Translate the symbolic names for icmp packet types to integers
     def self.icmp_name_to_number(value_icmp, protocol)
-      if value_icmp.to_s.match?(%r{^\d+$})
+      if value_icmp.to_s.match?(%r{^(\d+|\d+\/\d+)$})
         value_icmp.to_s
       elsif ['IPv4', 'iptables'].include?(protocol)
         # https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml

diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb
@@ -194,6 +194,12 @@ class { 'firewall': }
           icmp   => 'time-exceeded',
           jump   => 'ACCEPT',
         }
+        firewall { '014 icmp destination-unreachable/fragmentation-needed':
+          proto  => 'icmp',
+          icmp   => '3/4',
+          jump   => 'ACCEPT',
+        }
+
         firewall { '443 ssl on aliased interface':
           proto   => 'tcp',
           dport   => '443',
@@ -260,6 +266,7 @@ class { 'firewall': }
       %r{-A INPUT -p (icmp|1) -m icmp --icmp-type 3 -m comment --comment "013 icmp destination-unreachable" -j ACCEPT},
       %r{-A INPUT -s 10.0.0.0/(8|255\.0\.0\.0) -p (icmp|1) -m icmp --icmp-type 8 -m comment --comment "013 icmp echo-request" -j ACCEPT},
       %r{-A INPUT -p (icmp|1) -m icmp --icmp-type 11 -m comment --comment "013 icmp time-exceeded" -j ACCEPT},
+      %r{-A INPUT -p (icmp|1) -m icmp --icmp-type 3/4 -m comment --comment "014 icmp destination-unreachable/fragmentation-needed" -j ACCEPT},
       %r{-A INPUT -p (tcp|6) -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "020 ssh" -j ACCEPT},
       %r{-A INPUT -i eth0:3 -p (tcp|6) -m tcp --dport 443 -m conntrack --ctstate NEW -m comment --comment "443 ssl on aliased interface" -j ACCEPT},
       %r{-A INPUT -m comment --comment "900 LOCAL_INPUT" -j LOCAL_INPUT},

diff --git a/spec/unit/puppet_x/puppetlabs/firewall/utility_spec.rb b/spec/unit/puppet_x/puppetlabs/firewall/utility_spec.rb
@@ -143,6 +143,7 @@
       it { expect(utility.icmp_name_to_number('timestamp-reply', proto)).to eql '14' }
       it { expect(utility.icmp_name_to_number('address-mask-request', proto)).to eql '17' }
       it { expect(utility.icmp_name_to_number('address-mask-reply', proto)).to eql '18' }
+      it { expect(utility.icmp_name_to_number('3/4', proto)).to eql '3/4' }
     end
 
     context 'with proto IPv6' do