Merge pull request #59 from jeremmfr/issue-58

Fixes #58: add icmp_code* sub-arguments to resource firewall_filter

CHANGELOG.md

@@ -9,6 +9,7 @@ ENHANCEMENTS:
 * add `log` argument in resource `security` (Fixes parts of [#54](https://github.com/jeremmfr/terraform-provider-junos/issues/54))
 * add `forwarding_options` argument in resource `security` (Fixes parts of [#54](https://github.com/jeremmfr/terraform-provider-junos/issues/54))
 * add `proposal_set` argument in resource `security_ike_policy` and `security_ipsec_policy` (Fixes [#55](https://github.com/jeremmfr/terraform-provider-junos/issues/55))
+* add `icmp_code` and `icmp_code_except` sub-arguments for 'term.N.from' to resource `firewall_filter` (Fixes [#58](https://github.com/jeremmfr/terraform-provider-junos/issues/58))
 
 BUG FIXES:
 * remove useless ForceNew for `bind_interface_auto` argument in resource `security_ipsec_vpn`

junos/resource_firewall_filter.go

@@ -177,6 +177,16 @@ func resourceFirewallFilter() *schema.Resource {
 										Type:     schema.TypeBool,
 										Optional: true,
 									},
+									"icmp_code": {
+										Type:     schema.TypeList,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+									"icmp_code_except": {
+										Type:     schema.TypeList,
+										Optional: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
 									"icmp_type": {
 										Type:     schema.TypeList,
 										Optional: true,
@@ -642,6 +652,15 @@ func setFirewallFilterOptsFrom(setPrefixTermFrom string,
 	if fromMap["tcp_established"].(bool) {
 		configSet = append(configSet, setPrefixTermFrom+"tcp-established")
 	}
+	if len(fromMap["icmp_code"].([]interface{})) > 0 && len(fromMap["icmp_code_except"].([]interface{})) > 0 {
+		return nil, fmt.Errorf("conflict between icmp_code and icmp_code_except")
+	}
+	for _, icmp := range fromMap["icmp_code"].([]interface{}) {
+		configSet = append(configSet, setPrefixTermFrom+"icmp-code "+icmp.(string))
+	}
+	for _, icmp := range fromMap["icmp_code_except"].([]interface{}) {
+		configSet = append(configSet, setPrefixTermFrom+"icmp-code-except "+icmp.(string))
+	}
 	if len(fromMap["icmp_type"].([]interface{})) > 0 && len(fromMap["icmp_type_except"].([]interface{})) > 0 {
 		return nil, fmt.Errorf("conflict between icmp_type and icmp_type_except")
 	}
@@ -783,6 +802,11 @@ func readFirewallFilterOptsFrom(item string,
 		fromMap["tcp_initial"] = true
 	case strings.HasSuffix(item, "tcp-established"):
 		fromMap["tcp_established"] = true
+	case strings.HasPrefix(item, "icmp-code "):
+		fromMap["icmp_code"] = append(fromMap["icmp_code"].([]string), strings.TrimPrefix(item, "icmp-code "))
+	case strings.HasPrefix(item, "icmp-code-except "):
+		fromMap["icmp_code_except"] = append(fromMap["icmp_code_except"].([]string),
+			strings.TrimPrefix(item, "icmp-code-except "))
 	case strings.HasPrefix(item, "icmp-type "):
 		fromMap["icmp_type"] = append(fromMap["icmp_type"].([]string), strings.TrimPrefix(item, "icmp-type "))
 	case strings.HasPrefix(item, "icmp-type-except "):
@@ -861,6 +885,8 @@ func genMapFirewallFilterOptsFrom() map[string]interface{} {
 		"tcp_flags":                      "",
 		"tcp_initial":                    false,
 		"tcp_established":                false,
+		"icmp_code":                      make([]string, 0),
+		"icmp_code_except":               make([]string, 0),
 		"icmp_type":                      make([]string, 0),
 		"icmp_type_except":               make([]string, 0),
 		"is_fragment":                    false,

junos/resource_firewall_filter_test.go

@@ -21,7 +21,7 @@ func TestAccJunosFirewallFilter_basic(t *testing.T) {
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
 							"interface_specific", "true"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
-							"term.#", "1"),
+							"term.#", "2"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
 							"term.0.name", "testacc_fwFilter_term1"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
@@ -66,13 +66,23 @@ func TestAccJunosFirewallFilter_basic(t *testing.T) {
 							"term.0.then.0.port_mirror", "true"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
 							"term.0.then.0.service_accounting", "true"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.1.from.#", "1"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.1.from.0.icmp_code.#", "1"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.1.from.0.icmp_code.0", "network-unreachable"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.1.from.0.icmp_type.#", "1"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.1.from.0.icmp_type.0", "router-advertisement"),
 					),
 				},
 				{
 					Config: testAccJunosFirewallFilterConfigUpdate(),
 					Check: resource.ComposeTestCheckFunc(
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
-							"term.#", "4"),
+							"term.#", "5"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
 							"term.1.from.#", "1"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
@@ -125,6 +135,12 @@ func TestAccJunosFirewallFilter_basic(t *testing.T) {
 							"term.3.then.#", "1"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
 							"term.3.then.0.action", "reject"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.4.from.#", "1"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.4.from.0.icmp_code_except.#", "1"),
+						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter",
+							"term.4.from.0.icmp_type_except.#", "1"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter6",
 							"family", "inet6"),
 						resource.TestCheckResourceAttr("junos_firewall_filter.testacc_fwFilter6",
@@ -167,7 +183,7 @@ resource junos_firewall_filter "testacc_fwFilter" {
       prefix_list_except = [ junos_policyoptions_prefix_list.testacc_fwFilter2.name ]
       protocol = [ "tcp" ]
       tcp_flags = "!0x3"
-	 is_fragment = true
+	  is_fragment = true
     }
     then {
       action = "next term"
@@ -177,6 +193,16 @@ resource junos_firewall_filter "testacc_fwFilter" {
       service_accounting = true
     }
   }
+  term {
+    name = "testacc_fwFilter_term2"
+    from {
+	  icmp_code = ["network-unreachable"]
+	  icmp_type = ["router-advertisement"]
+    }
+    then {
+      action = "accept"
+    }
+  }
 }
 resource junos_policyoptions_prefix_list "testacc_fwFilter" {
   name = "testacc_fwFilter"
@@ -254,6 +280,16 @@ resource junos_firewall_filter "testacc_fwFilter" {
       action = "reject"
     }
   }
+  term {
+    name = "testacc_fwFilter_term5"
+    from {
+	  icmp_code_except = ["network-unreachable"]
+	  icmp_type_except = ["router-advertisement"]
+    }
+    then {
+      action = "reject"
+    }
+  }
 }
 resource junos_firewall_filter "testacc_fwFilter6" {
   name = "testacc_fwFilter6"

website/docs/r/firewall_filter.html.markdown

@@ -69,6 +69,8 @@ The following arguments are supported:
   * `tcp_flags` - (Optional)(`String`) Match TCP flags (in symbolic or hex formats).
   * `tcp_initial` - (Optional)(`Bool`) Match initial packet of a TCP connection.
   * `tcp_established` - (Optional)(`Bool`) Match packet of an established TCP connection.
+  * `icmp_code` - (Optional)(`ListOfString`) Match ICMP message code.
+  * `icmp_code_except` - (Optional)(`ListOfString`) Do not match ICMP message code.
   * `icmp_type` - (Optional)(`ListOfString`) Match ICMP message type.
   * `icmp_type_except` - (Optional)(`ListOfString`) Do not match ICMP message type.
   * `is_fragment` - (Optional)(`Bool`) Match if packet is a fragment.