Fix Undercloud masquerading firewall rules

Iterate over destination for each source to have the
correct return rules created. (Passing a list as
destination to tripleo::firewall::rule does not work.)

Also the "forward destinations" rules should use the
source addresses in the data for both source and
destination rules.

Change-Id: I3d572bf4aab65f5befb596f7c90c94fc0abe7afa
Closes-Bug: #1797455

manifests/masquerade_networks.pp

@@ -26,16 +26,20 @@ class tripleo::masquerade_networks (
 ){
   if $masquerade_networks {
     $masquerade_networks.each |$source, $destinations| {
+      $destinations.each |$destination| {
+        create_resources('tripleo::firewall::rule', {
+          "137 routed_network return src ${source} dest ${destination}" => {
+            'table'       => 'nat',
+            'source'      => $source,
+            'destination' => $destination,
+            'jump'        => 'RETURN',
+            'chain'       => 'POSTROUTING',
+            'proto'       => 'all',
+            'state'       => ['ESTABLISHED', 'NEW', 'RELATED'],
+          },
+        })
+      }
       create_resources('tripleo::firewall::rule', {
-        "137 routed_network return ${source}" => {
-          'table'       => 'nat',
-          'source'      => $source,
-          'destination' => $destinations,
-          'jump'        => 'RETURN',
-          'chain'       => 'POSTROUTING',
-          'proto'       => 'all',
-          'state'       => ['ESTABLISHED', 'NEW', 'RELATED'],
-        },
         "138 routed_network masquerade ${source}" => {
           'table'       => 'nat',
           'source'      => $source,
@@ -51,7 +55,7 @@ class tripleo::masquerade_networks (
           'state'       => ['ESTABLISHED', 'NEW', 'RELATED'],
         },
         "140 routed_network forward destinations ${source}" => {
-          'destination' => $destinations,
+          'destination' => $source,
           'chain'       => 'FORWARD',
           'proto'       => 'all',
           'state'       => ['ESTABLISHED', 'NEW', 'RELATED'],

releasenotes/notes/fix-masquerade-networks-c9ab4affb17627e1.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Masquerading and forwarding rules are now correctly created when using
+    routed networks.
+    (See `bug: 1797455 <https://bugs.launchpad.net/tripleo/+bug/1797455>`_.)

spec/classes/tripleo_masquerade_networks_spec.rb

@@ -34,10 +34,19 @@ describe 'tripleo::masquerade_networks' do
       end
 
       it 'configure RETURN rule' do
-        is_expected.to contain_firewall('137 routed_network return 192.168.24.0/24 ipv4').with(
+        is_expected.to contain_firewall('137 routed_network return src 192.168.24.0/24 dest 192.168.24.0/24 ipv4').with(
           :table       => 'nat',
           :source      => '192.168.24.0/24',
-          :destination => ['192.168.24.0/24', '192.168.25.0/24'],
+          :destination => '192.168.24.0/24',
+          :jump        => 'RETURN',
+          :chain       => 'POSTROUTING',
+          :proto       => 'all',
+          :state       => ['ESTABLISHED', 'NEW', 'RELATED'],
+        )
+        is_expected.to contain_firewall('137 routed_network return src 192.168.24.0/24 dest 192.168.25.0/24 ipv4').with(
+          :table       => 'nat',
+          :source      => '192.168.24.0/24',
+          :destination => '192.168.25.0/24',
           :jump        => 'RETURN',
           :chain       => 'POSTROUTING',
           :proto       => 'all',
@@ -64,7 +73,7 @@ describe 'tripleo::masquerade_networks' do
           :state       => ['ESTABLISHED', 'NEW', 'RELATED'],
         )
         is_expected.to contain_firewall('140 routed_network forward destinations 192.168.24.0/24 ipv4').with(
-          :destination => ['192.168.24.0/24', '192.168.25.0/24'],
+          :destination => '192.168.24.0/24',
           :chain       => 'FORWARD',
           :proto       => 'all',
           :state       => ['ESTABLISHED', 'NEW', 'RELATED'],