Support specifying priority on rich rules

lib/puppet/provider/firewalld_rich_rule/firewall_cmd.rb

@@ -23,6 +23,11 @@ def key_val_opt(opt, resource_param = opt)
     quote_keyval(opt, @resource[resource_param.to_s])
   end
 
+  def eval_priority
+    return [] unless (priority = @resource[:priority])
+    quote_keyval('priority', priority)
+  end
+
   def eval_source
     args = []
     return [] unless (addr = @resource[:source])
@@ -112,6 +117,7 @@ def build_rich_rule
     rule = ['rule']
     rule << [
       key_val_opt('family'),
+      eval_priority,
       eval_source,
       eval_dest,
       eval_element,

lib/puppet/type/firewalld_rich_rule.rb

@@ -36,6 +36,11 @@
     munge(&:to_s)
   end
 
+  newparam(:priority) do
+    desc 'Rule priority, it can be in the range of -32768 to 32767'
+    munge(&:to_s)
+  end
+
   newparam(:source) do
     desc 'Specify source address, this can be a string of the IP address or a hash containing other options'
     munge do |value|

spec/unit/puppet/provider/firewalld_rich_rule_spec.rb

@@ -26,6 +26,7 @@
   describe 'when creating' do
     context 'with basic parameters' do
       it 'builds the rich rule' do
+        resource.expects(:[]).with(:priority).returns(nil)
         resource.expects(:[]).with(:source).returns('192.168.1.2/32').at_least_once
         resource.expects(:[]).with(:service).returns('ssh').at_least_once
         resource.expects(:[]).with('family').returns('ipv4').at_least_once
@@ -45,6 +46,7 @@
     end
     context 'with reject type' do
       it 'builds the rich rule' do
+        resource.expects(:[]).with(:priority).returns(nil)
         resource.expects(:[]).with(:source).returns(nil).at_least_once
         resource.expects(:[]).with(:service).returns('ssh').at_least_once
         resource.expects(:[]).with('family').returns('ipv4').at_least_once
@@ -62,5 +64,25 @@
         expect(provider.build_rich_rule).to eq('rule family="ipv4" destination address="192.168.0.1/32" service name="ssh" reject type="icmp-admin-prohibited"')
       end
     end
+    context 'with priority' do
+      it 'builds the rich rule' do
+        resource.expects(:[]).with(:priority).returns(1200)
+        resource.expects(:[]).with(:source).returns(nil).at_least_once
+        resource.expects(:[]).with(:service).returns('ssh').at_least_once
+        resource.expects(:[]).with('family').returns('ipv4').at_least_once
+        resource.expects(:[]).with(:dest).returns('address' => '192.168.0.1/32')
+        resource.expects(:[]).with(:port).returns(nil)
+        resource.expects(:[]).with(:protocol).returns(nil)
+        resource.expects(:[]).with(:icmp_block).returns(nil)
+        resource.expects(:[]).with(:icmp_type).returns(nil)
+        resource.expects(:[]).with(:masquerade).returns(nil)
+        resource.expects(:[]).with(:forward_port).returns(nil)
+        resource.expects(:[]).with(:log).returns(nil)
+        resource.expects(:[]).with(:audit).returns(nil)
+        resource.expects(:[]).with(:raw_rule).returns(nil)
+        resource.expects(:[]).with(:action).returns(action: 'reject', type: 'icmp-admin-prohibited')
+        expect(provider.build_rich_rule).to eq('rule family="ipv4" priority="1200" destination address="192.168.0.1/32" service name="ssh" reject type="icmp-admin-prohibited"')
+      end
+    end
   end
 end