In certain situations it is possible for an unmanaged rule to exist on
the target system that has the same comment as the rule specified in
the manifest.
When this condition is true puppet will ignore the the unmanaged rule
and continue to apply the rule in the manifest. This is because the
firewall module uses the comment field in IPT as it's namevar and
therefore expects it to be a unique identifier. In the case of IPT this
is not true given that you can have multiple rules with the same
comment.
This commit adds a check that will identify system rules that have their
comment field set to the same value as a rule in the manifest. If we
enter a situation where any of the duplicate counts are greater than 1
then we will respond with a configurable action. The behaviour of this
can be configured via the onduplicaterulebehaviour parameter.
Code Review / puppet-modules / puppetlabs-firewall.git / commit