Treat RHEL 7 and later like Fedora w/r/t iptables
authorLars Kellogg-Stedman <lars@redhat.com>
Tue, 25 Mar 2014 19:50:10 +0000 (15:50 -0400)
committerLars Kellogg-Stedman <lars@redhat.com>
Tue, 25 Mar 2014 21:33:21 +0000 (17:33 -0400)
RHEL 7 replaces legacy init with systemd, and must be treated like
Fedora w/r/t iptables persistence.  This patch checks
operatingsystemrelease in addition to operatingsystem in order
to differentiate between RHEL 7 and earlier releases.

Both RHEL 7 and recent Fedora releases require the iptables-services
package to support the commands in lib/puppet/util/firewall.rb.

This also corrects the path to /usr/libexec/iptables/iptables.init.

lib/puppet/util/firewall.rb
manifests/linux/redhat.pp
spec/unit/puppet/util/firewall_spec.rb

index 610b6034d74e968fb91ef2072ffdc97ee7dfd6f0..aa26d3bc700f475308fdc241007e423d5376f1e0 100644 (file)
@@ -166,11 +166,16 @@ module Puppet::Util::Firewall
       end
     end
 
-    # Fedora 15 and newer use systemd for to persist iptable rules
+    # Fedora 15 and newer use systemd to persist iptable rules
     if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'Fedora' && Facter.value(:operatingsystemrelease).to_i >= 15
       os_key = 'Fedora'
     end
 
+    # RHEL 7 and newer also use systemd to persist iptable rules
+    if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'RedHat' && Facter.value(:operatingsystemrelease).to_i >= 7
+      os_key = 'Fedora'
+    end
+
     cmd = case os_key.to_sym
     when :RedHat
       case proto.to_sym
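Review bot: The new RHEL check matches only `Facter.value(:operatingsystem) == 'RedHat'`, so RHEL 7 rebuilds that sit under the RedHat osfamily but report another operatingsystem value (CentOS, for example) would presumably still fall through to `/sbin/service iptables save`; if that save fails, the rules are not restored after a reboot. An explicit allow-list such as `%w{RedHat CentOS}.include?(Facter.value(:operatingsystem))` in place of the equality test would cover them, though the exact set of derivatives needs confirming. Reusing `os_key = 'Fedora'` for RHEL is also easy to misread, and a comment like `# 'Fedora' here selects the iptables-services save path, not the distribution` would help. The enclosing method starts and ends outside this hunk.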
@@ -182,9 +187,9 @@ module Puppet::Util::Firewall
     when :Fedora
       case proto.to_sym
       when :IPv4
-        %w{/usr/libexec/iptables.init save}
+        %w{/usr/libexec/iptables/iptables.init save}
       when :IPv6
-        %w{/usr/libexec/ip6tables.init save}
+        %w{/usr/libexec/iptables/ip6tables.init save}
       end
     when :Debian
       case proto.to_sym
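Review bot: Nothing at the `:Fedora` branch records that `/usr/libexec/iptables/iptables.init` and `ip6tables.init` are only present when the iptables-services package is installed, which the commit message states; a comment above the inner `case`, `# helpers shipped by iptables-services; see manifests/linux/redhat.pp`, would make that dependency visible where the path is used. Because the new path now applies to every release mapped to `os_key` 'Fedora', from Fedora 15 onward, it is worth confirming that the older Fedora releases also ship the script at this location, otherwise the save fails there and rules are not persisted. The surrounding `case` statement starts and ends outside the hunk.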
index c3d0628ed0d0ecaa3f63328e78fdc39ec0c9eb00..b95a05f4e5d1f0e59c14d7c590af1b922f997994 100644 (file)
@@ -16,6 +16,22 @@ class firewall::linux::redhat (
   $ensure = running,
   $enable = true
 ) {
+
+  # RHEL 7 and later and Fedora 15 and later require the iptables-services 
+  # package, which provides the /usr/libexec/iptables/iptables.init used by 
+  # lib/puppet/util/firewall.rb.
+  if $::operatingsystem == "RedHat" && $::operatingsystemrelease >= 7 {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
+  if $::operatingsystem == "Fedora" && $::operatingsystemrelease >= 15 {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
   service { 'iptables':
     ensure    => $ensure,
     enable    => $enable,
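Review bot: The two new conditionals use `&&`, which the Puppet language does not define (its boolean operators are `and`, `or` and `!`), so this manifest is likely to fail to compile and the class would not be applied at all. The release checks also compare the `operatingsystemrelease` fact, a string that is often a dotted version, against an integer; `versioncmp()` is the safer comparison. Nothing orders the package before `service { 'iptables': }`, so on a first run the service can be managed before the package that the comment says it depends on is installed; `before => Service['iptables']` closes that gap. The two mutually exclusive blocks can be folded into one, as below. The class body continues outside the hunk.

```puppet
  if ($::operatingsystem == 'RedHat' and versioncmp($::operatingsystemrelease, '7') >= 0)
  or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
    package { 'iptables-services':
      ensure => present,
      before => Service['iptables'],
    }
  }
  # … unchanged: service { 'iptables': … } …
```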
index 2fbfabd070a037385ef37e34f9b7d52da5afa3e9..8c33c34f0187bc67d8fbacbc11dc9c84128cdad0 100644 (file)
@@ -116,20 +116,30 @@ describe 'Puppet::Util::Firewall' do
     describe 'when proto is IPv4' do
       let(:proto) { 'IPv4' }
 
-      it 'should exec for RedHat identified from osfamily' do
+      it 'should exec /sbin/service if running RHEL 6 or earlier' do
         allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
         allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('6')
 
         expect(subject).to receive(:execute).with(%w{/sbin/service iptables save})
         subject.persist_iptables(proto)
       end
 
+      it 'should exec for systemd if running RHEL 7 or greater' do
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('7')
+
+        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
+        subject.persist_iptables(proto)
+      end
+
       it 'should exec for systemd if running Fedora 15 or greater' do
         allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
         allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Fedora')
         allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('15')
 
-        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables.init save})
+        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
         subject.persist_iptables(proto)
       end