ensure INPUT, OUTPUT and FORWARD firewallchain are not autorequired when table is...
authorGuillaume Virlet <github@virlet.org>
Mon, 9 Sep 2013 22:11:13 +0000 (00:11 +0200)
committerGuillaume Virlet <github@virlet.org>
Tue, 10 Sep 2013 19:22:50 +0000 (21:22 +0200)
lib/puppet/type/firewall.rb
spec/unit/puppet/type/firewall_spec.rb

index 561cbf3ba1dac7a06ce87733705ba66d79984a24..551f3cbdb99637a3192f82097499a8acbdbb215f 100644 (file)
@@ -667,8 +667,9 @@ Puppet::Type.newtype(:firewall) do
     end
 
     unless protocol.nil?
+      table = value(:table)
       [value(:chain), value(:jump)].each do |chain|
-        reqs << "#{chain}:#{value(:table)}:#{protocol}" unless chain.nil?
+        reqs << "#{chain}:#{table}:#{protocol}" unless ( chain.nil? || (['INPUT', 'OUTPUT', 'FORWARD'].include?(chain) && table == :filter) )
       end
     end
 
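Review bot: The added condition on the `reqs <<` line skips INPUT, OUTPUT and FORWARD in the filter table without a comment saying why, and the effect is not cosmetic: a rule in one of those chains is no longer ordered after a `firewallchain` resource of the same name in the catalog. If that resource manages the chain's default policy (not visible here), the relative order of policy and rules is then left to the manifest, which matters for a default-drop setup. I would add a comment above the line such as `# built-in filter chains are deliberately not autorequired; order rules against a managed chain policy explicitly`, and pull the literal into a named local, `builtin = %w[INPUT OUTPUT FORWARD]`, so the `unless` reads in one pass. The enclosing autorequire block starts and ends outside the hunk.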
index 5b8abdb9b6992a31f8b9cd5932faba5f35cd135c..1f9dc9614cc6075b01d73a039daa3305c6ad7eab 100755 (executable)
@@ -486,6 +486,67 @@ describe firewall do
         rel.source.ref.should == chain.ref
         rel.target.ref.should == @resource.ref
       end
+
+      # test where autorequire is still needed (table != filter)
+      ['INPUT', 'OUTPUT', 'FORWARD'].each do |test_chain|
+        it "should autorequire fwchain #{test_chain} when table is mangle and provider is undefined" do
+          @resource[param] = test_chain
+          @resource[:table] = :mangle
+          @resource[:provider].should == :iptables
+
+          chain = Puppet::Type.type(:firewallchain).new(:name => "#{test_chain}:mangle:IPv4")
+          catalog = Puppet::Resource::Catalog.new
+          catalog.add_resource @resource
+          catalog.add_resource chain
+          rel = @resource.autorequire[0]
+          rel.source.ref.should == chain.ref
+          rel.target.ref.should == @resource.ref
+        end
+
+        it "should autorequire fwchain #{test_chain} when table is mangle and provider is ip6tables" do
+          @resource[param] = test_chain
+          @resource[:table] = :mangle
+          @resource[:provider] = :ip6tables
+
+          chain = Puppet::Type.type(:firewallchain).new(:name => "#{test_chain}:mangle:IPv6")
+          catalog = Puppet::Resource::Catalog.new
+          catalog.add_resource @resource
+          catalog.add_resource chain
+          rel = @resource.autorequire[0]
+          rel.source.ref.should == chain.ref
+          rel.target.ref.should == @resource.ref
+        end
+      end
+
+      # test of case where autorequire should not happen
+      ['INPUT', 'OUTPUT', 'FORWARD'].each do |test_chain|
+
+        it "should not autorequire fwchain #{test_chain} when table and provider are undefined" do
+          @resource[param] = test_chain
+          @resource[:table].should == :filter
+          @resource[:provider].should == :iptables
+
+          chain = Puppet::Type.type(:firewallchain).new(:name => "#{test_chain}:filter:IPv4")
+          catalog = Puppet::Resource::Catalog.new
+          catalog.add_resource @resource
+          catalog.add_resource chain
+          rel = @resource.autorequire[0]
+          rel.should == nil
+        end
+
+        it "should not autorequire fwchain #{test_chain} when table is undefined and provider is ip6tables" do
+          @resource[param] = test_chain
+          @resource[:table].should == :filter
+          @resource[:provider] = :ip6tables
+
+          chain = Puppet::Type.type(:firewallchain).new(:name => "#{test_chain}:filter:IPv6")
+          catalog = Puppet::Resource::Catalog.new
+          catalog.add_resource @resource
+          catalog.add_resource chain
+          rel = @resource.autorequire[0]
+          rel.should == nil
+        end
+      end
     end
   end
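Review bot: The new examples never set both `chain` and `jump`, so nothing pins that a user-defined jump target is still autorequired when the rule's own chain is a built-in filter chain. The type change evaluates the skip per element, so this is the case most likely to regress unnoticed. An example along the lines below would cover it; it sets both parameters itself, so it belongs outside the `param` loop, whose start is not in the hunk, and 'CUSTOM' is a constructed chain name. The `['INPUT', 'OUTPUT', 'FORWARD']` literal is also repeated in both loops and could be one local.

```ruby
# … unchanged: existing autorequire examples …

it "should still autorequire a custom jump target when chain is INPUT in filter" do
  @resource[:chain] = 'INPUT'
  @resource[:jump] = 'CUSTOM'
  @resource[:table].should == :filter

  chain = Puppet::Type.type(:firewallchain).new(:name => "CUSTOM:filter:IPv4")
  catalog = Puppet::Resource::Catalog.new
  catalog.add_resource @resource
  catalog.add_resource chain
  # only the user-defined chain may appear; INPUT:filter must stay skipped
  @resource.autorequire.map { |rel| rel.source.ref }.should == [chain.ref]
end
```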