Autorequire Firewallchain resources for Firewall resources that have jump or
chain parameters. Remove require params from README examples now that
they're not essential.
Only deals with iptables and ip6tables providers, which have support for
chains. Doesn't attempt to weed out chains that might be builtin. Just let
Puppet determine which of the resources are really managed.
firewall { '100 forward to MY_CHAIN':
chain => 'INPUT',
jump => 'MY_CHAIN',
- require => Firewallchain["MY_CHAIN:filter:IPv4"],
}
# The namevar here is in the format chain_name:table:protocol
firewallchain { 'MY_CHAIN:filter:IPv4':
action => 'accept',
proto => 'tcp',
dport => 5000,
- require => Firewallchain["MY_CHAIN:filter:IPv4"],
}
You can make firewall rules persistent with the following iptables example:
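Review bot: Missing documentation in the README examples: both `require => Firewallchain["MY_CHAIN:filter:IPv4"]` lines are dropped, but nothing in the surrounding text tells the reader that the ordering is now implicit. The commit message says the autorequire covers only the iptables and ip6tables providers, and only chains that Puppet actually manages, so a reader on another provider, or one who creates the chain outside the catalog, will copy these examples and get no ordering at all. Suggest adding a sentence next to the `chain_name:table:protocol` comment stating that firewall resources autorequire the matching Firewallchain for their `chain` and `jump` values, and that an explicit `require` is still needed outside those two providers.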
EOS
end
+ autorequire(:firewallchain) do
+ case value(:provider)
+ when :iptables
+ protocol = "IPv4"
+ when :ip6tables
+ protocol = "IPv6"
+ else
+ return
+ end
+
+ reqs = []
+ [value(:chain), value(:jump)].each do |chain|
+ reqs << "#{chain}:#{value(:table)}:#{protocol}" unless chain.nil?
+ end
+
+ reqs
+ end
+
validate do
debug("[validate]")
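Review bot: The bare `return` in the `else` branch of the `case value(:provider)` sits inside the block passed to `autorequire`, not inside a method body. In Ruby a `return` in a non-lambda block tries to return from the enclosing method, and raises LocalJumpError when that method is no longer active, so for any provider other than `:iptables` or `:ip6tables` this branch can raise instead of yielding no requirements, depending on how the block is invoked. Suggest using `next []` there, or initialising `protocol = nil` and `reqs = []` first and only filling `reqs` when `protocol` is set, so the block always ends on `reqs`. Separately, `value(:table)` is interpolated without a nil check while `chain` gets one; if `table` can be unset at this point the generated name becomes `CHAIN::IPv4` and silently matches nothing, so it is worth confirming that the type's default for `table` is applied before the autorequire runs.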