* `bpf`: The ability to use Berkeley Paket Filter rules.
+* `ipvs`: The ability to match IP Virtual Server packets.
+
#### Parameters
* `action`: This is the action to perform on a match. Valid values for this action are:
* `ipset`: Matches IP sets. Value must be 'ipset_name (src|dst|src,dst)' and can be negated by putting ! in front. Requires ipset kernel module. Will accept a single element or an array.
+* `ipvs`: Matches packets belonging to an IP Virtual server connection.
+
* `isfirstfrag`: If true, matches when the packet is the first fragment of a fragmented ipv6 packet. Cannot be negated. Supported by ipv6 only. Valid values are 'true', 'false'. Requires the `isfirstfrag` feature.
* `isfragment`: If 'true', matches when the packet is a tcp fragment of a fragmented packet. Supported by iptables only. Valid values are 'true', 'false'. Requires features `isfragment`.
:month_days, :week_days, :date_start, :date_stop, :time_contiguous, :kernel_timezone,
:src_cc, :dst_cc, :hashlimit_upto, :hashlimit_above, :hashlimit_name, :hashlimit_burst,
:hashlimit_mode, :hashlimit_srcmask, :hashlimit_dstmask, :hashlimit_htable_size,
- :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :name
+ :hashlimit_htable_max, :hashlimit_htable_expire, :hashlimit_htable_gcinterval, :bytecode, :ipvs, :name
]
def insert
desc <<-PUPPETCODE
Indicates that the current packet belongs to an IPVS connection.
PUPPETCODE
+ newvalues(:true, :false)
end
autorequire(:firewallchain) do
}
firewall { '1002 - set ipvs':
proto => 'tcp',
- dport => '4321',
- chain => 'OUTPUT',
+ action => accept,
+ chain => 'INPUT',
+ ipvs => true,
}
PUPPETCODE
apply_manifest(pp, catch_failures: true)
it 'jump is set' do
expect(result.stdout).to match(%r{-A INPUT -p tcp -m comment --comment "567 - jump" -j TEST})
end
+ it 'ipvs is set' do
+ expect(result.stdout).to match(%r{-A INPUT -p tcp -m ipvs --ipvs -m comment --comment "1002 - set ipvs" -j ACCEPT})
+ end
end
end
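Review bot: The new 'ipvs is set' example asserts that iptables accepted `-m ipvs --ipvs`, which presumably only succeeds when the IPVS match module is loadable on the acceptance host; the manifest applying it (`firewall { '1002 - set ipvs': ... ipvs => true }`) is run with `catch_failures: true`, so on a host without that module the apply itself would fail before this example runs, which makes the failure harder to attribute. If the acceptance hosts are not all guaranteed to provide the module, consider gating the example with a skip, e.g. `skip 'ipvs match not available' unless ipvs_supported` (with `ipvs_supported` to be defined from a probe of the host), or documenting the host requirement in the describe block. The enclosing describe block starts outside this hunk.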