A patch for Debian 6 for enable => true has a bug

Signed-off-by: Ken Barber <ken@bob.sh>

diff --git a/manifests/linux/debian.pp b/manifests/linux/debian.pp
index 49769e662b3c8040e0249de55a6f39c5a1669721..1470893104229e5f79b206a3dc2d556f7f8b96a6 100644 (file)
--- a/manifests/linux/debian.pp
+++ b/manifests/linux/debian.pp
@@ -6,11 +6,22 @@ class firewall::linux::debian (
     ensure => present,
   }
 
-  # This isn't a real service/daemon. The start action loads rules, so just
-  # needs to be called on system boot.
-  service { 'iptables-persistent':
-    ensure  => undef,
-    enable  => $enable,
-    require => Package['iptables-persistent'],
+  if($operatingsystemrelease =~ /^6\./ and $enable == true) {
+    # This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
+    # we lose idempotency
+    exec { 'iptables-persistent-enable':
+      logoutput => on_failure,
+      command => '/usr/sbin/update-rc.d iptables-persistent enable',
+      unless => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
+      require => Package['iptables-persistent'],
+    }
+  } else {
+    # This isn't a real service/daemon. The start action loads rules, so just
+    # needs to be called on system boot.
+    service { 'iptables-persistent':
+      ensure  => undef,
+      enable  => $enable,
+      require => Package['iptables-persistent'],
+    }
   }
 }