]> review.fuel-infra Code Review - puppet-modules/puppetlabs-firewall.git/commitdiff
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: d9ab1c0)
(MODULES-2159) ignore the --connlimit-saddr switch when parsing rules
authorPaul Seward <ispms@bris.ac.uk>
Mon, 1 Feb 2016 12:05:39 +0000 (12:05 +0000)
committerPaul Seward <ispms@bris.ac.uk>
Mon, 1 Feb 2016 12:39:54 +0000 (12:39 +0000)
Workaround for https://tickets.puppetlabs.com/browse/MODULES-2159 (as described by Greg Murphy in that ticket)

On some distributions (notably on Ubuntu 14.04 and above, and Centos7 and above) the --connlimit-saddr switch is added after the rule is applied causing rule_to_hash to ignore the rule.  Puppet then attempts (and failes) to re-create the rule every time it runs.

lib/puppet/provider/firewall/iptables.rb patch | blob | history

diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb
index 1b7beb3de00978941a254d8b5157dd156cba121e..1d7aec510ef9629929d4440f75ceed963e94f5a9 100644 (file)
--- a/lib/puppet/provider/firewall/iptables.rb
+++ b/lib/puppet/provider/firewall/iptables.rb
@@ -364,6 +364,8 @@ Puppet::Type.type(:firewall).provide :iptables, :parent => Puppet::Provider::Fir
         (\s--next)?/x,
         '--pol "ipsec\1\2\3\4\5\6\7\8" '
     )
+    # on some iptables versions, --connlimit-saddr switch is added after the rule is applied
+    values = values.gsub(/--connlimit-saddr/, '')
 
     resource_map = munge_resource_map_from_existing_values(@resource_map, values)