This was motivated by a need to make this work on Debian Jessie.
`ensure` can either be `running` or `stopped`. Default to `running`.
+####`package`
+
+Specify the platform-specific package(s) to install. Defaults defined in `firewall::params`.
+
+####`service`
+
+Specify the platform-specific service(s) to start or stop. Defaults defined in `firewall::params`.
+
###Type: firewall
This type enables you to manage firewall rules within Puppet.
# Default: running
#
class firewall (
- $ensure = running
-) {
+ $ensure = running,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
case $ensure {
/^(running|stopped)$/: {
# Do nothing.
case $::kernel {
'Linux': {
class { "${title}::linux":
- ensure => $ensure,
+ ensure => $ensure,
+ service_name => $service_name,
+ package_name => $package_name,
}
}
default: {
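Review bot: The new `$service_name` and `$package_name` parameters are not described in the class header comment, which still ends with only the `$ensure` entry (`# Default: running` at the top of the hunk); the same gap exists in firewall::linux, firewall::linux::archlinux, firewall::linux::debian and firewall::linux::redhat. In the module's existing header style, add an entry such as `# [*service_name*]`, `#   Platform-specific service(s) to manage. Default: $::firewall::params::service_name`, and an equivalent `# [*package_name*]` entry above each class. The header comment block itself starts outside the hunk.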
# Default: running
#
class firewall::linux (
- $ensure = running
-) {
+ $ensure = running,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
$enable = $ensure ? {
running => true,
stopped => false,
'RedHat', 'CentOS', 'Fedora', 'Scientific', 'SL', 'SLC', 'Ascendos',
'CloudLinux', 'PSBM', 'OracleLinux', 'OVS', 'OEL', 'Amazon', 'XenServer': {
class { "${title}::redhat":
- ensure => $ensure,
- enable => $enable,
- require => Package['iptables'],
+ ensure => $ensure,
+ enable => $enable,
+ package_name => $package_name,
+ service_name => $service_name,
+ require => Package['iptables'],
}
}
'Debian', 'Ubuntu': {
class { "${title}::debian":
- ensure => $ensure,
- enable => $enable,
- require => Package['iptables'],
+ ensure => $ensure,
+ enable => $enable,
+ package_name => $package_name,
+ service_name => $service_name,
+ require => Package['iptables'],
}
}
'Archlinux': {
class { "${title}::archlinux":
- ensure => $ensure,
- enable => $enable,
- require => Package['iptables'],
+ ensure => $ensure,
+ enable => $enable,
+ package_name => $package_name,
+ service_name => $service_name,
+ require => Package['iptables'],
}
}
default: {}
# Default: true
#
class firewall::linux::archlinux (
- $ensure = 'running',
- $enable = true
-) {
- service { 'iptables':
- ensure => $ensure,
- enable => $enable,
- hasstatus => true,
+ $ensure = 'running',
+ $enable = true,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
+ if $package_name {
+ package { $package_name:
+ ensure => $ensure,
+ }
}
- service { 'ip6tables':
+ service { $service_name:
ensure => $ensure,
enable => $enable,
hasstatus => true,
file { '/etc/iptables/iptables.rules':
ensure => present,
- before => Service['iptables'],
+ before => Service[$service_name],
}
file { '/etc/iptables/ip6tables.rules':
ensure => present,
- before => Service['ip6tables'],
+ before => Service[$service_name],
}
}
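Review bot: `package { $package_name: ensure => $ensure }` hands the service state to the package resource: `$ensure` in this class is `'running'`/`'stopped'` (its default is `'running'`), which a package resource would treat as a version string rather than an install state. The debian and redhat classes in this commit use `ensure => present` for the same declaration, so this should read `ensure => present,`. With the params default of `undef` for Archlinux the branch is never reached, so the mistake only surfaces when a caller passes `package_name`. Note also that `$service_name` is an array here, so `Service[$service_name]` on both rules files now orders each file before both services rather than only its own; probably fine, but a behaviour change worth a one-line comment.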
# Default: true
#
class firewall::linux::debian (
- $ensure = running,
- $enable = true
-) {
- package { 'iptables-persistent':
- ensure => present,
+ $ensure = running,
+ $enable = true,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
+
+ if $package_name {
+ package { $package_name:
+ ensure => present,
+ }
}
if($::operatingsystemrelease =~ /^6\./ and $enable == true
- and versioncmp($::iptables_persistent_version, '0.5.0') < 0 ) {
+ and versioncmp($::iptables_persistent_version, '0.5.0') < 0 and ! $service_name) {
# This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
# we lose idempotency
exec { 'iptables-persistent-enable':
logoutput => on_failure,
command => '/usr/sbin/update-rc.d iptables-persistent enable',
unless => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
- require => Package['iptables-persistent'],
+ require => Package[$package_name],
}
} else {
# This isn't a real service/daemon. The start action loads rules, so just
# needs to be called on system boot.
- service { 'iptables-persistent':
+ service { $service_name:
ensure => undef,
enable => $enable,
hasstatus => true,
- require => Package['iptables-persistent'],
+ require => Package[$package_name],
}
}
}
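Review bot: The `else` branch declares `service { $service_name: ... }` unconditionally, but the params class resolves `$service_name` to `undef` for Debian 6 with iptables-persistent older than 0.5.0, and the new `! $service_name` clause only diverts that case into the `exec` when `$enable == true` also holds. On such a host with `enable => false` the catalog would declare a service with an undef title, which I would expect to fail compilation where it previously declared Service['iptables-persistent']. Guarding the branch, `} elsif $service_name {`, or dropping the `$enable` dependence for the undef-service case would close this. The two `require => Package[$package_name]` references are likewise outside the `if $package_name` guard, so an explicit `package_name => undef` override produces a dangling reference.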
# Default: true
#
class firewall::linux::redhat (
- $ensure = running,
- $enable = true
-) {
+ $ensure = running,
+ $enable = true,
+ $service_name = $::firewall::params::service_name,
+ $package_name = $::firewall::params::package_name,
+) inherits ::firewall::params {
# RHEL 7 and later and Fedora 15 and later require the iptables-services
# package, which provides the /usr/libexec/iptables/iptables.init used by
# lib/puppet/util/firewall.rb.
- if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
- or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
- service { "firewalld":
+ if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
+ or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
+ service { 'firewalld':
ensure => stopped,
enable => false,
- before => Package['iptables-services']
+ before => Package[$package_name],
}
+ }
- package { 'iptables-services':
- ensure => present,
- before => Service['iptables'],
+ if $package_name {
+ package { $package_name:
+ ensure => present,
+ before => Service[$service_name],
}
}
- service { 'iptables':
+ service { $service_name:
ensure => $ensure,
enable => $enable,
hasstatus => true,
}
file { '/etc/sysconfig/iptables':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0600',
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
}
}
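Review bot: `before => Package[$package_name]` on the `firewalld` service sits outside the `if $package_name` guard that protects the package declaration below it, so on a RHEL 7 / Fedora 15+ host where a caller overrides `package_name => undef` the catalog references a package that is never declared. Either extend the guard around the whole firewalld block or omit the `before` when `$package_name` is unset. The version test that selects this branch duplicates the one params.pp uses to decide `$package_name`; keying the firewalld handling off `$package_name` instead would keep the two from drifting.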
--- /dev/null
+class firewall::params {
+ case $::osfamily {
+ 'RedHat': {
+ case $::operatingsystem {
+ 'Archlinux': {
+ $service_name = ['iptables','ip6tables']
+ $package_name = undef
+ }
+ 'Fedora': {
+ if versioncmp($::operatingsystemrelease, '15') >= 0 {
+ $package_name = 'iptables-services'
+ } else {
+ $package_name = undef
+ }
+ $service_name = 'iptables'
+ }
+ default: {
+ if versioncmp($::operatingsystemrelease, '7.0') >= 0 {
+ $package_name = 'iptables-services'
+ } else {
+ $package_name = undef
+ }
+ $service_name = 'iptables'
+ }
+ }
+ }
+ 'Debian': {
+ if $::operatingsystemrelease =~ /^6\./ and versioncmp($::iptables_persistent_version, '0.5.0') < 0 {
+ $service_name = undef
+ $package_name = 'iptables-persistent'
+ } elsif $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8.0') >= 0 {
+ $service_name = 'netfilter-persistent'
+ $package_name = 'netfilter-persistent'
+ } else {
+ $service_name = 'iptables-persistent'
+ $package_name = 'iptables-persistent'
+ }
+ }
+ default: {
+ $package_name = undef
+ $service_name = 'iptables'
+ }
+ }
+}
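Review bot: The `'Archlinux'` arm is nested under `case $::osfamily { 'RedHat': ...`, but as far as I know Facter reports `osfamily` as `Archlinux` for Arch Linux rather than `RedHat`, so a real Arch host would fall through to `default:` and get `$service_name = 'iptables'` with no ip6tables service. The archlinux spec in this commit sets `:osfamily => 'RedHat'` for that operatingsystem, which is why the tests do not catch it. Adding an `'Archlinux':` arm at the osfamily level with `$service_name = ['iptables','ip6tables']` and `$package_name = undef`, and fixing the spec facts to match, would line this up with the fact values.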
require 'spec_helper'
describe 'firewall::linux::archlinux', :type => :class do
+ let(:facts) do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'Archlinux'
+ }
+ end
it { should contain_service('iptables').with(
:ensure => 'running',
:enable => 'true'
require 'spec_helper'
describe 'firewall::linux::debian', :type => :class do
- it { should contain_package('iptables-persistent').with(
- :ensure => 'present'
- )}
- it { should contain_service('iptables-persistent').with(
- :ensure => nil,
- :enable => 'true',
- :require => 'Package[iptables-persistent]'
- )}
+ context "Debian 7" do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '7.0'
+ }}
+ it { should contain_package('iptables-persistent').with(
+ :ensure => 'present'
+ )}
+ it { should contain_service('iptables-persistent').with(
+ :ensure => nil,
+ :enable => 'true',
+ :require => 'Package[iptables-persistent]'
+ )}
+ end
- context 'enable => false' do
+ context 'deb7 enable => false' do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '7.0'
+ }}
let(:params) {{ :enable => 'false' }}
it { should contain_service('iptables-persistent').with(
:enable => 'false'
)}
end
+
+ context "Debian 8" do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => 'jessie/sid'
+ }}
+ it { should contain_package('netfilter-persistent').with(
+ :ensure => 'present'
+ )}
+ it { should contain_service('netfilter-persistent').with(
+ :ensure => nil,
+ :enable => 'true',
+ :require => 'Package[netfilter-persistent]'
+ )}
+ end
+
+ context 'deb8 enable => false' do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => 'jessie/sid'
+ }}
+ let(:params) {{ :enable => 'false' }}
+ it { should contain_service('netfilter-persistent').with(
+ :enable => 'false'
+ )}
+ end
+
+ context "Debian 8, alt operatingsystem" do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '8.0'
+ }}
+ it { should contain_package('netfilter-persistent').with(
+ :ensure => 'present'
+ )}
+ it { should contain_service('netfilter-persistent').with(
+ :ensure => nil,
+ :enable => 'true',
+ :require => 'Package[netfilter-persistent]'
+ )}
+ end
+
+ context 'deb8, alt operatingsystem, enable => false' do
+ let(:facts) {{
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '8.0'
+ }}
+ let(:params) {{ :enable => 'false' }}
+ it { should contain_service('netfilter-persistent').with(
+ :enable => 'false'
+ )}
+ end
end
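Review bot: None of the new contexts exercise the Debian 6 path: every `:operatingsystemrelease` is `'7.0'`, `'8.0'` or `'jessie/sid'`, so the `$service_name = undef` branch that params.pp now selects for 6.x with an old iptables-persistent, and the `exec { 'iptables-persistent-enable' ... }` it feeds, are untested, including their `enable => false` behaviour. A `context "Debian 6"` with `:operatingsystemrelease => '6.0'` and `:iptables_persistent_version => '0.4.0'` asserting `should contain_exec('iptables-persistent-enable')` would cover it. The `:enable => 'false'` string is passed to a manifest that compares `$enable == true`; that is pre-existing, but a short comment in the spec on why a string is used would save the next reader a detour.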
oldreleases.each do |osrel|
context "os #{os} and osrel #{osrel}" do
let(:facts) {{
+ :osfamily => 'RedHat',
:operatingsystem => os,
:operatingsystemrelease => osrel
}}
newreleases.each do |osrel|
context "os #{os} and osrel #{osrel}" do
let(:facts) {{
+ :osfamily => 'RedHat',
:operatingsystem => os,
:operatingsystemrelease => osrel
}}