From: Lars Kellogg-Stedman
Date: Tue, 25 Mar 2014 19:50:10 +0000 (-0400)
Subject: Treat RHEL 7 and later like Fedora w/r/t iptables
X-Git-Tag: 1.1.0~7^2~2
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=45ea1b080a0b7790e950e7d7d84587a69a192fb3;p=puppet-modules%2Fpuppetlabs-firewall.git

Treat RHEL 7 and later like Fedora w/r/t iptables

RHEL 7 replaces legacy init with systemd, and must be treated like Fedora w/r/t iptables persistence. This patches checks operatingsystemrelease in addition to operatingsystem in order to differentiate between RHEL 7 and earlier releases.

Both RHEL 7 and recent Fedora releases require the iptables-services package to support the commands in lib/puppet/util/firewall.rb.

This also corrects the path to /usr/libexec/iptables/iptables.init.
---
diff --git a/lib/puppet/util/firewall.rb b/lib/puppet/util/firewall.rb
index 610b603..aa26d3b 100644
--- a/lib/puppet/util/firewall.rb
+++ b/lib/puppet/util/firewall.rb
@@ -166,11 +166,16 @@ module Puppet::Util::Firewall
       end
     end
 
-    # Fedora 15 and newer use systemd for to persist iptable rules
+    # Fedora 15 and newer use systemd to persist iptable rules
     if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'Fedora' && Facter.value(:operatingsystemrelease).to_i >= 15
       os_key = 'Fedora'
     end
 
+    # RHEL 7 and newer also use systemd to persist iptable rules
+    if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'RedHat' && Facter.value(:operatingsystemrelease).to_i >= 7
+      os_key = 'Fedora'
+    end
+
     cmd = case os_key.to_sym
     when :RedHat
       case proto.to_sym
@@ -182,9 +187,9 @@ module Puppet::Util::Firewall
     when :Fedora
       case proto.to_sym
       when :IPv4
-        %w{/usr/libexec/iptables.init save}
+        %w{/usr/libexec/iptables/iptables.init save}
       when :IPv6
-        %w{/usr/libexec/ip6tables.init save}
+        %w{/usr/libexec/iptables/ip6tables.init save}
       end
     when :Debian
       case proto.to_sym
diff --git a/manifests/linux/redhat.pp b/manifests/linux/redhat.pp
index c3d0628..b95a05f 100644
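Review bot: The new condition keys on `Facter.value(:operatingsystem) == 'RedHat'`, so RHEL 7 rebuilds whose operatingsystem fact is CentOS, Scientific or OracleLinux (osfamily still RedHat) are not matched and stay on the `/sbin/service iptables save` branch, even though they presumably need the same systemd-era path; if that is deliberate, the new comment should say so, otherwise the check should accept those names too. The `to_i` on the release fact is what makes a real value such as '7.0' pass the `>= 7` test, and a short comment on that line (`# release is e.g. '7.0'; to_i keeps the major version`) would stop a later reader from "fixing" it to a string comparison. The enclosing persist_iptables method starts and ends outside this hunk.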
--- a/manifests/linux/redhat.pp
+++ b/manifests/linux/redhat.pp
@@ -16,6 +16,22 @@ class firewall::linux::redhat (
   $ensure = running,
   $enable = true
 ) {
+
+  # RHEL 7 and later and Fedora 15 and later require the iptables-services
+  # package, which provides the /usr/libexec/iptables/iptables.init used by
+  # lib/puppet/util/firewall.rb.
+  if $::operatingsystem == "RedHat" && $::operatingsystemrelease >= 7 {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
+  if $::operatingsystem == "Fedora" && $::operatingsystemrelease >= 15 {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
   service { 'iptables':
     ensure => $ensure,
     enable => $enable,
diff --git a/spec/unit/puppet/util/firewall_spec.rb b/spec/unit/puppet/util/firewall_spec.rb
index 2fbfabd..8c33c34 100644
--- a/spec/unit/puppet/util/firewall_spec.rb
+++ b/spec/unit/puppet/util/firewall_spec.rb
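Review bot: Neither new `package { 'iptables-services': ... }` resource is related to the `service { 'iptables': ... }` declared just below it, and Puppet does not autorequire a package from a service, so on a fresh RHEL 7 or Fedora host the service can be applied before the package that provides its unit and init helper is installed; add `before => Service['iptables'],` to each package resource (or a matching `require` on the service). The `$::operatingsystemrelease >= 7` comparison also relies on the parser coercing the string fact to a number, which the legacy parser does but the future/Puppet 4 parser is known to reject as a String-to-Integer comparison; `versioncmp($::operatingsystemrelease, '7') >= 0` works on both. The two conditionals differ only in the threshold and could be collapsed into one, but that is cosmetic.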
@@ -116,20 +116,30 @@ describe 'Puppet::Util::Firewall' do
     describe 'when proto is IPv4' do
       let(:proto) { 'IPv4' }
 
-      it 'should exec for RedHat identified from osfamily' do
+      it 'should exec /sbin/service if running RHEL 6 or earlier' do
         allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
         allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('6')
 
         expect(subject).to receive(:execute).with(%w{/sbin/service iptables save})
         subject.persist_iptables(proto)
       end
 
+      it 'should exec for systemd if running RHEL 7 or greater' do
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('7')
+
+        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
+        subject.persist_iptables(proto)
+      end
+
       it 'should exec for systemd if running Fedora 15 or greater' do
         allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
         allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Fedora')
         allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('15')
 
-        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables.init save})
+        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
         subject.persist_iptables(proto)
       end
 
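Review bot: The new RHEL 7 example stubs operatingsystemrelease as the bare string '7', while the real fact on RHEL 7 is a dotted value such as '7.0', so the `to_i` truncation the implementation depends on is never exercised by these specs; returning '7.0' here, and likewise '6.5' in the RHEL 6 example, would pin that behaviour. There is also no example for a RedHat-family derivative (operatingsystem 'CentOS', release '7.0'), so the spec leaves undocumented whether such hosts are meant to take the `/sbin/service` path or the `iptables.init` path. The enclosing `describe` block continues past the end of this hunk.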