From: Dan Carley Date: Sat, 17 Mar 2012 11:00:56 +0000 (+0000) Subject: (#13201) Firewall autorequire Firewallchains X-Git-Tag: 0.1.0~38^2~1 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=7978397c542b3a7028cfca2dd72086a4ce176682;p=puppet-modules%2Fpuppetlabs-firewall.git (#13201) Firewall autorequire Firewallchains Autorequire Firewallchain resources for Firewall resources that have jump or chain parameters. Remove require params from README examples now that they're not essential. Only deals with iptables and ip6tables providers, which have support for chains. Doesn't attempt to weed out chains that might be builtin. Just let Puppet determine which of the resources are really managed. --- diff --git a/README.markdown b/README.markdown index bbef110..3244ffb 100644 --- a/README.markdown +++ b/README.markdown @@ -105,7 +105,6 @@ Creating a new rule that forwards to a chain, then adding a rule to this chain: firewall { '100 forward to MY_CHAIN': chain => 'INPUT', jump => 'MY_CHAIN', - require => Firewallchain["MY_CHAIN:filter:IPv4"], } # The namevar here is in the format chain_name:table:protocol firewallchain { 'MY_CHAIN:filter:IPv4': @@ -116,7 +115,6 @@ Creating a new rule that forwards to a chain, then adding a rule to this chain: action => 'accept', proto => 'tcp', dport => 5000, - require => Firewallchain["MY_CHAIN:filter:IPv4"], } You can make firewall rules persistent with the following iptables example: diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb index 4843895..df26ad9 100644 --- a/lib/puppet/type/firewall.rb +++ b/lib/puppet/type/firewall.rb 
@@ -462,6 +462,24 @@ Puppet::Type.newtype(:firewall) do EOS end + autorequire(:firewallchain) do + case value(:provider) + when :iptables + protocol = "IPv4" + when :ip6tables + protocol = "IPv6" + else + return + end + + reqs = [] + [value(:chain), value(:jump)].each do |chain| + reqs << "#{chain}:#{value(:table)}:#{protocol}" unless chain.nil? + end + + reqs + end + validate do debug("[validate]")
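Review bot: In both README.markdown hunks the `require => Firewallchain["MY_CHAIN:filter:IPv4"],` line is removed with nothing put in its place, so the example no longer tells the reader how the rule and its chain are ordered. Add a sentence next to the example stating that firewall resources autorequire the firewallchain named by their `chain` and `jump` parameters, and that this applies to the iptables and ip6tables providers only. Without it, a reader comparing this README to an older manifest cannot tell whether the missing `require` is intentional.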
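Review bot: The bare `return` in the `else` branch of `case value(:provider)` sits inside the block passed to `autorequire(:firewallchain)`, and in Ruby a `return` inside a block tries to return from the method that enclosed the block's definition rather than just ending the block, which can raise LocalJumpError when the block is evaluated later. Initialise `reqs = []` before the `case`, drop the `else` branch so `protocol` stays nil for other providers, and build the names only when `protocol` is set, so every path falls through to the final `reqs`. A smaller point in the same hunk: `[value(:chain), value(:jump)].each` emits a name for every non-nil value, including builtin chains and jump targets that are not chains at all. The commit message accepts that, but a one-line comment above the loop saying unmatched names are left for Puppet to ignore would keep the next reader from treating it as a bug.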