From 1c9914f7edc1384b3088c4d7720d9159acb3481c Mon Sep 17 00:00:00 2001
From: Craig Gumbley <craiggumbley@gmail.com>
Date: Tue, 22 Feb 2022 12:23:35 +0000
Subject: [PATCH] (SEC-944) Configurable duplicate behaviour

This adds a new parameter that determines how the Puppet run behaves
when a duplicate system rule is encountered. The default is to warn
and continue.
---
 lib/puppet/type/firewall.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index e4cb1a2..d2ece90 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -234,6 +234,24 @@ Puppet::Type.newtype(:firewall) do
     newvalues(%r{^\d+[[:graph:][:space:]]+$})
   end
 
+  newparam(:onduplicaterulebehaviour) do
+    desc <<-PUPPETCODE
+      In certain situations it is possible for an unmanaged rule to exist
+      on the target system that has the same comment as the rule
+      specified in the manifest.
+
+      This setting determines what happens when such a duplicate is found.
+
+      It offers three options:
+
+        * ignore - The duplicate rule is ignored and any updates to the resource will continue unaffected.
+        * warn - The duplicate rule is logged as a warning and any updates to the resource will continue unaffected.
+        * error - The duplicate rule is logged as an error and any updates to the resource will be skipped.
+    PUPPETCODE
+    newvalues(:ignore, :warn, :error)
+    defaultto :warn
+  end
+
   newproperty(:action) do
     desc <<-PUPPETCODE
       This is the action to perform on a match. Can be one of:
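Review bot: Nothing in this commit reads `onduplicaterulebehaviour` — the diffstat lists only lib/puppet/type/firewall.rb, so the warn-and-continue / error-and-skip handling promised in the desc is not enforced by this patch and the parameter is inert until a provider-side change consumes it; if that change lands separately, the commit description should say so. The desc should also spell out what does not happen in any of the three modes: the duplicate rule is detected by comment match only and is neither removed nor modified, which matters because an unmanaged rule carrying the managed rule's comment may, depending on its position in the chain, take effect ahead of the managed one while `ignore` stays silent and the default `warn` only logs. I would add a line to the heredoc such as `Note: the duplicate is matched on its comment only and is never removed or altered by this setting; review it manually.` The enclosing `Puppet::Type.newtype(:firewall)` block begins and ends outside this hunk.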
-- 
2.45.2