From ad961d79e433bf65ca8ff42bad89d00f6d127436 Mon Sep 17 00:00:00 2001
From: Trey Dockendorf
Date: Mon, 21 Jul 2014 13:55:24 -0500
Subject: [PATCH] Improve support for EL7 and other related fixes

* Support RHEL7 by removing firewalld before installing iptables-services
* Autorequire Package[iptables-services] for Firewall and Firewallchain types
* Ensure /etc/sysconfig/iptables exists before starting Service[iptables]
---
 lib/puppet/type/firewall.rb | 6 +-
 lib/puppet/type/firewallchain.rb | 6 +-
 manifests/linux/redhat.pp | 21 ++++-
 .../classes/firewall_linux_redhat_spec.rb | 68 +++++++++++++++----
 spec/unit/classes/firewall_linux_spec.rb | 2 +-
 spec/unit/puppet/type/firewall_spec.rb | 5 +-
 spec/unit/puppet/type/firewallchain_spec.rb | 5 +-
 7 files changed, 81 insertions(+), 32 deletions(-)

diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index e6be89e..bf28f73 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -22,8 +22,8 @@ Puppet::Type.newtype(:firewall) do
 `chain` or `jump` parameters, the firewall resource will autorequire
 those firewallchain resources.
 
- If Puppet is managing the iptables or iptables-persistent packages, and
- the provider is iptables or ip6tables, the firewall resource will
+ If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
+ and the provider is iptables or ip6tables, the firewall resource will
 autorequire those packages to ensure that any required binaries are
 installed.
 EOS
@@ -937,7 +937,7 @@ Puppet::Type.newtype(:firewall) do
 autorequire(:package) do
 case value(:provider)
 when :iptables, :ip6tables
- %w{iptables iptables-persistent}
+ %w{iptables iptables-persistent iptables-services}
 else
 []
 end
diff --git a/lib/puppet/type/firewallchain.rb b/lib/puppet/type/firewallchain.rb
index 3e3c5d1..b962a0a 100644
--- a/lib/puppet/type/firewallchain.rb
+++ b/lib/puppet/type/firewallchain.rb
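Review bot: The list `%w{iptables iptables-persistent iptables-services}` in the autorequire block is now maintained by hand in two places — here and in the matching firewallchain.rb hunk (@@ -151) — and restated in prose in both types' docstrings, so the next package name has to be added in four spots to stay consistent. A single frozen constant shared by both types, with the docstrings pointing at it, would keep the lists from drifting. Autorequire only adds an ordering edge for package resources already in the catalog, so a disagreement between the two lists would not fail a run; it would just silently drop the ordering for the missing name, which is hard to notice. The enclosing `Puppet::Type.newtype(:firewall)` block starts and ends outside the hunk.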
@@ -18,8 +18,8 @@ Puppet::Type.newtype(:firewallchain) do
 allow it.
 
 **Autorequires:**
- If Puppet is managing the iptables or iptables-persistent packages, and
- the provider is iptables_chain, the firewall resource will autorequire
+ If Puppet is managing the iptables, iptables-persistent, or iptables-services packages,
+ and the provider is iptables_chain, the firewall resource will autorequire
 those packages to ensure that any required binaries are installed.
 EOS
 
@@ -151,7 +151,7 @@ Puppet::Type.newtype(:firewallchain) do
 autorequire(:package) do
 case value(:provider)
 when :iptables_chain
- %w{iptables iptables-persistent}
+ %w{iptables iptables-persistent iptables-services}
 else
 []
 end
diff --git a/manifests/linux/redhat.pp b/manifests/linux/redhat.pp
index f697d21..b7a4d0e 100644
--- a/manifests/linux/redhat.pp
+++ b/manifests/linux/redhat.pp
@@ -20,15 +20,16 @@ class firewall::linux::redhat (
 # RHEL 7 and later and Fedora 15 and later require the iptables-services
 # package, which provides the /usr/libexec/iptables/iptables.init used by
 # lib/puppet/util/firewall.rb.
- if $::operatingsystem == RedHat and $::operatingsystemrelease >= 7 {
- package { 'iptables-services':
- ensure => present,
+ if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
+ or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
+ package { 'firewalld':
+ ensure => absent,
+ before => Package['iptables-services'],
 }
- }
 
- if ($::operatingsystem == 'Fedora' and (( $::operatingsystemrelease =~ /^\d+/ and $::operatingsystemrelease >= 15 ) or $::operatingsystemrelease == "Rawhide")) {
 package { 'iptables-services':
- ensure => present,
+ ensure => present,
+ before => Service['iptables'],
 }
 }
 
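Review bot: The new condition `$::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0` treats every non-Fedora system as Enterprise Linux, so any other RedHat-family distribution that is routed into this class (which distributions reach it is decided in firewall::linux, outside this patch) would get firewalld removed and iptables-services required whenever its release fact sorts above '7.0' — a year-based release string would. Narrowing the first branch to the EL names the comment above actually describes, or documenting that this class assumes only EL and Fedora arrive here, would make the intent explicit and keep a package install from failing on a platform that has no iptables-services. Removing the firewalld package outright is also a more permanent change to the host than stopping and disabling its service; that is the commit's stated intent, but it deserves a sentence in the class header (outside this hunk) so users know the module will uninstall it. The `if` block is complete within the hunk; the class itself starts and ends outside it.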
@@ -36,5 +37,13 @@ class firewall::linux::redhat (
 ensure => $ensure,
 enable => $enable,
 hasstatus => true,
+ require => File['/etc/sysconfig/iptables'],
+ }
+
+ file { '/etc/sysconfig/iptables':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
 }
 }
diff --git a/spec/unit/classes/firewall_linux_redhat_spec.rb b/spec/unit/classes/firewall_linux_redhat_spec.rb
index ea49d2b..43263fa 100644
--- a/spec/unit/classes/firewall_linux_redhat_spec.rb
+++ b/spec/unit/classes/firewall_linux_redhat_spec.rb
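Review bot: `file { '/etc/sysconfig/iptables': ensure => present }` creates an empty file when none exists, so on a freshly provisioned host `Service['iptables']` now starts from an empty ruleset, which leaves the default ACCEPT policies in place until the catalog's firewall resources have been applied and saved — and with firewalld already removed by the @@ -20 hunk, nothing else is filtering during that window. That is a defensible bootstrap trade-off, but it should be written next to the resource rather than left implicit, e.g. `# Only guarantees the file exists (existing content is left untouched) so the service can start; the real ruleset comes from firewall resources.` The `owner`/`group`/`mode => '0600'` settings are the right call, since the saved ruleset describes the host's exposure and should not be world-readable. The service and file resources are complete within the hunk; the closing `}` of the class is its last line.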
@@ -1,22 +1,60 @@
 require 'spec_helper'
 
 describe 'firewall::linux::redhat', :type => :class do
- it { should contain_service('iptables').with(
- :ensure => 'running',
- :enable => 'true'
- )}
+ %w{RedHat CentOS Fedora}.each do |os|
+ oldreleases = (os == 'Fedora' ? ['14'] : ['6.5'])
+ newreleases = (os == 'Fedora' ? ['15','Rawhide'] : ['7.0.1406'])
 
- context 'ensure => stopped' do
- let(:params) {{ :ensure => 'stopped' }}
- it { should contain_service('iptables').with(
- :ensure => 'stopped'
- )}
- end
+ oldreleases.each do |osrel|
+ context "os #{os} and osrel #{osrel}" do
+ let(:facts) {{
+ :operatingsystem => os,
+ :operatingsystemrelease => osrel
+ }}
+
+ it { should_not contain_package('firewalld') }
+ it { should_not contain_package('iptables-services') }
+ end
+ end
+
+ newreleases.each do |osrel|
+ context "os #{os} and osrel #{osrel}" do
+ let(:facts) {{
+ :operatingsystem => os,
+ :operatingsystemrelease => osrel
+ }}
+
+ it { should contain_package('firewalld').with(
+ :ensure => 'absent',
+ :before => 'Package[iptables-services]'
+ )}
+
+ it { should contain_package('iptables-services').with(
+ :ensure => 'present',
+ :before => 'Service[iptables]'
+ )}
+ end
+ end
 
- context 'enable => false' do
- let(:params) {{ :enable => 'false' }}
- it { should contain_service('iptables').with(
- :enable => 'false'
- )}
+ describe 'ensure' do
+ context 'default' do
+ it { should contain_service('iptables').with(
+ :ensure => 'running',
+ :enable => 'true'
+ )}
+ end
+ context 'ensure => stopped' do
+ let(:params) {{ :ensure => 'stopped' }}
+ it { should contain_service('iptables').with(
+ :ensure => 'stopped'
+ )}
+ end
+ context 'enable => false' do
+ let(:params) {{ :enable => 'false' }}
+ it { should contain_service('iptables').with(
+ :enable => 'false'
+ )}
+ end
+ end
 end
 end
diff --git a/spec/unit/classes/firewall_linux_spec.rb b/spec/unit/classes/firewall_linux_spec.rb
index 42056c1..e43c1e9 100644
--- a/spec/unit/classes/firewall_linux_spec.rb
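Review bot: The `describe 'ensure'` block is nested inside `%w{RedHat CentOS Fedora}.each do |os|` but never sets `let(:facts)`, so its three contexts run once per os with identical, fact-less input and the service assertions are never exercised against a concrete platform; either move the block above the loop, since it does not use `os`, or give it `let(:facts) {{ :operatingsystem => os, :operatingsystemrelease => newreleases.first }}` so the release-dependent branch is covered as well. Nothing in the new spec pins the ordering the manifest change introduces: a `:require => 'File[/etc/sysconfig/iptables]'` expectation on the service and a `contain_file('/etc/sysconfig/iptables')` check with the `mode => '0600'` and root ownership would catch a regression in exactly the part of manifests/linux/redhat.pp that matters for the saved ruleset's protection. The whole describe block is within the hunk.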
+++ b/spec/unit/classes/firewall_linux_spec.rb
@@ -7,7 +7,7 @@ describe 'firewall::linux', :type => :class do
 context 'RedHat like' do
 %w{RedHat CentOS Fedora}.each do |os|
 context "operatingsystem => #{os}" do
- releases = (os == 'Fedora' ? [14,15,'Rawhide'] : [6,7])
+ releases = (os == 'Fedora' ? ['14','15','Rawhide'] : ['6','7'])
 releases.each do |osrel|
 context "operatingsystemrelease => #{osrel}" do
 let(:facts) { facts_default.merge({ :operatingsystem => os,
diff --git a/spec/unit/puppet/type/firewall_spec.rb b/spec/unit/puppet/type/firewall_spec.rb
index 368d187..8e9ef56 100755
--- a/spec/unit/puppet/type/firewall_spec.rb
+++ b/spec/unit/puppet/type/firewall_spec.rb
@@ -628,12 +628,13 @@ describe firewall do
 rel.target.ref.should == @resource.ref
 end
 
- it "provider #{provider} should autorequire packages iptables and iptables-persistent" do
+ it "provider #{provider} should autorequire packages iptables, iptables-persistent, and iptables-services" do
 @resource[:provider] = provider
 @resource[:provider].should == provider
 packages = [
 Puppet::Type.type(:package).new(:name => 'iptables'),
- Puppet::Type.type(:package).new(:name => 'iptables-persistent')
+ Puppet::Type.type(:package).new(:name => 'iptables-persistent'),
+ Puppet::Type.type(:package).new(:name => 'iptables-services')
 ]
 catalog = Puppet::Resource::Catalog.new
 catalog.add_resource @resource
diff --git a/spec/unit/puppet/type/firewallchain_spec.rb b/spec/unit/puppet/type/firewallchain_spec.rb
index 3ce7768..bd3095e 100755
--- a/spec/unit/puppet/type/firewallchain_spec.rb
+++ b/spec/unit/puppet/type/firewallchain_spec.rb
@@ -121,11 +121,12 @@ describe firewallchain do
 rel.target.ref.should == resource.ref
 end
 
- it "provider iptables_chain should autorequire packages iptables and iptables-persistent" do
+ it "provider iptables_chain should autorequire packages iptables, iptables-persistent, and iptables-services" do
 resource[:provider].should == :iptables_chain
 packages = [
 Puppet::Type.type(:package).new(:name => 'iptables'),
- Puppet::Type.type(:package).new(:name => 'iptables-persistent')
+ Puppet::Type.type(:package).new(:name => 'iptables-persistent'),
+ Puppet::Type.type(:package).new(:name => 'iptables-services')
 ]
 catalog = Puppet::Resource::Catalog.new
 catalog.add_resource resource
-- 
2.45.2