Merge pull request #338 from larsks/master

Treat RHEL 7 and later like Fedora w/r/t iptables
redhat-openstack · Apr 3, 2014 · c147a62 · c147a62
2 parents e0130d4 + ff40235
commit c147a62
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 5 deletions.
diff --git a/lib/puppet/util/firewall.rb b/lib/puppet/util/firewall.rb
@@ -166,11 +166,16 @@ def persist_iptables(proto)
       end
     end
 
-    # Fedora 15 and newer use systemd for to persist iptable rules
+    # Fedora 15 and newer use systemd to persist iptable rules
     if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'Fedora' && Facter.value(:operatingsystemrelease).to_i >= 15
       os_key = 'Fedora'
     end
 
+    # RHEL 7 and newer also use systemd to persist iptable rules
+    if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'RedHat' && Facter.value(:operatingsystemrelease).to_i >= 7
+      os_key = 'Fedora'
+    end
+
     cmd = case os_key.to_sym
     when :RedHat
       case proto.to_sym
@@ -182,9 +187,9 @@ def persist_iptables(proto)
     when :Fedora
       case proto.to_sym
       when :IPv4
-        %w{/usr/libexec/iptables.init save}
+        %w{/usr/libexec/iptables/iptables.init save}
       when :IPv6
-        %w{/usr/libexec/ip6tables.init save}
+        %w{/usr/libexec/iptables/ip6tables.init save}
       end
     when :Debian
       case proto.to_sym

diff --git a/manifests/linux/redhat.pp b/manifests/linux/redhat.pp
@@ -16,6 +16,22 @@
   $ensure = running,
   $enable = true
 ) {
+
+  # RHEL 7 and later and Fedora 15 and later require the iptables-services
+  # package, which provides the /usr/libexec/iptables/iptables.init used by
+  # lib/puppet/util/firewall.rb.
+  if $::operatingsystem == RedHat and $::operatingsystemrelease >= 7 {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
+  if $::operatingsystem == Fedora and $::operatingsystemrelease >= 15 {
+    package { 'iptables-services':
+      ensure => present,
+    }
+  }
+
   service { 'iptables':
     ensure    => $ensure,
     enable    => $enable,

diff --git a/spec/unit/puppet/util/firewall_spec.rb b/spec/unit/puppet/util/firewall_spec.rb
@@ -116,20 +116,30 @@
     describe 'when proto is IPv4' do
       let(:proto) { 'IPv4' }
 
-      it 'should exec for RedHat identified from osfamily' do
+      it 'should exec /sbin/service if running RHEL 6 or earlier' do
         allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
         allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('6')
 
         expect(subject).to receive(:execute).with(%w{/sbin/service iptables save})
         subject.persist_iptables(proto)
       end
 
+      it 'should exec for systemd if running RHEL 7 or greater' do
+        allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+        allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('7')
+
+        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
+        subject.persist_iptables(proto)
+      end
+
       it 'should exec for systemd if running Fedora 15 or greater' do
         allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
         allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Fedora')
         allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('15')
 
-        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables.init save})
+        expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
         subject.persist_iptables(proto)
       end