diff --git a/lib/puppet/util/firewall.rb b/lib/puppet/util/firewall.rb
index 610b6034d..aa26d3bc7 100644
--- a/lib/puppet/util/firewall.rb
+++ b/lib/puppet/util/firewall.rb
@@ -166,11 +166,16 @@ def persist_iptables(proto)
 end
 end
- # Fedora 15 and newer use systemd for to persist iptable rules
+ # Fedora 15 and newer use systemd to persist iptable rules
 if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'Fedora' && Facter.value(:operatingsystemrelease).to_i >= 15
 os_key = 'Fedora'
 end
+ # RHEL 7 and newer also use systemd to persist iptable rules
+ if os_key == 'RedHat' && Facter.value(:operatingsystem) == 'RedHat' && Facter.value(:operatingsystemrelease).to_i >= 7
+ os_key = 'Fedora'
+ end
+
 cmd = case os_key.to_sym
 when :RedHat
 case proto.to_sym
@@ -182,9 +187,9 @@ def persist_iptables(proto)
 when :Fedora
 case proto.to_sym
 when :IPv4
- %w{/usr/libexec/iptables.init save}
+ %w{/usr/libexec/iptables/iptables.init save}
 when :IPv6
- %w{/usr/libexec/ip6tables.init save}
+ %w{/usr/libexec/iptables/ip6tables.init save}
 end
 when :Debian
 case proto.to_sym
diff --git a/manifests/linux/redhat.pp b/manifests/linux/redhat.pp
index c3d0628ed..a4c00b647 100644
--- a/manifests/linux/redhat.pp
+++ b/manifests/linux/redhat.pp
@@ -16,6 +16,22 @@
 $ensure = running,
 $enable = true
 ) {
+
+ # RHEL 7 and later and Fedora 15 and later require the iptables-services
+ # package, which provides the /usr/libexec/iptables/iptables.init used by
+ # lib/puppet/util/firewall.rb.
+ if $::operatingsystem == RedHat and $::operatingsystemrelease >= 7 {
+ package { 'iptables-services':
+ ensure => present,
+ }
+ }
+
+ if $::operatingsystem == Fedora and $::operatingsystemrelease >= 15 {
+ package { 'iptables-services':
+ ensure => present,
+ }
+ }
+
 service { 'iptables':
 ensure => $ensure,
 enable => $enable,
diff --git a/spec/unit/puppet/util/firewall_spec.rb b/spec/unit/puppet/util/firewall_spec.rb
index 2fbfabd07..8c33c34f0 100644
--- a/spec/unit/puppet/util/firewall_spec.rb
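Review bot: The new RHEL 7 branch in persist_iptables matches only `Facter.value(:operatingsystem) == 'RedHat'`, so other osfamily RedHat systems at release 7 that report their own operatingsystem value (CentOS, Scientific, OracleLinux) presumably still take the `:RedHat` branch; if that save command does not persist rules under systemd on those hosts, their firewall rules would not survive a reboot. Consider matching a list instead, e.g. `%w{RedHat CentOS Scientific OracleLinux}.include?(Facter.value(:operatingsystem))`, and adding a spec case for one derivative, since the spec hunk stubs only 'RedHat' and 'Fedora'. Reusing the 'Fedora' key for RHEL also deserves a comment such as `# 'Fedora' here selects the systemd-era save script, not the distribution`. The body of persist_iptables starts and ends outside this hunk.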
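Review bot: The `:Fedora` branch now uses `/usr/libexec/iptables/iptables.init` for every release from Fedora 15 up, with no fallback to the previous `/usr/libexec/iptables.init` location; the same applies to the IPv6 line. If a supported release still ships the script at the old path, or iptables-services is not installed, the save would fail and the running rules would not be persisted; how a failing `execute` is reported is outside this hunk. One option is to pick whichever script exists, e.g. `script = %w{/usr/libexec/iptables/iptables.init /usr/libexec/iptables.init}.find { |p| File.exist?(p) }`, and to log a clear warning when neither is present.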
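Review bot: Both new conditions compare against bare words and a number: `$::operatingsystem == RedHat` leaves `RedHat` and `Fedora` unquoted, and `$::operatingsystemrelease >= 7` compares a string fact with an integer, which may not evaluate as intended for values such as a three-part release string (this depends on the Puppet version and is worth confirming). Quoting the names and using `versioncmp($::operatingsystemrelease, '7') >= 0` would be safer. The package also has no visible ordering against `service { 'iptables':`; adding `before => Service['iptables'],` would ensure the unit exists before Puppet tries to enable it, although the service body continues outside the hunk, so a `require` may already be there. The two identical `package` blocks could be merged under one condition.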
+++ b/spec/unit/puppet/util/firewall_spec.rb
@@ -116,20 +116,30 @@
 describe 'when proto is IPv4' do
 let(:proto) { 'IPv4' }
- it 'should exec for RedHat identified from osfamily' do
+ it 'should exec /sbin/service if running RHEL 6 or earlier' do
 allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
 allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+ allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('6')
 expect(subject).to receive(:execute).with(%w{/sbin/service iptables save})
 subject.persist_iptables(proto)
 end
+ it 'should exec for systemd if running RHEL 7 or greater' do
+ allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
+ allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('RedHat')
+ allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('7')
+
+ expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
+ subject.persist_iptables(proto)
+ end
+
 it 'should exec for systemd if running Fedora 15 or greater' do
 allow(Facter.fact(:osfamily)).to receive(:value).and_return('RedHat')
 allow(Facter.fact(:operatingsystem)).to receive(:value).and_return('Fedora')
 allow(Facter.fact(:operatingsystemrelease)).to receive(:value).and_return('15')
- expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables.init save})
+ expect(subject).to receive(:execute).with(%w{/usr/libexec/iptables/iptables.init save})
 subject.persist_iptables(proto)
 end