Add RHEL support to iptables module.

Updates the iptables module so that it uses parameters to define the package, service, and files used to setup and configure persistent iptables rules. With these updates the module should now support both RHEL and Ubuntu. Change-Id: I45af4e72065c9baaf1d9a03f18b47f6effdce322 Reviewed-on: https://review.openstack.org/23278 Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Approved: Jeremy Stanley <fungi@yuggoth.org> Reviewed-by: Jeremy Stanley <fungi@yuggoth.org> Tested-by: Jenkins
2013-03-01 09:55:57 -05:00 · 2013-03-01 09:55:57 -05:00 · 51bf7ed8c1
commit 51bf7ed8c1
parent 0a1737eb18
2 changed files with 66 additions and 27 deletions
--- a/modules/iptables/manifests/init.pp
+++ b/modules/iptables/manifests/init.pp
@ -15,64 +15,65 @@ class iptables(
  $public_tcp_ports = [],
  $public_udp_ports = []
 ) {
-  package { 'iptables-persistent':
+
+  include iptables::params
+
+  package { 'iptables':
    ensure => present,
+    name   => $::iptables::params::package_name,
  }

-  service { 'iptables-persistent':
-    require    => Package['iptables-persistent'],
-    # Because there is no running process for this service, the normal status
-    # checks fail.  Because puppet then thinks the service has been manually
-    # stopped, it won't restart it.  This fake status command will trick puppet
-    # into thinking the service is *always* running (which in a way it is, as
-    # iptables is part of the kernel.)
-    hasstatus  => true,
-    status     => true,
-    # Under Debian, the "restart" parameter does not reload the rules, so tell
-    # Puppet to fall back to stop/start, which does work.
-    hasrestart => false,
+  service { 'iptables':
+    name       => $::iptables::params::service_name,
+    require    => Package['iptables'],
+    hasstatus  => $::iptables::params::service_has_status,
+    status     => $::iptables::params::service_status_cmd,
+    hasrestart => $::iptables::params::service_has_restart,
  }

-  file { '/etc/iptables':
-    ensure => directory,
+  file { $::iptables::params::rules_dir:
+    ensure     => directory,
+    require    => Package['iptables'],
  }

-  file { '/etc/iptables/rules':
+  # This file is not required on Red Hat distros... but it
+  # won't hurt to softlink to it either
+  file { "${::iptables::params::rules_dir}/rules":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template('iptables/rules.erb'),
    require => [
-      Package['iptables-persistent'],
-      File['/etc/iptables'],
+      Package['iptables'],
+      File[$::iptables::params::rules_dir],
    ],
    # When this file is updated, make sure the rules get reloaded.
-    notify  => Service['iptables-persistent'],
+    notify  => Service['iptables'],
  }

-  file { '/etc/iptables/rules.v4':
+  file { $::iptables::params::ipv4_rules:
    ensure  => link,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
-    target  => '/etc/iptables/rules',
-    require => File['/etc/iptables/rules'],
-    notify  => Service['iptables-persistent'],
+    target  => "${::iptables::params::rules_dir}/rules",
+    require => File["${::iptables::params::rules_dir}/rules"],
+    notify  => Service['iptables'],
  }

-  file { '/etc/iptables/rules.v6':
+  file { $::iptables::params::ipv6_rules:
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template('iptables/rules.v6.erb'),
    require => [
-      Package['iptables-persistent'],
-      File['/etc/iptables'],
+      Package['iptables'],
+      File[$::iptables::params::rules_dir],
    ],
    # When this file is updated, make sure the rules get reloaded.
-    notify  => Service['iptables-persistent'],
+    notify  => Service['iptables'],
    replace => true,
  }
 }
--- a/modules/iptables/manifests/params.pp
+++ b/modules/iptables/manifests/params.pp
@ -0,0 +1,38 @@
+# Class: iptables::params
+#
+# This class holds parameters that need to be
+# accessed by other classes.
+class iptables::params {
+  case $::osfamily {
+    'Redhat': {
+      $package_name = 'iptables'
+      $service_name = 'iptables'
+      $rules_dir = '/etc/sysconfig'
+      $ipv4_rules = '/etc/sysconfig/iptables'
+      $ipv6_rules = '/etc/sysconfig/ip6tables'
+      $service_has_status = true
+      $service_status_cmd = undef
+      $service_has_restart = false
+    }
+    'Debian', 'Ubuntu': {
+      $package_name = 'iptables-persistent'
+      $service_name = 'iptables-persistent'
+      $rules_dir = '/etc/iptables'
+      $ipv4_rules = '/etc/iptables/rules.v4'
+      $ipv6_rules = '/etc/iptables/rules.v6'
+      # Because there is no running process for this service, the normal status
+      # checks fail.  Because puppet then thinks the service has been manually
+      # stopped, it won't restart it.  This fake status command will trick
+      # puppet into thinking the service is *always* running (which in a way
+      # it is, as iptables is part of the kernel.)
+      $service_has_status = true
+      $service_status_cmd = true
+      # Under Debian, the "restart" parameter does not reload the rules, so
+      # tell Puppet to fall back to stop/start, which does work.
+      $service_has_restart = false
+    }
+    default: {
+      fail("Unsupported osfamily: ${::osfamily} The 'iptables' module only supports osfamily Ubuntu or Redhat(slaves only).")
+    }
+  }
+}