Puppet Class: firewall::linux::debian

Inherits:
::firewall::params
Defined in:
manifests/linux/debian.pp

Summary

Installs the `iptables-persistent` package for Debian-like systems. This allows rules to be saved to a file and restored on boot.

Overview

Parameters:

  • ensure (Any) (defaults to: running)

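    Ensure parameter passed on to Service[] resources. Valid options: ‘running’ or ‘stopped’. Defaults to ‘running’. Note that the class body shown below declares its Service resource with `ensure => undef`, so this value is not applied to that resource.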

  • enable (Any) (defaults to: true)

    Enable parameter passed on to Service[] resources. Defaults to ‘true’.

  • service_name (Any) (defaults to: $firewall::params::service_name)

    Specify the name of the IPv4 iptables service. Defaults defined in firewall::params.

  • package_name (Any) (defaults to: $firewall::params::package_name)

    Specify the platform-specific package(s) to install. Defaults defined in firewall::params.

  • package_ensure (Any) (defaults to: $firewall::params::package_ensure)

    Controls the state of the iptables package on your system. Valid options: ‘present’ or ‘latest’. Defaults to ‘latest’.



# File 'manifests/linux/debian.pp', line 21

# Debian-family persistence for the firewall module: optionally installs the
# rules-persistence package and manages boot-time enablement of its service.
#
# NOTE(review): $ensure is accepted but never referenced in this body; the
# Service resource below is declared with `ensure => undef`, so passing
# 'stopped' has no effect here.
class firewall::linux::debian (
  $ensure         = running,
  $enable         = true,
  $service_name   = $firewall::params::service_name,
  $package_name   = $firewall::params::package_name,
  $package_ensure = $firewall::params::package_ensure,
) inherits ::firewall::params {
  # Package handling is skipped entirely when $package_name is undef or false.
  if $package_name {
    # Fixes hang while installing iptables-persistent on debian 8: preseeds the
    # package's autosave_v4 and autosave_v6 debconf answers to false
    # (presumably so the install does not stop to ask; confirm).
    #
    # ${package_name} is interpolated into a command line that relies on `|`
    # and `&&`, so it must be a single package-name string from trusted data
    # (manifests/Hiera), never from externally supplied input. An Array value
    # would not interpolate into a valid debconf selection line.
    # NOTE(review): no `provider` is set on this exec; confirm the provider in
    # use handles the pipe and `&&` as intended.
    #
    # NOTE(review): `refreshonly => true` means the command runs only on a
    # refresh event. The only relationship visible here is the package's
    # `require`, which orders resources but does not refresh them. Confirm
    # that something notifies this exec, otherwise the preseed never runs.
    exec { 'iptables-persistent-debconf':
      command     => "/bin/echo \"${package_name} ${package_name}/autosave_v4 boolean false\" |
                      /usr/bin/debconf-set-selections && /bin/echo \"${package_name} ${package_name}/autosave_v6 boolean false\" |
                      /usr/bin/debconf-set-selections",

      refreshonly => true,
    }
    # Declares the package (ordered after the debconf exec) with the requested
    # ensure value. With 'latest', any run may upgrade the package; pin a
    # version where firewall tooling changes need change control.
    ensure_packages([$package_name],{
        ensure  => $package_ensure,
        require => Exec['iptables-persistent-debconf']
    })
  }

  # Workaround branch: taken only when the OS release string starts with "6.",
  # $enable is exactly true, the iptables_persistent_version fact is set, and
  # that version compares below 0.5.0.
  #
  # NOTE(review): both branches reference Package[$package_name], but the
  # package is only declared inside the `if $package_name` guard above.
  # Confirm behaviour when package_name is unset.
  if($::operatingsystemrelease =~ /^6\./ and $enable == true and $::iptables_persistent_version
  and versioncmp($::iptables_persistent_version, '0.5.0') < 0) {
    # This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
    # we lose idempotency
    #
    # Enables the init script via update-rc.d; skipped when `test -f` already
    # finds an S*iptables-persistent entry under /etc/rcS.d.
    exec { 'iptables-persistent-enable':
      logoutput => on_failure,
      command   => '/usr/sbin/update-rc.d iptables-persistent enable',
      unless    => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
      require   => Package[$package_name],
    }
  } else {
    # This isn't a real service/daemon. The start action loads rules, so just
    # needs to be called on system boot.
    #
    # Only `enable` is managed; `ensure => undef` leaves the running state
    # unmanaged, which is why $ensure is not passed through.
    service { $service_name:
      ensure    => undef,
      enable    => $enable,
      hasstatus => true,
      require   => Package[$package_name],
    }
  }
}