Merge pull request #252 from florianfa/master

#235 Backend Firewall
voxpupuli · Feb 12, 2020 · 10cedfd · 10cedfd
2 parents 09c8d1d + b6c1281
commit 10cedfd
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ class { 'firewalld': }
 * `service_ensure`: Whether the service should be running or not (default: running)
 * `service_enable`: Whether to enable the service
 * `default_zone`: Optional, set the default zone for interfaces (default: undef)
+* `firewall_backend`: Optional, set the firewall backend for firewalld (default: undef)
 * `default_service_zone`: Optional, set the default zone for services (default: undef)
 * `default_port_zone`: Optional, set the default zone for ports (default: undef)
 * `default_port_protocol`: Optional, set the default protocol for ports (default: undef)

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -31,34 +31,35 @@
 #
 #
 class firewalld (
-  Enum['present','absent','latest','installed'] $package_ensure = 'installed',
-  String $package = 'firewalld',
-  Stdlib::Ensure::Service $service_ensure = 'running',
-  String  $config_package            = 'firewall-config',
-  Boolean $install_gui               = false,
-  Boolean $service_enable            = true,
-  Hash    $zones                     = {},
-  Hash    $ports                     = {},
-  Hash    $services                  = {},
-  Hash    $rich_rules                = {},
-  Hash    $custom_services           = {},
-  Hash    $ipsets                    = {},
-  Hash    $direct_rules              = {},
-  Hash    $direct_chains             = {},
-  Hash    $direct_passthroughs       = {},
-  Boolean $purge_direct_rules        = false,
-  Boolean $purge_direct_chains       = false,
-  Boolean $purge_direct_passthroughs = false,
-  Boolean $purge_unknown_ipsets      = false,
-  Optional[String] $default_zone     = undef,
-  Optional[Enum['off','all','unicast','broadcast','multicast']] $log_denied = undef,
-  Optional[Enum['yes', 'no']] $cleanup_on_exit = undef,
-  Optional[Integer] $minimal_mark = undef,
-  Optional[Enum['yes', 'no']] $lockdown = undef,
-  Optional[Enum['yes', 'no']] $ipv6_rpfilter = undef,
-  Optional[String] $default_service_zone  = undef,
-  Optional[String] $default_port_zone     = undef,
-  Optional[String] $default_port_protocol = undef,
+  Enum['present','absent','latest','installed']                 $package_ensure            = 'installed',
+  String                                                        $package                   = 'firewalld',
+  Stdlib::Ensure::Service                                       $service_ensure            = 'running',
+  String                                                        $config_package            = 'firewall-config',
+  Boolean                                                       $install_gui               = false,
+  Boolean                                                       $service_enable            = true,
+  Hash                                                          $zones                     = {},
+  Hash                                                          $ports                     = {},
+  Hash                                                          $services                  = {},
+  Hash                                                          $rich_rules                = {},
+  Hash                                                          $custom_services           = {},
+  Hash                                                          $ipsets                    = {},
+  Hash                                                          $direct_rules              = {},
+  Hash                                                          $direct_chains             = {},
+  Hash                                                          $direct_passthroughs       = {},
+  Boolean                                                       $purge_direct_rules        = false,
+  Boolean                                                       $purge_direct_chains       = false,
+  Boolean                                                       $purge_direct_passthroughs = false,
+  Boolean                                                       $purge_unknown_ipsets      = false,
+  Optional[String]                                              $default_zone              = undef,
+  Optional[Enum['off','all','unicast','broadcast','multicast']] $log_denied                = undef,
+  Optional[Enum['yes', 'no']]                                   $cleanup_on_exit           = undef,
+  Optional[Integer]                                             $minimal_mark              = undef,
+  Optional[Enum['yes', 'no']]                                   $lockdown                  = undef,
+  Optional[Enum['yes', 'no']]                                   $ipv6_rpfilter             = undef,
+  Optional[Enum['iptables', 'nftables']]                        $firewall_backend          = undef,
+  Optional[String]                                              $default_service_zone      = undef,
+  Optional[String]                                              $default_port_zone         = undef,
+  Optional[String]                                              $default_port_protocol     = undef,
 ) {
 
     package { $package:
@@ -235,6 +236,18 @@
       }
     }
 
+    if $facts['firewalld_version'] and
+      (versioncmp($facts['firewalld_version'], '0.6.0') >= 0) and
+      $firewall_backend
+    {
+      augeas {
+        'firewalld::firewall_backend':
+          changes => [
+            "set FirewallBackend \"${firewall_backend}\"",
+          ];
+      }
+    }
+
     # Set dependencies using resource chaining so that resource declarations made
     # outside of this class (eg: from the profile) also get their dependencies set
     # automatically, this addresses various issues found in

diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -6,8 +6,15 @@
     Puppet::Provider::Firewalld.any_instance.stubs(:running).returns(:true) # rubocop:disable RSpec/AnyInstance
   end
 
+  let(:facts) do
+    {
+      firewalld_version: '0.5.0'
+    }
+  end
+
   context 'with defaults for all parameters' do
     it { is_expected.to contain_class('firewalld') }
+    it { is_expected.not_to contain_augeas('firewalld::firewallbackend') }
   end
 
   context 'when defining a default zone' do
@@ -254,6 +261,44 @@
     end
   end
 
+  context 'with parameter firewall_backend' do
+    context 'with firewalld version' do
+      let(:params) do
+        {
+          firewall_backend: 'nftables'
+        }
+      end
+
+      ['0.6.0', '1.0.0'].each do |version|
+        let(:facts) do
+          {
+            firewalld_version: version
+          }
+        end
+
+        context version do
+          it do
+            is_expected.to contain_augeas('firewalld::firewall_backend').with(
+              changes: ['set FirewallBackend "nftables"']
+            )
+          end
+        end
+      end
+
+      context '0.5.0' do
+        let(:facts) do
+          {
+            firewalld_version: '0.5.0'
+          }
+        end
+
+        it do
+          is_expected.not_to contain_augeas('firewalld::firewall_backend')
+        end
+      end
+    end
+  end
+
   context 'with parameter ipv6_rpfilter' do
     let(:params) do
       {