MODULES-1309 - Make package and service names configurable

This was motivated by a need to make this work on Debian Jessie.

Author: Morgan Haskel

README.markdown

@@ -311,6 +311,14 @@ Parameter that controls the state of the `iptables` service on your system, allo
 
 `ensure` can either be `running` or `stopped`. Default to `running`.
 
+####`package`
+
+Specify the platform-specific package(s) to install. Defaults defined in `firewall::params`.
+
+####`service`
+
+Specify the platform-specific service(s) to start or stop. Defaults defined in `firewall::params`.
+
 ###Type: firewall
 
 This type enables you to manage firewall rules within Puppet.

manifests/init.pp

@@ -12,8 +12,10 @@
 #   Default: running
 #
 class firewall (
-  $ensure = running
-) {
+  $ensure  = running,
+  $service = $::firewall::params::service,
+  $package = $::firewall::params::package,
+) inherits ::firewall::params {
   case $ensure {
     /^(running|stopped)$/: {
       # Do nothing.
@@ -26,7 +28,9 @@
   case $::kernel {
     'Linux': {
       class { "${title}::linux":
-        ensure => $ensure,
+        ensure  => $ensure,
+        service => $service,
+        package => $package,
       }
     }
     default: {

manifests/linux.pp

@@ -12,8 +12,10 @@
 #   Default: running
 #
 class firewall::linux (
-  $ensure = running
-) {
+  $ensure  = running,
+  $service = $::firewall::params::service,
+  $package = $::firewall::params::package,
+) inherits ::firewall::params {
   $enable = $ensure ? {
     running => true,
     stopped => false,
@@ -29,20 +31,26 @@
       class { "${title}::redhat":
         ensure  => $ensure,
         enable  => $enable,
+        package => $package,
+        service => $service,
         require => Package['iptables'],
       }
     }
     'Debian', 'Ubuntu': {
       class { "${title}::debian":
         ensure  => $ensure,
         enable  => $enable,
+        package => $package,
+        service => $service,
         require => Package['iptables'],
       }
     }
     'Archlinux': {
       class { "${title}::archlinux":
         ensure  => $ensure,
         enable  => $enable,
+        package => $package,
+        service => $service,
         require => Package['iptables'],
       }
     }

manifests/linux/archlinux.pp

@@ -14,28 +14,30 @@
 #   Default: true
 #
 class firewall::linux::archlinux (
-  $ensure = 'running',
-  $enable = true
-) {
-  service { 'iptables':
-    ensure    => $ensure,
-    enable    => $enable,
-    hasstatus => true,
+  $ensure  = 'running',
+  $enable  = true,
+  $service = $::firewall::params::service,
+  $package = $::firewall::params::package,
+) inherits ::firewall::params {
+  if $package {
+    package { $package:
+      ensure => $ensure,
+    }
   }
 
-  service { 'ip6tables':
+  service { $service:
     ensure    => $ensure,
     enable    => $enable,
     hasstatus => true,
   }
 
   file { '/etc/iptables/iptables.rules':
     ensure => present,
-    before => Service['iptables'],
+    before => Service[$service],
   }
 
   file { '/etc/iptables/ip6tables.rules':
     ensure => present,
-    before => Service['ip6tables'],
+    before => Service[$service],
   }
 }

manifests/linux/debian.pp

@@ -14,31 +14,36 @@
 #   Default: true
 #
 class firewall::linux::debian (
-  $ensure = running,
-  $enable = true
-) {
-  package { 'iptables-persistent':
-    ensure => present,
+  $ensure  = running,
+  $enable  = true,
+  $service = $::firewall::params::service,
+  $package = $::firewall::params::package,
+) inherits ::firewall::params {
+
+  if $package {
+    package { $package:
+      ensure => present,
+    }
   }
 
   if($::operatingsystemrelease =~ /^6\./ and $enable == true
-  and versioncmp($::iptables_persistent_version, '0.5.0') < 0 ) {
+  and versioncmp($::iptables_persistent_version, '0.5.0') < 0 and ! $service) {
     # This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
     # we lose idempotency
     exec { 'iptables-persistent-enable':
       logoutput => on_failure,
       command   => '/usr/sbin/update-rc.d iptables-persistent enable',
       unless    => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
-      require   => Package['iptables-persistent'],
+      require   => Package[$package],
     }
   } else {
     # This isn't a real service/daemon. The start action loads rules, so just
     # needs to be called on system boot.
-    service { 'iptables-persistent':
+    service { $service:
       ensure    => undef,
       enable    => $enable,
       hasstatus => true,
-      require   => Package['iptables-persistent'],
+      require   => Package[$package],
     }
   }
 }

manifests/linux/redhat.pp

@@ -13,38 +13,42 @@
 #   Default: true
 #
 class firewall::linux::redhat (
-  $ensure = running,
-  $enable = true
-) {
+  $ensure  = running,
+  $enable  = true,
+  $service = $::firewall::params::service,
+  $package = $::firewall::params::package,
+) inherits ::firewall::params {
 
   # RHEL 7 and later and Fedora 15 and later require the iptables-services
   # package, which provides the /usr/libexec/iptables/iptables.init used by
   # lib/puppet/util/firewall.rb.
-  if   ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
-    or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
-    service { "firewalld":
+  if ($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
+  or ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0) {
+    service { 'firewalld':
       ensure => stopped,
       enable => false,
-      before => Package['iptables-services']
+      before => Package[$package],
     }
+  }
 
-    package { 'iptables-services':
-      ensure  => present,
-      before  => Service['iptables'],
+  if $package {
+    package { $package:
+      ensure => present,
+      before => Service[$service],
     }
   }
 
-  service { 'iptables':
+  service { $service:
     ensure    => $ensure,
     enable    => $enable,
     hasstatus => true,
     require   => File['/etc/sysconfig/iptables'],
   }
 
   file { '/etc/sysconfig/iptables':
-    ensure  => present,
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0600',
+    ensure => present,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0600',
   }
 }

manifests/params.pp

@@ -0,0 +1,44 @@
+class firewall::params {
+  case $::osfamily {
+    'RedHat': {
+      case $::operatingsystem {
+        'Archlinux': {
+          $service = ['iptables','ip6tables']
+          $package = undef
+        }
+        'Fedora': {
+          if versioncmp($::operatingsystemrelease, '15') >= 0 {
+            $package = 'iptables-services'
+          } else {
+            $package = undef
+          }
+          $service = 'iptables'
+        }
+        default: {
+          if versioncmp($::operatingsystemrelease, '7.0') >= 0 {
+            $package = 'iptables-services'
+          } else {
+            $package = undef
+          }
+          $service = 'iptables'
+        }
+      }
+    }
+    'Debian': {
+      if $::operatingsystemrelease =~ /^6\./ and versioncmp($::iptables_persistent_version, '0.5.0') < 0 {
+        $service = undef
+        $package = 'iptables-persistent'
+      } elsif $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8.0') >= 0 {
+        $service = 'netfilter-persistent'
+        $package = 'netfilter-persistent'
+      } else {
+        $service = 'iptables-persistent'
+        $package = 'iptables-persistent'
+      }
+    }
+    default: {
+      $package = undef
+      $service = 'iptables'
+    }
+  }
+}

spec/unit/classes/firewall_linux_archlinux_spec.rb

@@ -1,6 +1,12 @@
 require 'spec_helper'
 
 describe 'firewall::linux::archlinux', :type => :class do
+  let(:facts) do
+    {
+      :osfamily        => 'RedHat',
+      :operatingsystem => 'Archlinux'
+    }
+  end
   it { should contain_service('iptables').with(
     :ensure   => 'running',
     :enable   => 'true'

spec/unit/classes/firewall_linux_debian_spec.rb

@@ -1,19 +1,87 @@
 require 'spec_helper'
 
 describe 'firewall::linux::debian', :type => :class do
-  it { should contain_package('iptables-persistent').with(
-    :ensure => 'present'
-  )}
-  it { should contain_service('iptables-persistent').with(
-    :ensure   => nil,
-    :enable   => 'true',
-    :require  => 'Package[iptables-persistent]'
-  )}
+  context "Debian 7" do
+    let(:facts) {{
+        :osfamily              => 'Debian',
+        :operatingsystem       => 'Debian',
+        :operatingsystemrelease => '7.0'
+    }}
+    it { should contain_package('iptables-persistent').with(
+      :ensure => 'present'
+    )}
+    it { should contain_service('iptables-persistent').with(
+      :ensure   => nil,
+      :enable   => 'true',
+      :require  => 'Package[iptables-persistent]'
+    )}
+  end
 
-  context 'enable => false' do
+  context 'deb7 enable => false' do
+    let(:facts) {{
+        :osfamily              => 'Debian',
+        :operatingsystem       => 'Debian',
+        :operatingsystemrelease => '7.0'
+    }}
     let(:params) {{ :enable => 'false' }}
     it { should contain_service('iptables-persistent').with(
       :enable   => 'false'
     )}
   end
+
+  context "Debian 8" do
+    let(:facts) {{
+        :osfamily              => 'Debian',
+        :operatingsystem       => 'Debian',
+        :operatingsystemrelease => 'jessie/sid'
+    }}
+    it { should contain_package('netfilter-persistent').with(
+      :ensure => 'present'
+    )}
+    it { should contain_service('netfilter-persistent').with(
+      :ensure   => nil,
+      :enable   => 'true',
+      :require  => 'Package[netfilter-persistent]'
+    )}
+  end
+
+  context 'deb8 enable => false' do
+    let(:facts) {{
+        :osfamily              => 'Debian',
+        :operatingsystem       => 'Debian',
+        :operatingsystemrelease => 'jessie/sid'
+    }}
+    let(:params) {{ :enable => 'false' }}
+    it { should contain_service('netfilter-persistent').with(
+      :enable   => 'false'
+    )}
+  end
+
+  context "Debian 8, alt operatingsystem" do
+    let(:facts) {{
+        :osfamily               => 'Debian',
+        :operatingsystem        => 'Debian',
+        :operatingsystemrelease => '8.0'
+    }}
+    it { should contain_package('netfilter-persistent').with(
+      :ensure => 'present'
+    )}
+    it { should contain_service('netfilter-persistent').with(
+      :ensure   => nil,
+      :enable   => 'true',
+      :require  => 'Package[netfilter-persistent]'
+    )}
+  end
+
+  context 'deb8, alt operatingsystem, enable => false' do
+    let(:facts) {{
+        :osfamily               => 'Debian',
+        :operatingsystem        => 'Debian',
+        :operatingsystemrelease => '8.0'
+    }}
+    let(:params) {{ :enable => 'false' }}
+    it { should contain_service('netfilter-persistent').with(
+      :enable   => 'false'
+    )}
+  end
 end

spec/unit/classes/firewall_linux_redhat_spec.rb

@@ -8,6 +8,7 @@
     oldreleases.each do |osrel|
       context "os #{os} and osrel #{osrel}" do
         let(:facts) {{
+          :osfamily               => 'RedHat',
           :operatingsystem        => os,
           :operatingsystemrelease => osrel
         }}
@@ -20,6 +21,7 @@
     newreleases.each do |osrel|
       context "os #{os} and osrel #{osrel}" do
         let(:facts) {{
+          :osfamily               => 'RedHat',
           :operatingsystem        => os,
           :operatingsystemrelease => osrel
         }}