Fix rpfilter parameter

[onyxmaster]

Hi,
In the current version of the module, the rpfilter parameter works as a no-op, no matter which value is provided since the feature is not specified. This commit fixes this issue.

Unfortunately, this is not the only issue with the parameter in question. The xt_rpfilter is one of the few extensions that perform meaningful work even when there are no extra parameters specified (in fact the default strict mode is invoked by just the -m rpfilter stanza), and currently, the Puppet module requires for the mode to be set to one of loose/validmark/accept-local/invert. In fact, all of these are optional flags and can be enabled simultaneously or not enabled at all. I'm not sure how to fix this and whether I should report this issue somewhere else.

So while this PR addresses part of the problem with rpfilter parameter just doing nothing, it doesn't fix the main issue with rpfilter support. Currently, to use default strict matching one can work around the issue by using one of the flags that do not significantly affect the processing most of the time (such as setting rpfilter => 'validmark'), but this is only a hacky workaround, not a complete solution. Please advise on where should I report the issue so it could be fixed completely.

[puppet-community-rangefinder]

firewall is a type

Breaking changes to this file WILL impact these 121 modules (exact match):

• echoes-strongswan
• jlambert121-puppet
• jonnyx-samba
• maxadamo-galera_proxysql
• oris-appserver
• echoes-echoes_firewall
• shearn89-toughen
• tracywebtech-dofirewall
• glorpen-g_firewall
• puppetlabs-pam_firewall
• dhollinger-devopsdays
• treydock-osg
• calmenergy-fail2ban
• wdec-echoes_monit
• mikegleasonjr-server
• thoherr-railsapp
• wdijkerman-zabbix
• olevole-memcached
• treydock-slurm
• themeier-ssh
• puppetfinland-puppetmaster
• puppet-cassandra
• puppetlabs-awsdemo_profiles
• echoes-monit
• compass-rserve
• jethrocarr-roadwarrior
• treydock-gpfs
• danfoster-networker
• maxadamo-zfs_nas
• myoung34-marklogic
• puppetfinland-packetfilter
• jmkeyes-gocd
• pmuller-aws_firewall
• puppet-zabbix
• pltraining-selfpaced
• radez-pacemaker
• ffquintella-firewallmanager
• eelcomaljaars-friendica
• rendhalver-nrpe
• evenup-puppet
• railsdog-awsfirewall
• godp1301-postgresql
• tomkrieger-remediate_install
• tedivm-psad
• rogierslag-openswan
• SchnWalter-happydev
• myoung34-hbase
• puppetlabs-puppetdb
• treydock-globus
• evenup-riakdev
• sjoeboo-puppet
• wazuh-wazuh
• emccode-scaleio
• evenup-common
• jgazeley-freeradius
• seteam-role
• abiquo-abiquo
• cloudscaling-scaleio
• sat6qe-katellovirt
• compass-learninglocker
• wdec-monit
• eschiller-trac
• cnafsd-bdii
• jgazeley-speedtest
• pennycoders-zookeeper
• narasimhasv-openstack
• 42ways-railsapp
• andrewkroh-base_firewall
• ghoneycutt-ssh
• danfoster-sitefirewall
• jgazeley-ekahau_throughput_server
• gnubilafrance-nfs
• gabe-pe_razor_complete
• ploperations-haproxy_consul
• jethrocarr-timemachine
• soli-monit
• olevole-ssh
• jgazeley-networker
• puppetlabs-wordpress_app
• jgazeley-monyog
• myoung34-mirthconnect
• tufin-secureapp
• compass-examdb
• fraenki-galera
• saz-memcached
• dhogland-splunk
• huit-ipa
• mdelaney-icecc
• puppet-smokeping
• enterprisemodules-ora_rac
• alexharvey-firewall_multi
• tomkrieger-security_baseline
• geoffwilliams-r_profile
• glarizza-profiles
• abstractit-nrpe
• maxadamo-galera_maxscale
• locp-cassandra
• praekeltfoundation-docker_firewall
• mvasilenko-gocd
• tscopp-jss
• maany-simple_grid
• maxchk-varnish
• aco-tomcat
• pennycoders-marathon
• thias-rhel
• karume-openstack
• pennycoders-mesos
• mtsinc1-trac
• jamesread-commonlinuxstuff
• inkling-postgresql
• bashtoni-masq
• maxadamo-tiny_nas
• puppetlabs-openstack
• binarin-binarin
• jgazeley-nagios
• hesco-weave
• CERNOps-bdii
• enterprisemodules-ora_profile
• stesie-gluon
• Nextdoor-strongswan
• openstack-pacemaker

Breaking changes to this file MAY impact these 143 modules (near match):

• netmanagers-nut
• jmkeyes-bind
• puppetfinland-znc
• esakazmi-mediawiki
• example42-proftpd
• example42-tomcat
• example42-lighttpd
• CERNOps-fts
• rehan-cfssl
• vinaycharles-mediawiki
• gururaj-mediawiki
• example42-sendmail
• puppetfinland-gitdaemon
• example42-autofs
• maestrodev-avahi
• lcgdm-voms
• counsyl-sys
• example42-monit
• example42-clvm
• example42-munin
• example42-puppet
• shantanumalik-mediawiki
• counsyl-redis
• jethrocarr-unifi_video
• example42-psick
• anthomas-mediawiki
• jethrocarr-unifi_controller
• raviforge-mediawiki
• puppetfinland-openvpn
• puppetfinland-aptcacherng
• puppetfinland-snmpd
• example42-exim
• example42-xinetd
• pia-mediawiki
• example42-tftp
• gsachar1-mediawiki
• seteam-profile
• camptocamp-pacemaker
• example42-vsftpd
• 214310-mediawiki
• example42-newrelic
• puppetfinland-ntp
• rehan-nginx
• sunilh-mediawiki
• example42-snmpd
• manish1984-mediawiki
• fuzeman-bind
• niksv-mediawiki
• example42-multipath
• example42-jboss
• example42-orientdb
• example42-openntpd
• webserve-mediawiki
• puppetfinland-easy_ipa
• puppet-jenkins
• example42-nrpe
• dharknes-scst
• intelliment-itlm
• mithilas-mediawiki
• puppetfinland-postfix
• rehan-samba
• netmanagers-dnsmasq
• vshn-uhosting
• example42-splunk
• puppetfinland-webserver
• puppetfinland-dirsrv
• example42-dhcpd
• example42-logstash
• netmanagers-bind
• example42-mysql
• nitish741-mediawiki
• Azcender-profile
• example42-samba
• tedivm-hieratic
• neillturner-teamcity
• puppetfinland-tinyproxy
• example42-openvpn
• puppetfinland-bacula
• maestrodev-maestro_nodes
• tykeal-gerrit
• ravishankar1jan-mediawiki
• example42-redis
• puppetfinland-buildbot
• example42-heartbeat
• example42-elasticsearch
• gardouille-proxmox
• example42-mcollective
• hemantgangwar-mediawiki
• example42-jenkins
• example42-nginx
• example42-freeradius
• prakash007-mediawiki
• example42-dovecot
• pbhutani-mediawiki
• example42-nfs
• example42-puppetdb
• example42-libvirt
• example42-graylog2
• example42-puppetdashboard
• kiranhosamani-mediawiki
• example42-sysklogd
• netmanagers-bareos
• jgazeley-iperf
• example42-openssh
• parthitraining-mediawiki
• mmack-cfssl
• concrete-nagios
• preethi-mediawiki
• echoes-wrappers
• example42-ntp
• infnpd-creamce
• example42-postgresql
• funaccount-mediawiki
• suvarnagodri-mediawiki
• example42-tinc
• example42-foreman
• tscopp-bigfix
• example42-rsyslog
• example42-apache
• example42-rsync
• narenv-mediawiki
• example42-activemq
• counsyl-memcached
• jaysingh-mediawiki
• devopera-docommon
• example42-postfix
• example42-vagrant
• byjupv-mediakwiki
• sathieu-c_icap
• soli-wrappers
• rtyler-jenkins
• hegdec-mediawiki
• puppetfinland-sshd
• abhaysoni-mediawiki
• puppetfinland-monit
• dbsrinivasulu-mediawiki
• autostructure-secure_linux_cis
• openstack-tripleo
• HEPPuppet-htcondor
• example42-resolver
• puppetfinland-mysql
• netmanagers-bacula
• example42-rhcs

This module is declared in 108 of 578 indexed public Puppetfiles.

---

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

[onyxmaster]

It looks like the proposed improvement highlighted the issue with testing environment, the CentOS-6 doesn't appear to have support for the xt_rpfilter extension :(

[onyxmaster]

Well, it looks like I fixed the problem with CentOS 6 by adding proper version checks. @adrianiurca, could you please take a look?

[github-actions]

This PR has been marked as stale because it has been open for a while and has had no recent activity. If this PR is still important to you please drop a comment below and we will add this to our backlog to complete. Otherwise, it will be closed in 7 days.

[onyxmaster]

This PR is important, but there is no feedback on it :(

[LukasAud]

Hi @onyxmaster, sorry for the delay in feedback. Our team has been undergoing some major changes over the last few months and that has translated into a lower level of engagement from our side with the community.

I will remove the 'stale' label and, hopefully, a member from our team might be able to take a look soon at your PR.

[LukasAud]

Hi @onyxmaster, your changes make sense to me and all checks are green, happy to merge this!

Regarding the bigger issue affecting the module, you can report it by creating a new issue here in GH. Please make sure you add as much relevant information as you can (even linking this PR would help) so that the next person that starts working on it has an easier time troubleshooting.

Thanks for your contribution.