Use firewalld by default

* Mark `iptables::use_firewalld()` function deprecated
* Drop support for EOL operating systems
* Bump version to 7.0.0 since this is a breaking change

CHANGELOG

@@ -1,3 +1,9 @@
+* Mon Aug 19 2024 Steven Pritchard <steve@sicura.us> - 7.0.0
+- Use firewalld by default
+  - Drop use of `iptables::use_firewalld` function
+- Mark `iptables::use_firewalld` function deprecated
+- Drop EL7 support
+
 * Wed Jan 17 2024 Richard Gardner <rick@sicura.us> - 6.13.1
 - Fixed missing update to hiera.yaml for puppet 8 support
 

REFERENCE.md

@@ -35,7 +35,7 @@
 ### Functions
 
 * [`iptables::slice_ports`](#iptables--slice_ports): Split a stringified Iptables::DestPort into an Array that contain groupings of `max_length` size.
-* [`iptables::use_firewalld`](#iptables--use_firewalld): Returns ``true`` if the client can/should use firewalld
+* [`iptables::use_firewalld`](#iptables--use_firewalld): **DEPRECATED** Returns ``true`` if the client can/should use firewalld
 
 ### Data types
 
@@ -104,7 +104,7 @@ Explicitly enable management via ``simp_firewalld``
 
 * Systems that do not have ``firewalld`` installed will fall back to ``iptables``
 
-Default value: `iptables::use_firewalld($enable)`
+Default value: `true`
 
 ##### <a name="-iptables--ensure"></a>`ensure`
 
@@ -1761,11 +1761,11 @@ The maximum length of each group.
 
 Type: Puppet Language
 
-Returns ``true`` if the client can/should use firewalld
+**DEPRECATED** Returns ``true`` if the client can/should use firewalld
 
 #### `iptables::use_firewalld(Variant[String[1], Boolean] $enable = true)`
 
-Returns ``true`` if the client can/should use firewalld
+**DEPRECATED** Returns ``true`` if the client can/should use firewalld
 
 Returns: `Boolean`
 

data/os/Amazon-2.yaml

@@ -1,3 +1,4 @@
 ---
 iptables::install::ipv4_package: iptables-services
 iptables::install::ipv6_package: iptables-services
+iptables::use_firewalld: false

functions/use_firewalld.pp

@@ -1,4 +1,4 @@
-# Returns ``true`` if the client can/should use firewalld
+# **DEPRECATED** Returns ``true`` if the client can/should use firewalld
 #
 # @param enable
 #   The type of enablement to use
@@ -9,9 +9,10 @@
 #
 # @return [Boolean]
 #
-function iptables::use_firewalld(
-  Variant[String[1], Boolean] $enable = true
-) {
+function iptables::use_firewalld (
+  Variant[String[1], Boolean] $enable = true,
+) >> Boolean {
+  deprecation('iptables::use_firewalld', 'iptables::use_firewalld is deprecated')
 
   $_firewalld_os_list = {
     'RedHat'      => '8',

manifests/init.pp

@@ -105,7 +105,7 @@
 #
 class iptables (
   Variant[Enum['ignore','firewalld'],Boolean] $enable         = simplib::lookup('simp_options::firewall', { 'default_value' => true }),
-  Boolean                         $use_firewalld              = iptables::use_firewalld($enable),
+  Boolean                         $use_firewalld              = true,
   String                          $ensure                     = simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' }),
   Boolean                         $ipv6                       = true,
   Boolean                         $class_debug                = false,

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-iptables",
-  "version": "6.13.1",
+  "version": "7.0.0",
   "author": "SIMP Team",
   "summary": "Safely manages IPTables firewall rules",
   "license": "Apache-2.0",
@@ -37,23 +37,19 @@
     {
       "operatingsystem": "CentOS",
       "operatingsystemrelease": [
-        "7",
-        "8",
         "9"
       ]
     },
     {
       "operatingsystem": "RedHat",
       "operatingsystemrelease": [
-        "7",
         "8",
         "9"
       ]
     },
     {
       "operatingsystem": "OracleLinux",
       "operatingsystemrelease": [
-        "7",
         "8",
         "9"
       ]

spec/acceptance/nodesets/almalinux8.yml

@@ -0,0 +1,14 @@
+---
+HOSTS:
+  almalinux8:
+    roles:
+      - default
+      - firewalld
+    platform: el-8-x86_64
+    box: almalinux/8
+    hypervisor: <%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>
+CONFIG:
+  type: aio
+  log_level: verbose
+  synced_folder: disabled
+  puppet_collection: "<%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>"

spec/acceptance/nodesets/almalinux9.yml

@@ -0,0 +1,15 @@
+---
+HOSTS:
+  almalinux9:
+    roles:
+      - default
+      - firewalld
+    platform: el-9-x86_64
+    box: almalinux/9
+    hypervisor: <%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>
+CONFIG:
+  type: aio
+  vagrant_memsize: 2048
+  log_level: verbose
+  synced_folder: disabled
+  puppet_collection: "<%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>"

spec/acceptance/nodesets/amzn2.yml

@@ -1,23 +1,16 @@
-<%
-  if ENV['BEAKER_HYPERVISOR']
-    hypervisor = ENV['BEAKER_HYPERVISOR']
-  else
-    hypervisor = 'vagrant'
-  end
--%>
+---
 HOSTS:
   amzn2:
     roles:
       - default
+      - iptables
     platform: el-7-x86_64
     box: gbailey/amzn2
-    hypervisor: <%= hypervisor %>
+    hypervisor: <%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>
 
 CONFIG:
   log_level: verbose
-  synced_folder : disabled
+  synced_folder: disabled
   type: aio
-  vagrant_memsize: 512
-<% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
-  puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
-<% end -%>
+  vagrant_memsize: 1024
+  puppet_collection: <%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>

spec/acceptance/nodesets/centos9.yml

@@ -0,0 +1,17 @@
+---
+HOSTS:
+  centos9:
+    roles:
+      - default
+      - firewalld
+    platform: el-9-x86_64
+    box: generic/centos9s
+    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
+    family: centos-cloud/centos-stream-9
+    gce_machine_type: n1-standard-1
+CONFIG:
+  type: aio
+  vagrant_memsize: 1024
+  log_level: verbose
+  synced_folder: disabled
+  puppet_collection: "<%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>"

spec/acceptance/nodesets/default.yml

@@ -1,26 +1,17 @@
 ---
 HOSTS:
-  el7:
+  rocky9:
     roles:
-    - default
-    - iptables
-    - firewalld
-    platform: el-7-x86_64
-    box: centos/7
+      - default
+      - firewalld
+    platform: el-9-x86_64
+    box: generic/rocky9
     hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
-    family: centos-cloud/centos-7
-    gce_machine_type: n1-standard-2
-  el8:
-    roles:
-    - firewalld
-    platform: el-8-x86_64
-    box: generic/centos8
-    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
-    family: centos-cloud/centos-stream-8
-    gce_machine_type: n1-standard-2
+    family: rocky-linux-cloud/rocky-linux-9
+    gce_machine_type: n1-standard-1
 CONFIG:
   type: aio
-  vagrant_memsize: 256
+  vagrant_memsize: 1024
   log_level: verbose
   synced_folder: disabled
   puppet_collection: "<%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>"

spec/acceptance/nodesets/oel.yml → spec/acceptance/nodesets/oel8.yml

@@ -1,26 +1,17 @@
 ---
 HOSTS:
-  oel7:
-    roles:
-    - default
-    - iptables
-    - firewalld
-    platform: el-7-x86_64
-    box: generic/oracle7
-    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
-    family: sicura-image-build/oracle-linux-7
-    gce_machine_type: n1-standard-2
   oel8:
     roles:
-    - firewalld
+      - default
+      - firewalld
     platform: el-8-x86_64
     box: generic/oracle8
     hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
     family: sicura-image-build/oracle-linux-8
-    gce_machine_type: n1-standard-2
+    gce_machine_type: n1-standard-1
 CONFIG:
   type: aio
-  vagrant_memsize: 256
+  vagrant_memsize: 1024
   log_level: verbose
   synced_folder: disabled
   puppet_collection: "<%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>"

spec/acceptance/nodesets/oel9.yml

@@ -0,0 +1,17 @@
+---
+HOSTS:
+  oel9:
+    roles:
+      - default
+      - firewalld
+    platform: el-9-x86_64
+    box: generic/oracle9
+    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
+    family: sicura-image-build/oracle-linux-9
+    gce_machine_type: n1-standard-1
+CONFIG:
+  type: aio
+  vagrant_memsize: 1024
+  log_level: verbose
+  synced_folder: disabled
+  puppet_collection: "<%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>"

spec/acceptance/nodesets/rhel8.yml

@@ -1,19 +1,19 @@
 ---
 HOSTS:
-  server-el8:
+  rhel8:
     roles:
-    - default
-    - firewalld
+      - default
+      - firewalld
     platform: el-8-x86_64
     box: generic/rhel8
     hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
     yum_repos:
       epel:
         mirrorlist: https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch
         gpgkeys:
-        - https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
+          - https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
     family: rhel-cloud/rhel-8
-    gce_machine_type: n1-standard-2
+    gce_machine_type: n1-standard-1
 CONFIG:
   log_level: verbose
   type: aio

spec/acceptance/nodesets/rhel7.yml → spec/acceptance/nodesets/rhel9.yml

@@ -1,20 +1,19 @@
 ---
 HOSTS:
-  server-el7:
+  rhel9:
     roles:
-    - default
-    - iptables
-    - firewalld
-    platform: el-7-x86_64
-    box: generic/rhel7
+      - default
+      - firewalld
+    platform: el-9-x86_64
+    box: generic/rhel9
     hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
     yum_repos:
       epel:
-        mirrorlist: https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
+        mirrorlist: https://mirrors.fedoraproject.org/metalink?repo=epel-9&arch=$basearch
         gpgkeys:
-        - https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
-    family: rhel-cloud/rhel-7
-    gce_machine_type: n1-standard-2
+          - https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
+    family: rhel-cloud/rhel-9
+    gce_machine_type: n1-standard-1
 CONFIG:
   validate: false
   log_level: verbose

spec/acceptance/nodesets/rocky8.yml

@@ -0,0 +1,17 @@
+---
+HOSTS:
+  rocky8:
+    roles:
+      - default
+      - firewalld
+    platform: el-8-x86_64
+    box: generic/rocky8
+    hypervisor: "<%= ENV.fetch('BEAKER_HYPERVISOR', 'vagrant') %>"
+    family: rocky-linux-cloud/rocky-linux-8
+    gce_machine_type: n1-standard-1
+CONFIG:
+  type: aio
+  vagrant_memsize: 1024
+  log_level: verbose
+  synced_folder: disabled
+  puppet_collection: "<%= ENV.fetch('BEAKER_PUPPET_COLLECTION', 'puppet7') %>"

spec/acceptance/suites/default/00_default_spec.rb

@@ -3,7 +3,17 @@
 test_name "iptables class"
 
 hosts.each do |host|
-  next unless host[:roles].include?('iptables')
+  unless host[:roles].include?('iptables')
+    describe 'iptables' do
+      context host.to_s do
+        it 'skips default test suite' do
+          true
+        end
+      end
+    end
+
+    next
+  end
 
   describe "iptables class #{host}" do
     before(:context) do
@@ -148,7 +158,21 @@ class { 'iptables': scanblock => true}
 
       it 'should configure xt_recent kernel module using hieradata overrides' do
         set_hieradata_on(host, hieradata_with_overrides)
-        apply_manifest_on(host, manifest_with_scanblock_enabled, :catch_failures => true)
+
+        # FIXME: On at least Amazon Linux 2, this will fail with a number of errors:
+        # Error: Input/output error @ fptr_finalize_flush - /sys/module/xt_recent/parameters/ip_list_tot
+        # Error: /Stage[main]/Iptables::Rules::Mod_recent/Xt_recent[/sys/module/xt_recent/parameters]/ip_list_tot: change from '200' to 400 failed: Input/output error @ fptr_finalize_flush - /sys/module/xt_recent/parameters/ip_list_tot
+        # Error: Input/output error @ fptr_finalize_flush - /sys/module/xt_recent/parameters/ip_pkt_list_tot
+        # Error: /Stage[main]/Iptables::Rules::Mod_recent/Xt_recent[/sys/module/xt_recent/parameters]/ip_pkt_list_tot: change from '20' to 40 failed: Input/output error @ fptr_finalize_flush - /sys/module/xt_recent/parameters/ip_pkt_list_tot
+        # Error: Input/output error @ fptr_finalize_flush - /sys/module/xt_recent/parameters/ip_list_perms
+        # Error: /Stage[main]/Iptables::Rules::Mod_recent/Xt_recent[/sys/module/xt_recent/parameters]/ip_list_perms: change from '0640' to '0644' failed: Input/output error @ fptr_finalize_flush - /sys/module/xt_recent/parameters/ip_list_perms
+        pending 'https://github.com/simp/pupmod-simp-iptables/issues/129'
+        apply_manifest_on(host, manifest_with_scanblock_enabled, catch_failures: false)
+
+        # Reboot to ensure that the settings change takes effect
+        host.reboot
+
+        apply_manifest_on(host, manifest_with_scanblock_enabled, catch_failures: true)
 
         on(host, "cat /etc/modprobe.d/xt_recent.conf", :acceptable_exit_codes => 0) do
           expected = "options xt_recent ip_list_tot=400 ip_pkt_list_tot=40 ip_list_hash_size=256" +