Add ip6tables service support for Red Hat

Currently we don't start ip6tables service on centos-7. This fixes that. Change-Id: I64e62074b41e49cc2dc9b6bafcfbeeded2029487 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2016-08-26 16:10:47 -04:00 · 2016-08-26 16:10:47 -04:00 · 5b178cefd3
commit 5b178cefd3
parent 47ed5aabad
2 changed files with 34 additions and 12 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -28,23 +28,30 @@ class iptables(
      message => 'Iptables not refreshed, running in chroot',
    }
    $notify_iptables = []
+    $notify_ip6tables = []
  }
  else {
-    $notify_iptables = Service['iptables']
-
    # On centos 7 firewalld and iptables-service confuse each other and you
    # end up with no firewall rules at all. Disable firewalld so that
    # iptables-service can be in charge.
-    if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease >= '7') {
-      exec { 'stop-firewalld-if-running':
-        command => '/usr/bin/systemctl stop firewalld',
-        onlyif  => '/usr/bin/pgrep firewalld',
-      }
-      package { 'firewalld':
-        ensure  => 'purged',
-        require => Exec['stop-firewalld-if-running'],
-        before  => Package['iptables'],
+    if ($::osfamily == 'RedHat') {
+      $notify_iptables = Service['iptables']
+      $notify_ip6tables = Service['ip6tables']
+
+      if ($::operatingsystemmajrelease >= '7') {
+        exec { 'stop-firewalld-if-running':
+          command => '/usr/bin/systemctl stop firewalld',
+          onlyif  => '/usr/bin/pgrep firewalld',
+        }
+        package { 'firewalld':
+          ensure  => 'purged',
+          require => Exec['stop-firewalld-if-running'],
+          before  => Package['iptables'],
+        }
      }
+    } else {
+      $notify_iptables = Service['iptables']
+      $notify_ip6tables = Service['iptables']
    }
  }

@ -57,6 +64,20 @@ class iptables(
    enable     => true,
  }

+  if ($::osfamily == 'RedHat') {
+    # NOTE(pabelanger): Centos-7 has a dedicated service for ip6tables. Aside
+    # from the different service name, we keep the same settings as iptables.
+    service { 'ip6tables':
+      name       => $::iptables::params::service6_name,
+      require    => Package['iptables'],
+      hasstatus  => $::iptables::params::service_has_status,
+      status     => $::iptables::params::service_status_cmd,
+      hasrestart => $::iptables::params::service_has_restart,
+      enable     => true,
+      subscribe  => File["${::iptables::params::rules_dir}/rules"],
+    }
+  }
+
  file { $::iptables::params::rules_dir:
    ensure  => directory,
    require => Package['iptables'],
@ -99,7 +120,7 @@ class iptables(
      File[$::iptables::params::rules_dir],
    ],
    # When this file is updated, make sure the rules get reloaded.
-    notify  => $notify_iptables,
+    notify  => $notify_ip6tables,
    replace => true,
  }
 }
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -30,6 +30,7 @@ class iptables::params {
        }
      }
      $service_name = 'iptables'
+      $servicev6_name = 'ip6tables'
      $rules_dir = '/etc/sysconfig'
      $ipv4_rules = '/etc/sysconfig/iptables'
      $ipv6_rules = '/etc/sysconfig/ip6tables'