Do not configure state matching when using GRE

The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.

Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7

manifests/firewall/rule.pp

@@ -83,14 +83,21 @@ define tripleo::firewall::rule (
     'sport'       => $sport,
     'proto'       => $proto,
     'action'      => $action,
-    'state'       => $state,
     'source'      => $source,
     'iniface'     => $iniface,
     'chain'       => $chain,
     'destination' => $destination,
   }
+  if $proto != 'gre' {
+    $state_rule = {
+      'state' => $state
+    }
+  } else {
+    $state_rule = {}
+  }
 
-  $rule = merge($basic, $extras)
+
+  $rule = merge($basic, $state_rule, $extras)
   validate_hash($rule)
 
   create_resources('firewall', { "${title}" => $rule })

spec/classes/tripleo_firewall_spec.rb

@@ -76,7 +76,8 @@ describe 'tripleo::firewall' do
             '301 add custom application 2' => {'port' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
             '302 fwd custom cidr 1'        => {'chain' => 'FORWARD', 'destination' => '192.0.2.0/24'},
             '303 add custom application 3' => {'dport' => '8081', 'proto' => 'tcp', 'action' => 'accept'},
-            '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'}
+            '304 add custom application 4' => {'sport' => '1000', 'proto' => 'tcp', 'action' => 'accept'},
+            '305 add gre rule'             => {'proto' => 'gre'}
           }
         )
       end
@@ -109,6 +110,7 @@ describe 'tripleo::firewall' do
           :action => 'accept',
           :state  => ['NEW'],
         )
+        is_expected.to contain_firewall('305 add gre rule').without(:state)
       end
     end