Add ip6tables service support for Red Hat
Currently we don't start ip6tables service on centos-7. This fixes that. Change-Id: I64e62074b41e49cc2dc9b6bafcfbeeded2029487 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
This commit is contained in:
Paul Belanger
parent
47ed5aabad
commit
5b178cefd3
|
|
@ -28,23 +28,30 @@ class iptables(
|
||||||
message => 'Iptables not refreshed, running in chroot',
|
message => 'Iptables not refreshed, running in chroot',
|
||||||
}
|
}
|
||||||
$notify_iptables = []
|
$notify_iptables = []
|
||||||
|
$notify_ip6tables = []
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$notify_iptables = Service['iptables']
|
|
||||||
|
|
||||||
# On centos 7 firewalld and iptables-service confuse each other and you
|
# On centos 7 firewalld and iptables-service confuse each other and you
|
||||||
# end up with no firewall rules at all. Disable firewalld so that
|
# end up with no firewall rules at all. Disable firewalld so that
|
||||||
# iptables-service can be in charge.
|
# iptables-service can be in charge.
|
||||||
if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease >= '7') {
|
if ($::osfamily == 'RedHat') {
|
||||||
exec { 'stop-firewalld-if-running':
|
$notify_iptables = Service['iptables']
|
||||||
command => '/usr/bin/systemctl stop firewalld',
|
$notify_ip6tables = Service['ip6tables']
|
||||||
onlyif => '/usr/bin/pgrep firewalld',
|
|
||||||
}
|
if ($::operatingsystemmajrelease >= '7') {
|
||||||
package { 'firewalld':
|
exec { 'stop-firewalld-if-running':
|
||||||
ensure => 'purged',
|
command => '/usr/bin/systemctl stop firewalld',
|
||||||
require => Exec['stop-firewalld-if-running'],
|
onlyif => '/usr/bin/pgrep firewalld',
|
||||||
before => Package['iptables'],
|
}
|
||||||
|
package { 'firewalld':
|
||||||
|
ensure => 'purged',
|
||||||
|
require => Exec['stop-firewalld-if-running'],
|
||||||
|
before => Package['iptables'],
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
$notify_iptables = Service['iptables']
|
||||||
|
$notify_ip6tables = Service['iptables']
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -57,6 +64,20 @@ class iptables(
|
||||||
enable => true,
|
enable => true,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($::osfamily == 'RedHat') {
|
||||||
|
# NOTE(pabelanger): Centos-7 has a dedicated service for ip6tables. Aside
|
||||||
|
# from the different service name, we keep the same settings as iptables.
|
||||||
|
service { 'ip6tables':
|
||||||
|
name => $::iptables::params::service6_name,
|
||||||
|
require => Package['iptables'],
|
||||||
|
hasstatus => $::iptables::params::service_has_status,
|
||||||
|
status => $::iptables::params::service_status_cmd,
|
||||||
|
hasrestart => $::iptables::params::service_has_restart,
|
||||||
|
enable => true,
|
||||||
|
subscribe => File["${::iptables::params::rules_dir}/rules"],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
file { $::iptables::params::rules_dir:
|
file { $::iptables::params::rules_dir:
|
||||||
ensure => directory,
|
ensure => directory,
|
||||||
require => Package['iptables'],
|
require => Package['iptables'],
|
||||||
|
|
@ -99,7 +120,7 @@ class iptables(
|
||||||
File[$::iptables::params::rules_dir],
|
File[$::iptables::params::rules_dir],
|
||||||
],
|
],
|
||||||
# When this file is updated, make sure the rules get reloaded.
|
# When this file is updated, make sure the rules get reloaded.
|
||||||
notify => $notify_iptables,
|
notify => $notify_ip6tables,
|
||||||
replace => true,
|
replace => true,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -30,6 +30,7 @@ class iptables::params {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$service_name = 'iptables'
|
$service_name = 'iptables'
|
||||||
|
$servicev6_name = 'ip6tables'
|
||||||
$rules_dir = '/etc/sysconfig'
|
$rules_dir = '/etc/sysconfig'
|
||||||
$ipv4_rules = '/etc/sysconfig/iptables'
|
$ipv4_rules = '/etc/sysconfig/iptables'
|
||||||
$ipv6_rules = '/etc/sysconfig/ip6tables'
|
$ipv6_rules = '/etc/sysconfig/ip6tables'
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue