Révision ce22630b
Remove duplicate flush on reload
When nftables was reloaded a flush was being done both in the systemd
reload call and in the nft script itself.
| files/systemd/puppet_nft.conf | ||
|---|---|---|
| 1 |
# Puppet Deployed |
|
| 2 |
[Service] |
|
| 3 |
ExecStart= |
|
| 4 |
ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf |
|
| 5 |
ExecReload= |
|
| 6 |
ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf |
|
| 7 |
|
|
| manifests/init.pp | ||
|---|---|---|
| 148 | 148 |
systemd::dropin_file { 'puppet_nft.conf':
|
| 149 | 149 |
ensure => present, |
| 150 | 150 |
unit => 'nftables.service', |
| 151 |
content => epp('nftables/systemd/puppet_nft.conf.epp', { 'noflush' => $noflush_tables }),
|
|
| 151 |
content => file('nftables/systemd/puppet_nft.conf'),
|
|
| 152 | 152 |
notify => Service['nftables'], |
| 153 | 153 |
} |
| 154 | 154 |
|
| spec/acceptance/default_spec.rb | ||
|---|---|---|
| 44 | 44 |
it { is_expected.to be_file }
|
| 45 | 45 |
end |
| 46 | 46 |
|
| 47 |
describe file('/etc/systemd/system/nftables.service.d/puppet_nft.conf') do
|
|
| 48 |
it { is_expected.to be_file }
|
|
| 49 |
end |
|
| 50 |
|
|
| 47 | 51 |
describe file('/etc/nftables/puppet') do
|
| 48 | 52 |
it { is_expected.to be_directory }
|
| 49 | 53 |
end |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 72 | 72 |
} |
| 73 | 73 |
|
| 74 | 74 |
it {
|
| 75 |
is_expected.to contain_systemd__dropin_file('puppet_nft.conf').with(
|
|
| 76 |
content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$},
|
|
| 77 |
) |
|
| 78 |
} |
|
| 79 |
|
|
| 80 |
it {
|
|
| 75 | 81 |
is_expected.to contain_service('firewalld').with(
|
| 76 | 82 |
ensure: 'stopped', |
| 77 | 83 |
enable: 'mask', |
| ... | ... | |
| 176 | 182 |
end |
| 177 | 183 |
|
| 178 | 184 |
context 'with no nftables fact' do |
| 179 |
it {
|
|
| 180 |
is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
|
|
| 181 |
with_content(%r{^ExecReload.*flush ruleset; include.*$})
|
|
| 182 |
} |
|
| 183 | 185 |
it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
|
| 184 | 186 |
end |
| 185 | 187 |
|
| ... | ... | |
| 189 | 191 |
end |
| 190 | 192 |
|
| 191 | 193 |
it {
|
| 192 |
is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
|
|
| 193 |
with_content(%r{^ExecReload.*flush table inet abc; include.*$})
|
|
| 194 |
} |
|
| 195 |
it {
|
|
| 196 | 194 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
| 197 | 195 |
with_content(%r{^flush table inet abc$})
|
| 198 | 196 |
} |
| ... | ... | |
| 203 | 201 |
end |
| 204 | 202 |
|
| 205 | 203 |
it {
|
| 206 |
is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
|
|
| 207 |
with_content(%r{^ExecReload.*flush table inet abc; flush table inet ijk; include.*$})
|
|
| 208 |
} |
|
| 209 |
it {
|
|
| 210 | 204 |
is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
|
| 211 | 205 |
with_content(%r{^flush table inet abc; flush table inet ijk$})
|
| 212 | 206 |
} |
| templates/systemd/puppet_nft.conf.epp | ||
|---|---|---|
| 1 |
<%- | |
|
| 2 |
Optional[Array[String[1]]] $noflush = undef, |
|
| 3 |
| -%> |
|
| 4 |
<%- |
|
| 5 |
if $noflush and $facts['nftables'] and $facts['nftables']['tables'] {
|
|
| 6 |
$_flush_command = $facts['nftables']['tables'].filter |$_tab| { !( $_tab in $noflush) }.map |$_table| {
|
|
| 7 |
"flush table ${regsubst($_table,'-',' ')}"
|
|
| 8 |
} |
|
| 9 |
} else {
|
|
| 10 |
$_flush_command = ['flush ruleset'] |
|
| 11 |
} |
|
| 12 |
-%> |
|
| 13 |
# Specify directory to look for relative includes |
|
| 14 |
[Service] |
|
| 15 |
ExecStart= |
|
| 16 |
ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf |
|
| 17 |
ExecReload= |
|
| 18 |
ExecReload=/sbin/nft -I /etc/nftables/puppet '<%= $_flush_command.join('; ') %>; include "/etc/sysconfig/nftables.conf";'
|
|
| 19 |
|
|
Formats disponibles : Unified diff