firewall_zone creation doesn't add icmp_blocks on first puppet run #139

posteingang · 2017-04-27T14:56:53Z

I want to create a new firewalld zone with the following code:

  firewalld_zone { 'restricted':
    ensure           => present,
    target           => '%%REJECT%%',
    purge_rich_rules => true,
    purge_services   => true,
    purge_ports      => true,
    icmp_blocks      => ['redirect', 'router-solicitation', 'router-advertisement']
  }

The problem is, that I have to run puppet twice, to get the defined changes.
First run

Notice: /Stage[main]/Profile::Base::Firewall/Firewalld_zone[restricted]/ensure: created
Info: /Stage[main]/Profile::Base::Firewall/Firewalld_zone[restricted]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profile::Base::Firewall/Firewalld_service[Allow SSH]/ensure: created
Info: /Stage[main]/Profile::Base::Firewall/Firewalld_service[Allow SSH]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profile::Base::Firewall/Firewalld_service[Allow SNMP]/ensure: created
Info: /Stage[main]/Profile::Base::Firewall/Firewalld_service[Allow SNMP]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Profile::Base::Firewall/Firewalld_direct_rule[ping - icmp]/ensure: created
Info: /Stage[main]/Profile::Base::Firewall/Firewalld_direct_rule[ping - icmp]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 4 events
Notice: /Stage[main]/Firewalld/Exec[firewalld::set_default_zone]/returns: executed successfully

Second run

Info: Applying configuration version '1493303993'
Notice: /Stage[main]/Profile::Base::Firewall/Firewalld_zone[restricted]/icmp_blocks: icmp_blocks changed [] to 'redirect router-solicitation router-advertisement'
Info: /Stage[main]/Profile::Base::Firewall/Firewalld_zone[restricted]: Scheduling refresh of Exec[firewalld::reload]
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 1 events
Notice: Applied catalog in 16.02 seconds

I played a little bit around and found a working solution in lib/puppet/provider/firewalld_zone/firewall_cmd.rb (line 25)

  def create
    self.debug("Creating new zone #{@resource[:name]} with target: '#{@resource[:target]}'")
    execute_firewall_cmd(['--new-zone', @resource[:name]], nil)

    self.target=(@resource[:target]) if @resource[:target]
    self.sources=(@resource[:sources]) if @resource[:sources]
    self.interfaces=@resource[:interfaces]
    self.icmp_blocks=(@resource[:icmp_blocks]) if @resource[:icmp_blocks] #<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  end

Maybe someone can check this and push the change (i am not a ruby dev :-) ).

The text was updated successfully, but these errors were encountered:

crayfishx · 2017-04-28T07:23:39Z

Yep - this looks like a good fix, I'll test it out myself first and ship in a PR later. Thanks for the work tracking down the issue

Closes #139

crayfishx added accepted bug Something isn't working labels Apr 28, 2017

crayfishx added this to the 3.3.2 milestone Apr 28, 2017

crayfishx added a commit that referenced this issue Aug 3, 2017

Add creation of icmp_blocks to create method of firewalld_zone

f6158ad

Closes #139

crayfishx mentioned this issue Aug 3, 2017

Add creation of icmp_blocks to create method of firewalld_zone #150

Merged

crayfishx closed this as completed in #150 Aug 3, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

firewall_zone creation doesn't add icmp_blocks on first puppet run #139

firewall_zone creation doesn't add icmp_blocks on first puppet run #139

posteingang commented Apr 27, 2017

crayfishx commented Apr 28, 2017

firewall_zone creation doesn't add icmp_blocks on first puppet run #139

firewall_zone creation doesn't add icmp_blocks on first puppet run #139

Comments

posteingang commented Apr 27, 2017

crayfishx commented Apr 28, 2017