Merge pull request voxpupuli#34 from traylenator/dedupe_flush

Remove duplicate flush on reload
figless · Dec 9, 2020 · f0bd879 · f0bd879
2 parents 354a3ea + ce22630
commit f0bd879
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 32 deletions.
diff --git a/files/systemd/puppet_nft.conf b/files/systemd/puppet_nft.conf
@@ -0,0 +1,7 @@
+# Puppet Deployed
+[Service]
+ExecStart=
+ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf
+ExecReload=
+ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf
+
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -146,7 +146,7 @@
   systemd::dropin_file { 'puppet_nft.conf':
     ensure  => present,
     unit    => 'nftables.service',
-    content => epp('nftables/systemd/puppet_nft.conf.epp', { 'noflush' => $noflush_tables }),
+    content => file('nftables/systemd/puppet_nft.conf'),
     notify  => Service['nftables'],
   }
 

diff --git a/spec/acceptance/default_spec.rb b/spec/acceptance/default_spec.rb
@@ -44,6 +44,10 @@ class { 'nftables':
       it { is_expected.to be_file }
     end
 
+    describe file('/etc/systemd/system/nftables.service.d/puppet_nft.conf') do
+      it { is_expected.to be_file }
+    end
+
     describe file('/etc/nftables/puppet') do
       it { is_expected.to be_directory }
     end

diff --git a/spec/classes/nftables_spec.rb b/spec/classes/nftables_spec.rb
@@ -71,6 +71,12 @@
         )
       }
 
+      it {
+        is_expected.to contain_systemd__dropin_file('puppet_nft.conf').with(
+          content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$},
+        )
+      }
+
       it {
         is_expected.to contain_service('firewalld').with(
           ensure: 'stopped',
@@ -176,10 +182,6 @@
         end
 
         context 'with no nftables fact' do
-          it {
-            is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
-              with_content(%r{^ExecReload.*flush ruleset; include.*$})
-          }
           it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
         end
 
@@ -188,10 +190,6 @@
             super().merge(nftables: { tables: ['inet-abc', 'inet-f2b-table'] })
           end
 
-          it {
-            is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
-              with_content(%r{^ExecReload.*flush table inet abc; include.*$})
-          }
           it {
             is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
               with_content(%r{^flush table inet abc$})
@@ -202,10 +200,6 @@
             super().merge(nftables: { tables: ['inet-abc', 'inet-ijk'] })
           end
 
-          it {
-            is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
-              with_content(%r{^ExecReload.*flush table inet abc; flush table inet ijk; include.*$})
-          }
           it {
             is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
               with_content(%r{^flush table inet abc; flush table inet ijk$})

diff --git a/templates/systemd/puppet_nft.conf.epp b/templates/systemd/puppet_nft.conf.epp