From ce22630b450307b5989bf421af02e8cb370927e3 Mon Sep 17 00:00:00 2001
From: Steve Traylen
Date: Thu, 3 Dec 2020 12:37:01 +0100
Subject: [PATCH] Remove duplicate flush on reload

When nftables was reloaded a flush was being done both in the systemd reload call and in the nft script itself.
---
 files/systemd/puppet_nft.conf | 7 +++++++
 manifests/init.pp | 2 +-
 spec/acceptance/default_spec.rb | 4 ++++
 spec/classes/nftables_spec.rb | 18 ++++++------------
 templates/systemd/puppet_nft.conf.epp | 19 -------------------
 5 files changed, 18 insertions(+), 32 deletions(-)
 create mode 100644 files/systemd/puppet_nft.conf
 delete mode 100644 templates/systemd/puppet_nft.conf.epp

diff --git a/files/systemd/puppet_nft.conf b/files/systemd/puppet_nft.conf
new file mode 100644
index 00000000..e77d8381
--- /dev/null
+++ b/files/systemd/puppet_nft.conf
@@ -0,0 +1,7 @@
+# Puppet Deployed
+[Service]
+ExecStart=
+ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf
+ExecReload=
+ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 32deeace..ba813a2c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -148,7 +148,7 @@
 systemd::dropin_file { 'puppet_nft.conf':
 ensure => present,
 unit => 'nftables.service',
- content => epp('nftables/systemd/puppet_nft.conf.epp', { 'noflush' => $noflush_tables }),
+ content => file('nftables/systemd/puppet_nft.conf'),
 notify => Service['nftables'],
 }
 
diff --git a/spec/acceptance/default_spec.rb b/spec/acceptance/default_spec.rb
index aba7965f..a71c319a 100644
--- a/spec/acceptance/default_spec.rb
+++ b/spec/acceptance/default_spec.rb
@@ -44,6 +44,10 @@ class { 'nftables':
 it { is_expected.to be_file }
 end
 
+ describe file('/etc/systemd/system/nftables.service.d/puppet_nft.conf') do
+ it { is_expected.to be_file }
+ end
+
 describe file('/etc/nftables/puppet') do
 it { is_expected.to be_directory }
 end
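Review bot: The header comment `# Puppet Deployed` does not say why the drop-in exists, and the explanation the deleted template carried (`# Specify directory to look for relative includes`) is lost with it. I would extend it to `# Managed by Puppet: -I makes /etc/nftables/puppet the search dir for relative includes; flushing is left to the included preflight file, not done here` — the second half is my reading of the commit message and of the spec assertions on /etc/nftables/puppet-preflight.nft, so confirm it before writing it in. The empty `ExecStart=` and `ExecReload=` assignments are what make this drop-in an override rather than an additional command list; a short comment such as `# empty assignment resets the unit's own command before ours is set` would spare the next reader a trip to systemd.service(5).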
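Review bot: `$noflush_tables` is no longer passed to the drop-in and nothing in this hunk consumes it; if the class still declares the parameter (the class header is outside the hunk), its documentation should now state that the no-flush list only influences the preflight file, otherwise the parameter has become dead. The spec changes in this same commit still assert that /etc/nftables/puppet-preflight.nft honours the fact-derived table list, which suggests the remaining consumer lives elsewhere in init.pp — worth checking rather than assuming.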
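Review bot: The new `describe file(...)` only asserts that the drop-in exists, while the point of the commit is what ExecReload now runs; pinning the content as well, `its(:content) { is_expected.to match %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$} }`, lets an acceptance run catch a drop-in that is present but stale. Because this file changes the command systemd executes as root, pinning ownership is cheap too, `it { is_expected.to be_owned_by 'root' }`. The enclosing describe/context block starts outside the hunk.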
diff --git a/spec/classes/nftables_spec.rb b/spec/classes/nftables_spec.rb
index 4974bc94..8c606f0b 100644
--- a/spec/classes/nftables_spec.rb
+++ b/spec/classes/nftables_spec.rb
@@ -71,6 +71,12 @@
 )
 }
 
+ it {
+ is_expected.to contain_systemd__dropin_file('puppet_nft.conf').with(
+ content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$},
+ )
+ }
+
 it {
 is_expected.to contain_service('firewalld').with(
 ensure: 'stopped',
@@ -176,10 +182,6 @@
 end
 
 context 'with no nftables fact' do
- it {
- is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
- with_content(%r{^ExecReload.*flush ruleset; include.*$})
- }
 it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
 end
 
@@ -188,10 +190,6 @@
 super().merge(nftables: { tables: ['inet-abc', 'inet-f2b-table'] })
 end
 
- it {
- is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
- with_content(%r{^ExecReload.*flush table inet abc; include.*$})
- }
 it {
 is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
 with_content(%r{^flush table inet abc$})
@@ -202,10 +200,6 @@
 super().merge(nftables: { tables: ['inet-abc', 'inet-ijk'] })
 end
 
- it {
- is_expected.to contain_systemd__dropin_file('puppet_nft.conf').
- with_content(%r{^ExecReload.*flush table inet abc; flush table inet ijk; include.*$})
- }
 it {
 is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').
 with_content(%r{^flush table inet abc; flush table inet ijk$})
diff --git a/templates/systemd/puppet_nft.conf.epp b/templates/systemd/puppet_nft.conf.epp
deleted file mode 100644
index a1da0d26..00000000
--- a/templates/systemd/puppet_nft.conf.epp
+++ /dev/null
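Review bot: The new expectation in the first hunk pins the reload command but not the empty `ExecReload=` reset line that precedes it in files/systemd/puppet_nft.conf; without that reset systemd appends to, rather than replaces, the unit's reload command list, which is exactly the duplication this commit sets out to remove. Since the regexp is matched against the whole content string, both lines can be pinned together and in order with `content: %r{^ExecReload=\nExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$},`. The same pattern would cover the ExecStart pair if you want symmetry. The enclosing describe/context block starts outside the hunk.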
@@ -1,19 +0,0 @@
-<%- |
- Optional[Array[String[1]]] $noflush = undef,
-| -%>
-<%-
-if $noflush and $facts['nftables'] and $facts['nftables']['tables'] {
- $_flush_command = $facts['nftables']['tables'].filter |$_tab| { !( $_tab in $noflush) }.map |$_table| {
- "flush table ${regsubst($_table,'-',' ')}"
- }
-} else {
- $_flush_command = ['flush ruleset']
-}
--%>
-# Specify directory to look for relative includes
-[Service]
-ExecStart=
-ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf
-ExecReload=
-ExecReload=/sbin/nft -I /etc/nftables/puppet '<%= $_flush_command.join('; ') %>; include "/etc/sysconfig/nftables.conf";'
-