GitHub puppet-firewalld

Puppet module for managing firewalld

Add method instances and prefetch into firewalld_service provider.

We now use --add-entries-from-file and --remove-entries-from-file to
change firewalld ipset. Adding or removing entries one by one was really
slow.

This pull request is based on
https://github.com/42wim/puppet-firewalld/blob/04683b46cbe6e6a925c585283941cc363752aceb/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
first pull request was here: jfroche/puppet-firewalld#4

<!--
Thank you for contributing to this project!

• This project has a Contributor Code of Conduct: https://voxpupuli.org/coc/
• Please check that here is no existing issue or PR that addresses your problem.
• Our vulnerabilities reporting process is at https://voxpupuli.org/security/

-->

Pull Request (PR) description

This pull request adds the ability to purge unmanaged firewalld zones.

This Pull Request (PR) fixes the following issues:

Fixes #134

Add the option to manage or not the package. Don't change default behaviour.

Pull Request (PR) description

This allows you to specify protocols in through firewalld::custom_service, which are then passed on to firewalld_custom_service.

Signed-off-by: Jo Vandeginste Jo.Vandeginste@kuleuven.be

<!--
Thank you for contributing to this project!

• This project has a Contributor Code of Conduct: https://voxpupuli.org/coc/
• Please check that here is no existing issue or PR that addresses your problem.
• Our vulnerabilities reporting process is at https://voxpupuli.org/security/

-->

Pull Request (PR) description

This pull request allows the reload of firewalld rules to get triggered when they are not present in the runtime stage of firewalld and are only present in permanent. It fixes the rules that get stuck in permanent stage because of a skipped reload caused by a puppet error between the deployment of rules and the reload.

This Pull Request (PR) fixes the following issues

Fixes #276

<!--
Thank you for contributing to this project!

• This project has a Contributor Code of Conduct: https://voxpupuli.org/coc/
• Please check that here is no existing issue or PR that addresses your problem.
• Our vulnerabilities reporting process is at https://voxpupuli.org/security/

-->

Pull Request (PR) description

Possibly due to a change in recent firewalld versions (I'm on 2.1.1), creating a new zone fails with:

Debug: Firewalldzone[test3](provider=firewallcmd): Creating new zone test3 with target: ''
Debug: Puppet::Type::Firewalldzone::ProviderFirewallcmd: Executing --state command - current value
Debug: Executing: '/usr/sbin/firewall-cmd --state'
Debug: Executing: '/usr/sbin/firewall-offline-cmd --new-zone test3'
Debug: Puppet::Type::Firewalldzone::ProviderFirewallcmd: Executing --state command - current value
Debug: Executing: '/usr/sbin/firewall-cmd --state'
Debug: Executing: '/usr/sbin/firewall-offline-cmd --zone test3 --list-interfaces'
Debug: Firewalldzone[test3](provider=firewallcmd): removing icmp block inversion for zone test3
Debug: Puppet::Type::Firewalldzone::ProviderFirewallcmd: Executing --state command - current value
Debug: Executing: '/usr/sbin/firewall-cmd --state'
Debug: Executing: '/usr/sbin/firewall-offline-cmd --zone test3 --remove-icmp-block-inversion'
Error: Execution of '/usr/sbin/firewall-offline-cmd --zone test3 --remove-icmp-block-inversion' returned 12:
Error: /Stage[main]/Main/Firewalld_zone[test3]/ensure: change from 'absent' to 'present' failed: Execution of '/usr/sbin/firewall-offline-cmd --zone test3 --remove-icmp-block-inversion' returned 12:

which seems to be because ICMP block inversion is unset by default:

```

/usr/sbin/firewall-offline-cmd --zone test3 --remove-icmp-block-inversion
NOT_ENABLED: icmp-block-inversion
echo $?
12
```

Only manage icmp_block_inversion property on new zones if set to true.

This Pull Request (PR) fixes the following issues

None. This is a report and fix all in one. Feel free to suggest changes.