(CONT-256) Removing outdated code

Prior to this commit, the firewall modules had multiple instances of
outdated code.

This commit aims to clean-up some of that code to keep the module clean
and readable.

Author: LukasAud

lib/facter/iptables_persistent_version.rb

@@ -5,15 +5,7 @@
   setcode do
     # Throw away STDERR because dpkg >= 1.16.7 will make some noise if the
     # package isn't currently installed.
-    os = Facter.value(:operatingsystem)
-    os_release = Facter.value(:operatingsystemrelease)
-    cmd = if (os == 'Debian' && (Puppet::Util::Package.versioncmp(os_release, '8.0') >= 0)) ||
-             (os == 'Ubuntu' && (Puppet::Util::Package.versioncmp(os_release, '14.10') >= 0)) ||
-             (os == 'Debian' && (Puppet::Util::Package.versioncmp(os_release, 'unstable') >= 0))
-            "dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null"
-          else
-            "dpkg-query -Wf '${Version}' iptables-persistent 2>/dev/null"
-          end
+    cmd = "dpkg-query -Wf '${Version}' netfilter-persistent 2>/dev/null"
     version = Facter::Core::Execution.execute(cmd)
 
     if version.nil? || !version.match(%r{\d+\.\d+})

lib/puppet/type/firewall.rb

@@ -2342,12 +2342,9 @@ def should_to_s(value)
     end
   end
 
-  # autobefore is only provided since puppet 4.0
-  if Puppet::Util::Package.versioncmp(Puppet.version, '4.0') >= 0
-    # On RHEL 7 this needs to be threaded correctly to manage SE Linux permissions after persisting the rules
-    autobefore(:file) do
-      ['/etc/sysconfig/iptables', '/etc/sysconfig/ip6tables']
-    end
+  # On RHEL 7 this needs to be threaded correctly to manage SE Linux permissions after persisting the rules
+  autobefore(:file) do
+    ['/etc/sysconfig/iptables', '/etc/sysconfig/ip6tables']
   end
 
   validate do

manifests/linux/debian.pp

@@ -25,39 +25,16 @@
   $package_name   = $firewall::params::package_name,
   $package_ensure = $firewall::params::package_ensure,
 ) inherits ::firewall::params {
-  if $package_name {
-    #Fixes hang while installing iptables-persistent on debian 8
-    exec { 'iptables-persistent-debconf':
-      command     => "/bin/echo \"${package_name} ${package_name}/autosave_v4 boolean false\" |
-                      /usr/bin/debconf-set-selections && /bin/echo \"${package_name} ${package_name}/autosave_v6 boolean false\" |
-                      /usr/bin/debconf-set-selections",
+  ensure_packages([$package_name], {
+      ensure  => $package_ensure
+  })
 
-      refreshonly => true,
-    }
-    ensure_packages([$package_name], {
-        ensure  => $package_ensure,
-        require => Exec['iptables-persistent-debconf']
-    })
-  }
-
-  if($::operatingsystemrelease =~ /^6\./ and $enable == true and $::iptables_persistent_version
-  and versioncmp($::iptables_persistent_version, '0.5.0') < 0) {
-    # This fixes a bug in the iptables-persistent LSB headers in 6.x, without it
-    # we lose idempotency
-    exec { 'iptables-persistent-enable':
-      logoutput => on_failure,
-      command   => '/usr/sbin/update-rc.d iptables-persistent enable',
-      unless    => '/usr/bin/test -f /etc/rcS.d/S*iptables-persistent',
-      require   => Package[$package_name],
-    }
-  } else {
-    # This isn't a real service/daemon. The start action loads rules, so just
-    # needs to be called on system boot.
-    service { $service_name:
-      ensure    => undef,
-      enable    => $enable,
-      hasstatus => true,
-      require   => Package[$package_name],
-    }
+  # This isn't a real service/daemon. The start action loads rules, so just
+  # needs to be called on system boot.
+  service { $service_name:
+    ensure    => undef,
+    enable    => $enable,
+    hasstatus => true,
+    require   => Package[$package_name],
   }
 }

manifests/linux/redhat.pp

@@ -49,9 +49,7 @@
   # RHEL 7 / CentOS 7 and later and Fedora 15 and later require the iptables-services
   # package, which provides the /usr/libexec/iptables/iptables.init used by
   # lib/puppet/util/firewall.rb.
-  if ($::operatingsystem != 'Amazon')
-  and (($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
-  or  ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0)) {
+  if ($::operatingsystem != 'Amazon') {
     if $firewalld_manage {
       service { 'firewalld':
         ensure => stopped,
@@ -74,9 +72,7 @@
     )
   }
 
-  if ($::operatingsystem != 'Amazon')
-  and (($::operatingsystem != 'Fedora' and versioncmp($::operatingsystemrelease, '7.0') >= 0)
-  or  ($::operatingsystem == 'Fedora' and versioncmp($::operatingsystemrelease, '15') >= 0)) {
+  if ($::operatingsystem != 'Amazon') {
     if $ensure == 'running' {
       exec { '/usr/bin/systemctl daemon-reload':
         require     => Package[$package_name],
@@ -134,13 +130,6 @@
       }
     }
 
-    # Before puppet 4, the autobefore on the firewall type does not work - therefore
-    # we need to keep this workaround here
-    if versioncmp($::puppetversion, '4.0') <= 0 {
-      File<| title == "/etc/sysconfig/${service_name}" |> -> Service<| title == $service_name |>
-      File<| title == "/etc/sysconfig/${service_name_v6}" |> -> Service<| title == $service_name_v6 |>
-    }
-
     # Redhat 7 selinux user context for /etc/sysconfig/iptables is set to system_u
     # Redhat 7 selinux type context for /etc/sysconfig/iptables is set to system_conf_t
     case $::selinux {
@@ -149,11 +138,6 @@
         case $::operatingsystem {
           'CentOS': {
             case $::operatingsystemrelease {
-              /^5\..*/: {
-                $seluser = 'system_u'
-                $seltype = 'etc_t'
-              }
-
               /^6\..*/: {
                 $seluser = 'unconfined_u'
                 $seltype = 'system_conf_t'

manifests/params.pp

@@ -21,9 +21,6 @@
           if versioncmp($::operatingsystemrelease, '34') >= 0 {
             $package_name = 'iptables-services'
             $iptables_name = 'iptables-compat'
-          } elsif versioncmp($::operatingsystemrelease, '15') >= 0 {
-            $package_name = 'iptables-services'
-            $iptables_name = 'iptables'
           } else {
             $iptables_name = 'iptables'
             $package_name = undef