From 333ccbd15fc333a8d3c19f63b568393737d7ce7d Mon Sep 17 00:00:00 2001
From: Jeffrey Bird
Date: Tue, 25 Jun 2024 11:04:38 +1000
Subject: [PATCH] Fixes ordering for ipsets so that ipsets are defined before they are used. Confirm autorequires for rich_rules and ipsets. Make sure the ipset autorequires is actually for :firewalld_ipset. Code error. Code error. Ensure the custom service name is correctly formed for rich rule autorequire. Ensure ipsets are created before they are used. Updated ordering for other resource types as well. Updated ordering for port resources as well.
---
 lib/puppet/type/firewalld_rich_rule.rb | 8 +++--
 manifests/init.pp | 42 ++++++++++++++------------
 2 files changed, 28 insertions(+), 22 deletions(-)
diff --git a/lib/puppet/type/firewalld_rich_rule.rb b/lib/puppet/type/firewalld_rich_rule.rb
index 1ae3882..e148631 100644
--- a/lib/puppet/type/firewalld_rich_rule.rb
+++ b/lib/puppet/type/firewalld_rich_rule.rb
@@ -165,15 +165,19 @@ def elements
 self[:policy] if self[:policy] != :unset
 end
 
- autorequire(:ipset) do
+ autorequire(:firewalld_ipset) do
 self[:source]['ipset'] if self[:source].is_a?(Hash)
 end
 
- autorequire(:ipset) do
+ autorequire(:firewalld_ipset) do
 self[:dest]['ipset'] if self[:dest].is_a?(Hash)
 end
 
 autorequire(:service) do
 ['firewalld']
 end
+
+ autorequire(:firewalld_custom_service) do
+ self[:service]&.gsub(%r{[^\w-]}, '_')
+ end
 end
diff --git a/manifests/init.pp b/manifests/init.pp
index efdc020..f584a51 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -182,14 +182,11 @@ enable => $service_enable, } - # create ports - Firewalld_port { - zone => $default_port_zone, - protocol => $default_port_protocol, - } - $ports.each |String $key, Hash $attrs| { - firewalld_port { $key: + + #...ipsets + $ipsets.each | String $key, Hash $attrs| { + firewalld_ipset { $key: * => $attrs, } }
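Review bot: The new `autorequire(:firewalld_custom_service)` block hard-codes the title normalisation `gsub(%r{[^\w-]}, '_')`, and nothing in this hunk ties it to wherever firewalld_custom_service actually derives its resource title, so the two can drift and the dependency edge would then be lost silently, since an autorequire that matches nothing is not an error. A comment such as `# Mirror the title munging performed by firewalld_custom_service; keep the two in sync` above the block would at least make the coupling visible, and a shared helper called from both types would remove it. The block also assumes `self[:service]` is a String: `&.` covers nil, but if the parameter is munged to a Symbol elsewhere the `gsub` would raise NoMethodError, which is worth confirming against the parameter definition. The enclosing type definition starts outside the hunk.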
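Review bot: The new position of the `$ipsets.each` block (and the relocated port, service and rich-rule blocks in the remaining three hunks of this file) only influences apply order through Puppet's default manifest ordering, which applies to resources that have no explicit relationship, so on its own it does not guarantee an ipset exists before something references it. For rich rules the autorequire edges added to firewalld_rich_rule.rb in this same commit are what make the ordering robust; nothing on this page shows an equivalent for any other type declared here, so if another of these resources can reference an ipset, an explicit `require` or an autorequire in that type would be the durable fix rather than declaration order. Separately, the added empty `+` line directly before `#...ipsets` appears to leave two consecutive blank lines after the service block; dropping it keeps the section spacing consistent with the rest of the file.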
@@ -208,22 +205,21 @@ } } - #...services - Firewalld_service { - zone => $default_service_zone, + # create ports + Firewalld_port { + zone => $default_port_zone, + protocol => $default_port_protocol, } - $services.each | String $key, Hash $attrs| { - firewalld_service { $key: + $ports.each |String $key, Hash $attrs| { + firewalld_port { $key: * => $attrs, } } - #...rich rules - $rich_rules.each | String $key, Hash $attrs| { - firewalld_rich_rule { $key: - * => $attrs, - } + #...services + Firewalld_service { + zone => $default_service_zone, } #...custom services
@@ -233,9 +229,8 @@
 }
 }
 
- #...ipsets
- $ipsets.each | String $key, Hash $attrs| {
- firewalld_ipset { $key:
+ $services.each | String $key, Hash $attrs| {
+ firewalld_service { $key:
 * => $attrs,
 }
 }
@@ -259,6 +254,13 @@
 }
 }
 
+ #...rich rules
+ $rich_rules.each | String $key, Hash $attrs| {
+ firewalld_rich_rule { $key:
+ * => $attrs,
+ }
+ }
+
 Firewalld_direct_purge {
 notify => Class['firewalld::reload'],
 }
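Review bot: The relocated `$services.each | String $key, Hash $attrs| {` line in the `@@ -233,9 +229,8 @@` hunk, and `$rich_rules.each | String $key, Hash $attrs| {` in the hunk after it, carry a space after the opening `|`, while the relocated `$ports.each |String $key, Hash $attrs| {` in the first hunk of this file does not. Since these blocks are being rewritten anyway, normalising all of them to the `|String $key, Hash $attrs|` form would keep the iterator style uniform across the file. As far as the page shows the moves themselves are sound: rich rules are now declared after both the custom services and the ipsets they may reference, which matches the autorequires added to the rich-rule type in this commit.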