From b0cef2e7465d085f80ba359ecbf92540a0965ac2 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 19 Nov 2020 19:02:41 +0000
Subject: [PATCH] Process firewall_rule resources at compile time

This allows us to avoid deferring the creation of the shorewall
configuration and hence prevent it restarting with a partial set
of rules when something else fails.
---
 cookbooks/networking/recipes/default.rb         | 12 ------------
 cookbooks/networking/resources/firewall_rule.rb |  2 ++
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index eba2208f5..8eed59556 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -428,7 +428,6 @@ template "/etc/shorewall/policy" do
 end
 
 template "/etc/shorewall/rules" do
-  action :nothing
   source "shorewall-rules.erb"
   owner "root"
   group "root"
@@ -437,11 +436,6 @@ template "/etc/shorewall/rules" do
   notifies :restart, "service[shorewall]"
 end
 
-notify_group "shorewall-rules" do
-  action :run
-  notifies :create, "template[/etc/shorewall/rules]"
-end
-
 if node[:networking][:firewall][:enabled]
   service "shorewall" do
     action [:enable, :start]
@@ -571,7 +565,6 @@ unless node.interfaces(:family => :inet6).empty?
   end
 
   template "/etc/shorewall6/rules" do
-    action :nothing
     source "shorewall-rules.erb"
     owner "root"
     group "root"
@@ -580,11 +573,6 @@ unless node.interfaces(:family => :inet6).empty?
     notifies :restart, "service[shorewall6]"
   end
 
-  notify_group "shorewall6-rules" do
-    action :run
-    notifies :create, "template[/etc/shorewall6/rules]"
-  end
-
   if node[:networking][:firewall][:enabled]
     service "shorewall6" do
       action [:enable, :start]
diff --git a/cookbooks/networking/resources/firewall_rule.rb b/cookbooks/networking/resources/firewall_rule.rb
index 7cac9f86e..e92681ec7 100644
--- a/cookbooks/networking/resources/firewall_rule.rb
+++ b/cookbooks/networking/resources/firewall_rule.rb
@@ -33,6 +33,8 @@ property :rate_limit, :kind_of => String, :default => "-"
 property :connection_limit, :kind_of => [String, Integer], :default => "-"
 property :helper, :kind_of => String, :default => "-"
 
+property :compile_time, TrueClass, :default => true
+
 action :accept do
   add_rule :accept
 end
-- 
2.39.5