From 688a79c6c68422c0f873074370b1bbc87c6d1007 Mon Sep 17 00:00:00 2001
From: Brent Eagles <beagles@redhat.com>
Date: Wed, 23 Nov 2016 18:59:58 -0330
Subject: Do not configure state matching when using GRE

The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.

Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
---
 manifests/firewall/rule.pp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'manifests/firewall')

diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
index c63162b..6801dc4 100644
--- a/manifests/firewall/rule.pp
+++ b/manifests/firewall/rule.pp
@@ -83,14 +83,21 @@ define tripleo::firewall::rule (
     'sport'       => $sport,
     'proto'       => $proto,
     'action'      => $action,
-    'state'       => $state,
     'source'      => $source,
     'iniface'     => $iniface,
     'chain'       => $chain,
     'destination' => $destination,
   }
+  if $proto != 'gre' {
+    $state_rule = {
+      'state' => $state
+    }
+  } else {
+    $state_rule = {}
+  }
+
 
-  $rule = merge($basic, $extras)
+  $rule = merge($basic, $state_rule, $extras)
   validate_hash($rule)
 
   create_resources('firewall', { "${title}" => $rule })
-- 
cgit 1.2.3-korg