From 5ae166ca2293303acda986b5af920a7c5280a713 Mon Sep 17 00:00:00 2001
From: Jean-Francois Roche
Date: Thu, 19 Apr 2018 16:04:08 +0200
Subject: [PATCH] Add option to remove unknown ipsets

This option is useful if you want to control ipsets only with puppet.
---
 manifests/init.pp | 6 ++++++
 spec/classes/init_spec.rb | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index 721fff4f..ca395d09 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -196,4 +196,10 @@
 Service['firewalld'] -> Firewalld_direct_rule <||> ~> Exec['firewalld::reload']
 Service['firewalld'] -> Firewalld_direct_passthrough <||> ~> Exec['firewalld::reload']

+ if $purge_unknown_ipsets {
+ Firewalld_ipset <||>
+ ~> resources { 'firewalld_ipset':
+ purge => true,
+ }
+ }
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 182b8ecc..5294ad2d 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
@@ -33,6 +33,7 @@
 :purge_direct_rules => true,
 :purge_direct_chains => true,
 :purge_direct_passthroughs => true,
+ :purge_unknown_ipsets => true
 }
 end

@@ -47,6 +48,12 @@
 it do
 should contain_firewalld_direct_purge('chain')
 end
+
+ it do
+ should contain_resources('firewalld_ipset')
+ .with_purge(true)
+ end
+
 end

 context 'with parameter ports' do
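Review bot: `$purge_unknown_ipsets` is read in the new `if` at the end of the class body, but the diffstat lists only these six insertions for manifests/init.pp, so the parameter has to be declared already in the class header outside this hunk; if it is not, the spec's `:purge_unknown_ipsets => true` fails at catalog compilation. Please confirm it defaults to `false` and document it, because `purge => true` removes every ipset the catalog does not declare, including sets that other software on the host maintains or that existing firewall rules still reference. A comment above the block such as `# Removes every firewalld ipset not declared in the catalog, including sets created outside Puppet` would make that explicit. The `resources` purge also relies on the firewalld_ipset provider being able to enumerate existing sets, which this patch does not show.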
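Review bot: The new example in the purge context only pins the enabled case; nothing in this hunk checks that the catalog leaves ipsets alone when `purge_unknown_ipsets` is not set. Since the option deletes firewall state, a negative example in a context that uses default parameters, `it { should_not contain_resources('firewalld_ipset') }`, would guard against the purge being switched on by accident. The enclosing `context` block starts outside the hunk, so a default-parameter context may already exist elsewhere in the file.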