Deprecate netmask parameter

README.md

@@ -222,10 +222,10 @@ freeradius::client { "wlan-controller01":
 ```
 
 ##### `ip`
-The IP address of the client.  For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
+The IP address of the client or range in CIDR notation.  For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
 
 ##### `ip6`
-The IPv6 address of the client. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
+The IPv6 address of the client or range in CIDR notation. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
 
 ##### `shortname`
 A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section. Required.
@@ -239,9 +239,6 @@ The virtual server that traffic from this client should be sent to. Default: `un
 ##### `nastype`
 The `nastype` attribute is used to tell the `checkrad.pl` script which NAS-specific method it should use when checking simultaneous use. See [`man clients.conf`](http://freeradius.org/radiusd/man/clients.conf.txt) for a list of all options. Default: `undef`.
 
-##### `netmask`
-The netmask of the client, specified as an integer, e.g. `24`. Default: `undef`.
-
 ##### `port`
 The UDP port that this virtual server should listen on. Leave blank if this client is not tied to a virtual server. Currently the port number is only used to create firewall exceptions and you only need to specify it if you set `firewall => true`. Use port range syntax as in [`puppetlabs-firewall`](https://forge.puppetlabs.com/puppetlabs/firewall). Default: `undef`.
 

manifests/client.pp

@@ -19,6 +19,21 @@ define freeradius::client (
   $fr_group    = $::freeradius::params::fr_group
   $fr_version  = $::freeradius::params::fr_version
 
+  # Calculate CIDR format IP now that FreeRADIUS has obsoleted use of separate netmask.
+  # This workaround means no syntax change is necessary, although we print a warning.
+  $cidr = $netmask ? {
+    undef   => $ip,
+    default => "${ip}/${netmask}",
+  }
+  $cidr6 = $netmask ? {
+    undef   => $ip6,
+    default => "${ip6}/${netmask}",
+  }
+
+  if ($netmask) {
+    warning("netmask field found in client ${shortname} is deprecated, use CIDR notation instead. Please fix your configuration.")
+  }
+
   file { "${fr_basepath}/clients.d/${shortname}.conf":
     ensure  => $ensure,
     mode    => '0640',
@@ -36,10 +51,7 @@ define freeradius::client (
           proto  => 'udp',
           dport  => $port,
           action => 'accept',
-          source => $netmask ? {
-            undef   => $ip,
-            default => "${ip}/${netmask}",
-          },
+          source => $cidr,
         }
       } elsif $ip6 {
         firewall { "100-${shortname}-${port}-v6":
@@ -47,10 +59,7 @@ define freeradius::client (
           dport    => $port,
           action   => 'accept',
           provider => 'ip6tables',
-          source   => $netmask ? {
-            undef   => $ip6,
-            default => "${ip6}/${netmask}",
-          },
+          source   => $cidr6,
         }
       }
     } else {

templates/client.conf.fr2.erb

 client <%= @shortname %> {
-	<% if @ip %>ipaddr= <%= @ip %><% end %>
-	<% if @ip6 %>ipv6addr = <%= @ip6 %><% end %>
-	<% if @netmask %>netmask = <%= @netmask %><% end %>
+	<% if @ip %>ipaddr= <%= @cidr %><% end %>
+	<% if @ip6 %>ipv6addr = <%= @cidr6 %><% end %>
 	shortname = <%= @shortname %>
 	secret = "<%= @secret %>"
 	<% if @virtual_server %>virtual_server = <%= @virtual_server %><% end %>

templates/client.conf.fr3.erb

 client <%= @shortname %> {
-	<% if @ip %>ipaddr= <%= @ip %><% end %>
-	<% if @ip6 %>ipv6addr = <%= @ip6 %><% end %>
-	<% if @netmask %>netmask = <%= @netmask %><% end %>
+	<% if @ip %>ipaddr= <%= @cidr %><% end %>
+	<% if @ip6 %>ipv6addr = <%= @cidr6 %><% end %>
 	shortname = <%= @shortname %>
 	secret = "<%= @secret %>"
 	<% if @virtual_server %>virtual_server = <%= @virtual_server %><% end %>