Comments (10)
#130 talks about using ipset, its a far more performant way of support multiple source/destination address lists.
from puppetlabs-firewall.
Do you have any idea when this will be resolved one way or the other? And/or is there any way I could help?
from puppetlabs-firewall.
I've written a patch that seems to work, based on a fairly-ugly merge of this tree and https://github.com/glesperance/puppetlabs-firewall; I don't have adequate testing facilities at the moment, though, nor am I entirely sure how to test the hard part here (that is: making sure that puppet runs without re-updating rules after setting things up the first time, and updating rules rather than just adding/deleting them).
from puppetlabs-firewall.
tskirvin, Can you post a fork of your work? I just found out I need this kind of thing and I'm saddened to see it's been up in the air so long. I'll gladly test your changes however I can, and I'll try to write some unit tests to make sure it's testable upstream (hoping I don't just say this and walk away from it :)
from puppetlabs-firewall.
@rfdrake @tskirvin absolutely, get this PR raised don't just paste a link - someone is bound to help out with tests as this is an often sought out feature. Up until now though, there has always been bugs with every patch put forth so I'm keen to see someone do a quality job on this. I think if you get the basics up, people can clean it up and make it work 100%.
from puppetlabs-firewall.
Okay, I've put this together: https://github.com/tskirvin/puppet-firewall-tskirvin
As I note in the README, this includes two tracks to solve the same problem. The first one is what I was referring to in my comment from last month - it's a bunch of patches to the main source tree that more-or-less support multiple sourcing, and may be a good place to work from, but it didn't work all the way. The second track is a simple define that lets you set up multiple firewall resources; it's extremely hack-y, but we're using it in production right now.
Hopefully this will help!
from puppetlabs-firewall.
After the missing "recent" iptables module support, then the provider limitation which prevents ip6tables from being purged, this is the next brick wall I've stumbled upon with the puppetlabs-firewall module.
This is just a "me too". With hiera, this feature would really make a lot of sense.
from puppetlabs-firewall.
Hey guys,
May I ask what is the status of this? It would be great to use arrays in source and destination.
Now I have to use this to achieve source array usage. But this seems odd.
class something {
$src = [ '1.1.1.1','2.2.2.2','3.3.3.3','4.4.4.4','5.5.5.5' ]
allow_nfs { $src: }
}
define allow_nfs {
firewall { "130 Allow TCP NFS Portmap from $name":
state => 'NEW',
source => $name,
destination => $dst,
port => $dport,
proto => tcp,
action => 'accept',
}
firewall { "131 Allow UDP NFS Portmap from $name":
source => $name,
destination => $dst,
port => $dport,
proto => udp,
action => 'accept',
}
}
from puppetlabs-firewall.
This is something I'd very much like to see. @tskirvin would you be willing to make a pull request for this based upon your existing work? I'm new to raw ruby but I could spend some time on this if it helps.
from puppetlabs-firewall.
Hello! We are doing some house keeping and noticed that this issue has been open for a long time.
We're going to close it but please do raise another issue if the issue still persists. 😄
from puppetlabs-firewall.
Related Issues (20)
- Use nftables instead of iptables where it is supported.
- Getting problems on the firewall on redhat 8
- No value is detected for nflog-prefix HOT 2
- Allow --reject-with tcp-reset for TCP rules
- Could not evaluate: `proto` must be set to `tcp` for `isfragment` to be true.
- firewall.toports expects an undef value or a match for Pattern[/^\d+(?:-\d+)?$/], got Integer
- Hyphen in the ipset's hash name breaks a firewall resource
- Puppet repeatedly attempts to correct firewall rules when `source` has a prefix length of zero HOT 8
- Add path option for cgroup
- Add back IPv6 protocol support for recent rule masks HOT 1
- Add support for parsing and using socket parameters
- issue with match_mark regex HOT 1
- Performance degradation in resource_api version
- single quotes in rule comments produces errors HOT 4
- puppet generate types fail on versions >= 7.0.0 HOT 2
- Non idempotent logs for empty firewall chains HOT 8
- hostnames with multiple address are not handled completely
- Link in CONTRIBUTING.md returns a 404.
- Defining a state as an array can cause an unnecessary updating action
- Using a LOG jump with a log_level of 4 causes an unnecessary updating action
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from puppetlabs-firewall.