support for multiple source and dest address lists about puppetlabs-firewall HOT 10 CLOSED

#130 talks about using ipset, its a far more performant way of support multiple source/destination address lists.

from puppetlabs-firewall.

Do you have any idea when this will be resolved one way or the other? And/or is there any way I could help?

from puppetlabs-firewall.

I've written a patch that seems to work, based on a fairly-ugly merge of this tree and https://github.com/glesperance/puppetlabs-firewall; I don't have adequate testing facilities at the moment, though, nor am I entirely sure how to test the hard part here (that is: making sure that puppet runs without re-updating rules after setting things up the first time, and updating rules rather than just adding/deleting them).

from puppetlabs-firewall.

tskirvin, Can you post a fork of your work? I just found out I need this kind of thing and I'm saddened to see it's been up in the air so long. I'll gladly test your changes however I can, and I'll try to write some unit tests to make sure it's testable upstream (hoping I don't just say this and walk away from it :)

from puppetlabs-firewall.

@rfdrake @tskirvin absolutely, get this PR raised don't just paste a link - someone is bound to help out with tests as this is an often sought out feature. Up until now though, there has always been bugs with every patch put forth so I'm keen to see someone do a quality job on this. I think if you get the basics up, people can clean it up and make it work 100%.

from puppetlabs-firewall.

Okay, I've put this together: https://github.com/tskirvin/puppet-firewall-tskirvin
As I note in the README, this includes two tracks to solve the same problem. The first one is what I was referring to in my comment from last month - it's a bunch of patches to the main source tree that more-or-less support multiple sourcing, and may be a good place to work from, but it didn't work all the way. The second track is a simple define that lets you set up multiple firewall resources; it's extremely hack-y, but we're using it in production right now.

Hopefully this will help!

from puppetlabs-firewall.

After the missing "recent" iptables module support, then the provider limitation which prevents ip6tables from being purged, this is the next brick wall I've stumbled upon with the puppetlabs-firewall module.

This is just a "me too". With hiera, this feature would really make a lot of sense.

from puppetlabs-firewall.

Hey guys,

May I ask what is the status of this? It would be great to use arrays in source and destination.
Now I have to use this to achieve source array usage. But this seems odd.

class something {

$src = [ '1.1.1.1','2.2.2.2','3.3.3.3','4.4.4.4','5.5.5.5' ]

allow_nfs { $src: }

}

define allow_nfs {

    firewall { "130 Allow TCP NFS Portmap from $name":
        state  => 'NEW',
        source => $name,
        destination => $dst,
        port   => $dport,
        proto  => tcp,
        action => 'accept',
    }

    firewall { "131 Allow UDP NFS Portmap from $name":
        source => $name,
        destination => $dst,
        port   => $dport,
        proto  => udp,
        action => 'accept',
    }

}

from puppetlabs-firewall.

This is something I'd very much like to see. @tskirvin would you be willing to make a pull request for this based upon your existing work? I'm new to raw ruby but I could spend some time on this if it helps.

from puppetlabs-firewall.

Hello! We are doing some house keeping and noticed that this issue has been open for a long time.

We're going to close it but please do raise another issue if the issue still persists. 😄

from puppetlabs-firewall.