consider using a file, and using iptables-resource instead of modifying rules in place about puppetlabs-firewall HOT 6 CLOSED

If this can be done in away such that as a configuration it is possible to
creat the file but not actually do the (re) load.

from puppetlabs-firewall.

This could create more problems with interoperating with fail2ban and similar things, but it's otherwise easier to puppet firewall rules that way, since you could take advantage of templating. It would probably work fine if iptables-restore allowed you to restore on a per-chain basis, but it seems to only allow per-table.

from puppetlabs-firewall.

PLEASE do this. Using the iptables-restore command would be a huge win.

Also, I would try to ensure that you could ignore items based on target chain regex so that you could ignore fail2ban, libvirt, etc...

This does mean that a full restore would wipe those rules and you would have to have those service subscribe to the iptables restart exec but, when you're being authoritative, it's very difficult to add acceptance for randomization.

from puppetlabs-firewall.

iptables-restore only takes 2 options, and neither takes a regex.

from puppetlabs-firewall.

Sorry, I wasn't clear.

You would create a file with all relevant rules and compare it with the running system. However, you would have the ability to ignore certain rules based on regex such that you could prevent reloading the config should the running configuration match the new configuration without the ignored rules.

Hopefully that's more clear.

from puppetlabs-firewall.

Hello! We are doing some house keeping and noticed that this issue has been open for a long time.

We're going to close it but please do raise another issue if the issue still persists. 😄

from puppetlabs-firewall.