Feature #10275
firewall: proposal - 'order' parameter
| Status: | Needs Decision | Start date: | 10/25/2011 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | firewall | Spent time: | - | |
| Target version: | - | |||
| Keywords: | order | Branch: | ||
| Votes: | 3 |
Description
There has been some discussion in other tickets around an ‘order’ parameter which will take the place of the numbers we use in front of the comment. This parameter was proposed recently again by Dan Carley and deserves a ticket and discussion I think.
The idea behind the order parameter means we can drop the silly regex match for the comment so existing comments will just work, and it removes the expectation that users need to number every comment. Ordering will now be based on this numbered field.
This of course contends with the proposal of just using internal puppet ordering: #10240 or perhaps it could work alongside it somehow.
Dan Carley also proposed using a default order of say 500 if undefined.
Related issues
History
Updated by Dan Carley 6 months ago
I have a branch on the go for this: https://github.com/dcarley/puppetlabs-firewall/tree/10275-order_param
It now appears to be working. In summary:
- Introduces new 3 digit order property with a default of 500.
- Removes all previous naming requirements for firewall{} resources.
- Deletes and re-insert, instead of updating, if a rule’s order changes.
Would appreciate some more eyes over it. Particularly in respect of how people expect existing unmanaged rules to be handled.
Updated by Ken Barber 6 months ago
This is looking pretty good man – if you squash the commits up I can comment on them in github, but I’ll just put my comments here for now (/me puts on his devil’s advocate hat).
- So the fact that we fallback to 9999 for comments that don’t have a comment – is this a problem if we are limiting the order to 3 digits?
- Do we want to limit order to 3 digits?
- Should we force an order? Instead of having a default?
- Obviously there are no tests yet … we really need tests around this stuff (we haven’t done it before I believe) as its fragile
- I still feel we should limit the length of the namevar to something … like 70-80 chars at least. I’m just conscious of resource cloning between different OS’s … and having an issue with comment length in one provider but not the other.
Looking really good so far though mate :–).
Updated by Johan Huysmans 5 months ago
This would be very useful, as this will make the module work with iptables which don’t support the —comment option.
Like iptables in Centos4 and ip6tables in Centos5
Updated by Daniel Black 5 months ago
Ken Barber wrote:
This is looking pretty good man
Agree.
- Do we want to limit order to 3 digits?
seems a little artificial. I’d be happy with a wider range.
- Should we force an order? Instead of having a default?
I tend to favour forcing an order. Once action and reject items come in the order becomes a little to important to leave to a default.
Updated by Dan Carley 2 months ago
I have a bit of time to look at this again. Sorry about the lull.
Requiring an order param sounds sensible. It also makes it easier to widen or remove the 3 digit limitation, since we no longer need to know what the “middle” value is for a default.
I think it makes sense to keep some limitation on the length of order integers since a) they’re used to construct comments and b) it gives people some idea of what the upper bounds are if they want to arrive last. How about extending it to 6 digits?
Agreed on tests and limiting namevar.
So the fact that we fallback to 9999 for comments that don’t have a comment – is this a problem if we are limiting the order to 3 digits?
It doesn’t seem to. But it’s probably not good practice. Not sure how else we can ensure stuff gets pushed onto the end of the stack without mingling with the other “default/last” rules.
This would be very useful, as this will make the module work with iptables which don’t support the —comment option.
Unfortunately this implementation still requires comments to store the desired orders.