Bug #10984
firewall: Default firewall class to handle rote tasks for firewall provider
| Status: | Code Insufficient | Start date: | 11/21/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | firewall | Spent time: | - |
| Target version: | - | | |
| Keywords: | | Branch: | https://github.com/mediatemple/puppetlabs-firewall/tree/class-firewall |
| Votes: | 0 | | |
Description
The firewall provider needs some help to make nice things happen by default, and save people from writing the same defines over and over.
For instance:
- Defining platform specific exec{firewall-persist: } resources
- Ensuring platform specific packages are installed
History
Updated by Sharif Nassar 6 months ago
Pull request 34 with WIP:
There’s a couple known TODO items, but I wanted to open the discussion to make sure I’m on the right track.
- Update docs to suggest adding Firewall resource defaults in site.pp for the two new execs.
- Update to reflect that there is a package for Squeeze and newer iptables-persistence and not do silliness there. Sadly, however, this package does NOTHING for ip6tables, and is scarcely different than what I’ve provided.
Updated by Sharif Nassar 6 months ago
Also, on RHEL 5, ip6tables does not support comments. So the firewall provider is currently broken on RHEL 5.
This class works around that by bypassing the provider entirely and creating a REJECT all config for IPv6 on RHEL 5.
Updated by Ken Barber 6 months ago
- Category set to firewall
- Status changed from Unreviewed to In Topic Branch Pending Review
- Assignee set to Sharif Nassar
Updated by Ken Barber 6 months ago
- Status changed from In Topic Branch Pending Review to Code Insufficient
- Branch set to https://github.com/mediatemple/puppetlabs-firewall/tree/class-firewall
Pull request is here:
https://github.com/puppetlabs/puppetlabs-firewall/pull/34
But needs work.
Updated by Sharif Nassar 6 months ago
I’ve reworked this significantly and it’s now ready for a final review.
Updated by Ken Barber 6 months ago
Hi Sharif – there are still a couple of things that need fixing. See my comments in the pull request.
Just to warn others – there will need to be some changes to CI to install rspec-puppet before this can be merged in. I’ve been testing new CI scripts that install rspec-puppet with puppetlabs-ntp with some good success:
https://jenkins.puppetlabs.com/view/Puppet%20Modules/job/Puppet%20Module%20-%20ntp/
But it does require some scripting changes that only someone with access will be able to make.
Updated by Sharif Nassar 6 months ago
Updated the pull request to just get rid of the ‘firewall-init’ exec and moved it into the provider. Hopefully this is the last of it.
Updated by Sharif Nassar 5 months ago
Hi Ken, What’s up with this?
Updated by Daniel Black 5 months ago
In the general theme of this bug, getting common tasks implemented:
- the dualstackfirewall definition in issue #1144 could be worth considering
Updated by Jonathan Boyett 4 months ago
Merging this in, since it’s been sitting completed for a while.
Updated by Sharif Nassar 4 months ago
Ok, it’s WTF time. After 5 weeks, Jonathan merges this code, and you guys reverted the merge? Why do I bother contributing again?
This is on the list of ways to murder a community.
Updated by Steve Snodgrass 3 months ago
I’m not sure what the status of this is, but I just wanted to chime in and say that I wish this module wouldn’t take over the “firewall” class namespace, as I’ve been using that for quite some time in my environment in conjunction with the old iptables module. I even have a bunch of stuff underneath it like “firewall::web” and “firewall::dns” etc. So far I’ve been able to keep using this in conjunction with 0.0.4, but this addition will break my class. If all else fails I will suck it up and rename my classes to something else, but I at least wanted to get a word in edgewise first. :)