Feature #11091
Add a position attribute to firewall rules.
| Status: | Duplicate | Start date: | 11/30/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | firewall | Spent time: | - |
| Target version: | - | | |
| Keywords: | iptables, firewall | Branch: | |
| Votes: | 0 | | |
Description
Hi,
Currently with puppetlabs-firewall 0.0.3 a firewall rule instance, e.g.
```puppet
firewall { '100 allow puppet clients to connect':
  proto  => 'tcp',
  dport  => '8140',
  state  => 'NEW',
  action => 'accept',
}
```
Then this firewall rule is inserted in the chain using `100 allow puppet clients to connect` as the index entry to sort the chain.
I think this could be a little fragile; while it is completely deterministic of course, simple typos like:
- 1 allow something
- 100: allow something else (I just did exactly this with the extra colon)
- I forgot to add a number
might not do what was actually intended.
Request is to add an optional position parameter. e.g.
```puppet
firewall { 'allow puppet clients to connect':
  proto    => 'tcp',
  position => '100',
  dport    => '8140',
  state    => 'NEW',
  action   => 'accept',
}
```
If the position is defined then this should be used for the ordering. This has the advantage that integer ordering is very clear and obvious and validation that it is even an integer in the first place can be done.
In the case where position is not defined the name can be used instead of course as before.
Moreover one could add a default:
```puppet
Firewall {
  position => '999999999999',
}
```
so that entries not containing an explicit position will be added at the end after the deny all which hopefully won’t do any harm.
Of course the position if defined would have to be prefixed to the name within the iptables comment so the current state can be retrieved.
Many Thanks,
Steve.
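The ordering scheme proposed above, modelled as an added Ruby example (hypothetical code written for this page, not puppetlabs-firewall's own provider): an explicit `position` wins and must be an integer, otherwise the leading number of the rule name is used, and rules with neither fall back to the suggested end-of-chain default. The leading-number regex and the stable tie-breaking are assumptions, chosen to reproduce the three typo cases from the report.

```ruby
# Hypothetical model of the proposed ordering (not puppetlabs-firewall code).
# Rules with neither a valid position nor a numbered name sort after deny-all.
DEFAULT_POSITION = 999_999_999_999

# Integer used to order a rule. An explicit position is validated as an
# integer up front, which a name-based index cannot do.
def rule_position(rule)
  if rule.key?(:position)
    pos = rule[:position].to_s
    raise ArgumentError, "position must be an integer: #{pos.inspect}" unless pos =~ /\A\d+\z/
    return pos.to_i
  end
  # Fall back to a leading "<number><space>" in the name, as the name-based
  # scheme does today (assumption: "100:" has no space after the digits, so
  # it is treated as unnumbered).
  m = rule[:name].match(/\A(\d+)\s/)
  m ? m[1].to_i : DEFAULT_POSITION
end

# Chain order for a set of rules; ties keep declaration order (stable sort).
def order_rules(rules)
  rules.each_with_index.sort_by { |r, i| [rule_position(r), i] }.map(&:first)
end

# Constructed sample rules reproducing the typo cases from the report.
SAMPLE_RULES = [
  { name: '100: allow something else' },                      # stray colon
  { name: '999 deny all', action: 'drop' },
  { name: '1 allow something' },                              # "1" meant "100"
  { name: 'allow ssh' },                                      # number forgotten
  { name: 'allow puppet clients to connect', position: '100' } # explicit position
]

def ordered_names(rules = SAMPLE_RULES)
  order_rules(rules).map { |r| r[:name] }
end
```

With the sample above, the two mistyped rules land after `999 deny all`, which is exactly the silent misplacement the explicit `position` attribute is meant to make visible.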
Related issues
History
Updated by Dan Carley 6 months ago
- Status changed from Unreviewed to Duplicate
Hi Steve,
This is covered by #10275. Linking to that.