Support more parameters with array values #1168

Open
robertc99 opened this issue Oct 3, 2023 · 1 comment

@robertc99
Contributor

Use Case

It would be very useful to support arrays for more of the parameters.
At the moment, I think only port numbers support array inputs.
It would also be useful for things like source, destination, proto, icmp and protocol to support array values.

The firewall_multi module wraps a layer around firewall to add this functionality.
But it's sensitive to changes in firewall and has to be updated for every firewall release.

I believe the idea of supporting this functionality natively in the firewall module has been suggested before.
But I believe there were technical issues that made it difficult. I'm hoping the recent rewrite of firewall has removed these issues.

There is some discussion of the issue here https://groups.google.com/u/1/g/puppet-users/c/2Oy32a579jU

And I believe there was discussion in Jira. But the Jira has moved. I'm hoping you can still reference the content.
The old links were:
https://tickets.puppetlabs.com/browse/MODULES-3066
http://projects.puppetlabs.com/issues/10116

@alex-harvey-z3q
Contributor

Hi there, I am the maintainer of firewall_multi. I recall there being a fundamental limitation discussed in MODULES-3066. Unfortunately, I can't remember the specifics, and it appears the Jira ticket has been moved or is no longer accessible.

However, I concur with @robertc99 that it is worth revisiting this discussion.

I suspect the underlying issue lies in the firewall module's approach: it wraps a Linux iptables firewall rule within a custom provider. This design might not support arrays of inputs, such as source, dest, and the like. So, even though handling arrays of these inputs is highly beneficial for large organisations, the only feasible method to achieve this might be through code generation.

That's essentially what firewall_multi does. It provides a defined type firewall_multi that allows arrays on certain inputs and from these spawns multiple firewall resources.

But yes please have another look as many years have passed and I no longer manage firewalls myself.
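
The expansion described in the comment above (array inputs spawning one firewall resource per combination), sketched in Ruby as an added example; it is not code from firewall or firewall_multi. The title-suffix scheme and the sample rule are assumptions constructed for illustration.

```ruby
# Added illustration, not code from puppetlabs-firewall or firewall_multi.
# Parameters treated as array-capable are the ones named in the issue.
MULTI_PARAMS = %w[source destination proto icmp].freeze

# Expand one rule whose MULTI_PARAMS may hold arrays into
# { resource_title => params }, one entry per combination of values.
# Parameters outside MULTI_PARAMS (e.g. dport) pass through unchanged.
def expand_rule(title, params)
  multi = MULTI_PARAMS.select { |k| params[k].is_a?(Array) }
  multi.each do |k|
    # An empty array would silently expand to zero rules; fail loudly instead.
    raise ArgumentError, "#{k} must not be an empty array" if params[k].empty?
  end
  return { title => params.dup } if multi.empty?

  first, *rest = multi.map { |k| params[k].uniq }
  first.product(*rest).each_with_object({}) do |values, out|
    chosen = multi.zip(values).to_h
    # Hypothetical title scheme: append only the parameters that actually
    # vary, so every generated title is unique and stable across runs.
    suffix = chosen.select { |k, _| params[k].uniq.size > 1 }
                   .map { |k, v| "#{k}=#{v}" }.join(' ')
    out[suffix.empty? ? title : "#{title} #{suffix}"] = params.merge(chosen)
  end
end

# Constructed sample rule (documentation address ranges).
RULE = {
  'source'      => ['10.0.0.0/24', '10.0.1.0/24'],
  'destination' => ['192.0.2.10/32', '192.0.2.11/32'],
  'proto'       => ['tcp'],
  'dport'       => [80, 443]
}.freeze

if __FILE__ == $PROGRAM_NAME
  expand_rule('100 allow web', RULE).each { |name, p| puts "#{name}: #{p}" }
end
```

The number of generated rules is the product of the array lengths, so a review of the expanded output is the practical way to see what a compact multi-valued rule actually permits.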
