Fixes #16915: Firewall technique #1596
Conversation
PR updated with a new commit
This is massive.
I made several remarks, some because I'm not sure of the use case, and others because I fear it may default to a firewall blocking everything.
Some comments would be very welcome also.
"conf_pre" string => "flush ruleset${const.n}"; | ||
} | ||
|
||
bundle agent rudder_condition_from_string_compare(condition_prefix, string1, string2) { |
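Review bot: `conf_pre` opens the generated configuration with `flush ruleset`, which deletes every existing nftables table on the host, including any not managed by this technique, before the technique's own rules are loaded. That is a legitimate choice for a technique that owns the whole firewall, but it should be stated in the technique's description, and the generated file should be loaded with a single `nft -f` call so that the flush and the new rules are applied as one transaction rather than leaving a window with no rules in place.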
you need the &RudderUniqueID&, don't you?
Do we also use it in mono-instance techniques?
if it's mono-instance, it's not necessary, so you can remove it from everywhere in the technique
could you move this into a common part of the code? ideally ncf?
These two bundles should be generic methods, but I've had enough of CFEngine
you should use a different, more specific name there, like with the technique name, else we risk duplicate bundle names
I added rudder_ before the name of what the generic method would be; what do you suggest adding?
the name of the technique, so that we have a "perfect" scoping
we have many bundles starting with rudder_ everywhere, so we might accidentally create another with this name
Ok
"${condition_prefix}_false" not => "${condition_prefix}_true", scope => "namespace"; | ||
} | ||
|
||
bundle agent rudder_variable_string_canonify(prefix, name, string) { |
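Review bot: the `_false` class promise uses `not => "${condition_prefix}_true"`, which tests whether the `_true` class is already defined at the moment this promise is evaluated. If the `_true` promise is placed after it in the bundle (the rest of the bundle is not visible in this hunk), the first evaluation pass defines `_false` as well, and because both classes are `scope => "namespace"` neither can be undefined later in the agent run. Either state the ordering requirement in a comment or derive both classes from the same comparison expression so they cannot both be set.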
same here
could you move this into a common part of the code? ideally ncf?
opened https://issues.rudder.io/issues/17513 and https://issues.rudder.io/issues/17512; the technique will be able to use them once added, without compatibility problems.
ok, so you should use a different, more specific name there, like with the technique name, else we risk duplicate bundle names
} | ||
|
||
# Uses the systemd service, compatible with recent debian, rhel and derivatives | ||
bundle common rudder_nftables { |
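Review bot: the comment above `bundle common rudder_nftables` says which platforms are supported (recent Debian, RHEL and derivatives, through the systemd service) but not what the technique does on any other system. Given the concern raised earlier in this review about ending up with a firewall that blocks everything, the unsupported-platform case should be documented and reported explicitly (for example as an error or N/A result) rather than left to whatever the bundle happens to do when the service is absent.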
this could go in another file that would be a resource, so that it is unique
could you also have a more specific name, as long as it's in the technique?
What do you mean?
rudder_firewall_nftables ?
PR updated with a new commit
@@ -0,0 +1,2 @@ | |||
-- Alexis Mousset <alexis.mousset@rudder.io> Mon, 26 Sep 2020 17:19:00 +0100 |
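Review bot: the trailer date `Mon, 26 Sep 2020 17:19:00 +0100` is internally inconsistent: 26 September 2020 is a Saturday, not a Monday. If this is a Debian-style changelog trailer, dpkg-parsechangelog expects a valid RFC 2822 date, so it is safer to regenerate the line with `date -R` than to edit individual fields by hand.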
I didn't realize it was so old
I think I just changed the year because I was not sure of the correct date format... I can this.
Now this is in the future. I'm amazed that we can access code from September.
PR updated with a new commit
some minor changes requested
great work
PR updated with a new commit
just 3 minor bundle naming changes. This is awesome work
"conf_pre" string => "flush ruleset${const.n}"; | ||
} | ||
|
||
bundle agent rudder_condition_from_string_compare(condition_prefix, string1, string2) { |
you should use a different, more specific name there, like with the technique name, else we risk duplicate bundle names
} | ||
|
||
# Uses the systemd service, compatible with recent debian, rhel and derivatives | ||
bundle common rudder_nftables { |
could you also have a more specific name, as long as it's in the technique?
PR updated with a new commit
This PR is not mergeable to upper versions.
OK, squash merging this PR
e1c3f51 to cb6fc6b
https://issues.rudder.io/issues/16915