xFirewall: Modify Set-TargetResource to support both Group/DisplayGroup #44
Comments
|
👍 I could have a go at this change this week if you like? I've have some ideas on the changes that need to be made. The fiddliest part is working around the issue where a DisplayGroup can't be renamed (https://connect.microsoft.com/PowerShell/feedbackdetail/view/1970765/add-ability-to-change-firewall-displaygroup-in-set-netfirewallrule-cmdlet) or where the Group needs to be renamed on an existing rule - because the only way to manage these two scenarios is to recreate the rule. But I think this can be managed. |
|
Also, I added another request to Windows Connect to allow the Group to be changed in the Set-NetFirewallRule cmdlet: |
|
One of these days we'll get everything open sourced so we can submit pull requests. 👍 |
|
Now that would be awesome :) I'll happen one day I'm sure. Still, Connect is a pretty good way to start. |
|
I've done some digging on this one and actually think it requires a slightly different solution that I originally thought. This does still require a change, so I'll summarize the situation here so that it is (hopefully) clear why this resource behaves this way and hopefully clarifies things. My original thinking was there is no possible way to set the DisplayGroup on an existing or new Firewall rule. It will always be set to the value of the Group parameter that is passed in the But after researching this I don't think the DisplayGroup is actually never meant to be set. We should ONLY ever allow the Group to be set. The DisplayGroup will always take on one of two values:
Another example: You will end up with the DisplayGroup of the rule being pulled from the IISRES.DLL - this is called a predefined rule (and you can't change the properties of this rule in WFAS): So I think this also explains why the Group can never be changed once assigned - because it could cause some pretty unexpected behavior when changing a non-predefined rule to a predefined rule. tl;dr;
So I'll make the above changes and get those through. Also, this makes my submissions to Windows Connect invalid as the Cmdlets are actually behaving exactly as they should. Although the documentation on this could be improved :) |
Fix for Issue #44 -xFirewall: Modify Set-TargetResource to support both Group/DisplayGroup
|
I'm going to call this one good with some of the merges that have been happening. |
|
👍 No argument from me. |
|
Note this was a breaking change. |
|
I'm curious why you're noting this now? |
|
I'm bringing configuration forward to use the latest resources and trying to figure out why the configuration broke. I don't see any notes in the review that this was a breaking change. |
|
Makes sense, I'll try to make sure we're calling that out in the release notes if we ever need to make another breaking change. 👍 |
|
Fair enough. It definitely could have been a bit clearer in the release notes 👍 |
Right now there is a limitation in the code where xFirewall doesn't support setting both Group and DisplayGroup, the code pretty much doesn't let us set Group. This should be changed to allow both.
The text was updated successfully, but these errors were encountered: