(#9362) Create action property and perform transformation for accept, dro #15
Conversation
|
This is great work. There's only two things that came to mind, neither a huge issue:
|
Is the ip6tables stuff working? Okay - let me see what needs to be done.
What format do you think? Just .rb files with hashes in them? ... I was pondering this actually with YAML before you mentioned it but that seems ugly for this kind of thing. I don't conceptually mind the idea of having this all in its own file as it may get larger over time. |
|
IPv6 works ... although we lack specific tests for ip6tables. I've raised another task for that: http://projects.puppetlabs.com/issues/10086 Since I need to think specifically about what needs tests without doing test duplication. But I tested it using the folllowing and it seems to work: |
|
Okay - I've just submitted a second commit that moves the hashes into a separate file. Can you take a look at it and see if it looks okay? Don't merge as is - I'll squash if you're happy. |
|
This looks great. Let's squash and merge. |
… drop, reject value for iptables jump parameter. This commit introduces the new 'action' parameter which is designed to designate the action to take when a match succeeds. This is a cross-platform parameter and for the values 'accept','drop','reject' it will take the place of the existing jump parameter. The jump parameter is deemed as an iptables specific parameter so by splitting out this parameter for common actions it allows us to extend the firewall resource to include other providers much more easily in the future. By having such a common parameter we will be able to compare resources between boxes that may have different firewall implementations. The new behaviour is to force the usage for action parameter, and using 'accept', 'drop' or 'reject' for jump will now no longer work. Also - the default of 'accept' for jump has been removed which means you MUST specify an action if you want your rule to do something. Without an action the rule will match, but do nothing (so only useful for keeping counters generally). To aid in the testing of this new property I've added new ways to test converting iptables rules to hashes and hashes to general_args. This should simplify the testing of new bugs as well.
(#9362) Create action property and perform transformation for accept, dro
(#9362) Create action property and perform transformation for accept, drop, reject value for iptables jump parameter.
This commit introduces the new 'action' parameter which is designed to designate
the action to take when a match succeeds. This is a cross-platform parameter and
for the values 'accept','drop','reject' it will take the place of the existing
jump parameter.
The jump parameter is deemed as an iptables specific parameter so by splitting
out this parameter for common actions it allows us to extend the firewall resource
to include other providers much more easily in the future. By having such a common
parameter we will be able to compare resources between boxes that may have different
firewall implementations.
The new behaviour is to force the usage for action parameter, and using 'accept',
'drop' or 'reject' for jump will now no longer work.
To aid in the testing of this new property I've added new ways to test converting
iptables rules to hashes and hashes to general_args. This should simplify the
testing of new bugs as well.