Major update of module from asasfu #30
In order to avoid any chance of connections disconnecting, complete-reload can't be used.
They will throw a detection of change and cause the provider to recompile the zone xml.
It was causing write and reload no matter what if rich_rules were present in firewalld_zone. Provided better support for family, created method exec_firewall as firewall-cmd has issues with flat command line being sent to it from this ruby class with items such as --permanent. Implemented get-zone-of-interface and remove-interface from zone if it has been switched over to another interface. Updates the permanent as well as making the change on the fly. Modified XML printout to use Pretty.compact = true as firewall-cmd fails at XML handling and if XML values inside elements are on separate lines rather than all one line with open and close elements firewall-cmd that edits the interface using --permanent will delete all the text inside those problem elements. firewall-cmd's fault, I worked the support in for their poor XML implementation.
In order to allow for deletion of zone file if purge_zones is set to false.
They are not plain booleans, they are strings that contain a boolean word.
Then it can bypass the safe_insync in property.rb and then back to nil when writing xml file. This is so we can comment out target and have it actually notice and flush and write a new zonefile.
If they're set to nil or empty (they're always empty, not nil, due to the way the array_matching all is done) they will be checked against the IS value to see if it is nil, if it is, do nothing, else, suggest to provider that the value has changed. That way we can comment out values or set them to [] and it will notice it should flush and write zonefile. Default insync method checks and if .empty? it returns true and does not submit for flush and write, not what we want.
It should properly handle cleanup if cleared from manifest using either absent or empty string.
Logging being set to on for a rich_rule was causing it to always detect as a reload, fixed that.
Added consistency checking in a simple form. Checks what rules exist in the zone definition and then compares them to the allow and deny rules in IPTables to ensure the line count matches, if a service has more than one port, it will also open up the service xml file to create lines for every port. Port ranges are considered one port inside IPTables, so we do the same. We could consider adding checks to make sure source, dest and port match between zone and iptables if desired...
Nested nils and such were a case by case basis, fixed that with a nested nil cleaner. Special False values like masquerade still need to be handled on their own if we want to delete_if them. This makes new additions that can have nils much easier to deal with and avoid firewall reloads taking place by accident. Also reverted back to using true and false rather than 'true' and 'false' in invert.
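As an added illustration (not code from this PR or from the firewalld module itself), the two checks described in the commits above, the insync override for values cleared to nil/[] and the nested nil cleaner, modelled in plain Ruby so they run without the puppet gem. The module name ZoneFlush and the method names clean_nils, default_insync? and safe_insync? are assumptions of this example; the zone hash in the usage section is constructed.

```ruby
# Added example, not the module's code: plain-Ruby model of two checks that
# decide whether the zone file needs a flush and rewrite. Names are assumed.
module ZoneFlush
  # Recursively drop nil entries from nested hashes/arrays so stray nils do
  # not register as a change (and trigger a firewall reload by accident).
  # Only nil is removed: false (e.g. masquerade => false) and [] are kept on
  # purpose, since false values need their own handling and [] means "clear".
  def self.clean_nils(value)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        cleaned = clean_nils(v)
        out[k] = cleaned unless cleaned.nil?
      end
    when Array
      value.map { |v| clean_nils(v) }.compact
    else
      value
    end
  end

  # Default-style comparison for an array_matching => :all property: an empty
  # "should" counts as in sync, so clearing a value in the manifest never
  # flushes. This is the behaviour the commit message calls "not what we want".
  def self.default_insync?(is, should)
    return true if should.nil? || should.empty?
    same_members?(is, should)
  end

  # Override: a nil/empty "should" means "remove what is there", so the
  # property is in sync only when the current (IS) value is also nil/empty.
  def self.safe_insync?(is, should)
    return blank?(is) if blank?(should)
    same_members?(is, should)
  end

  def self.blank?(v)
    v.nil? || (v.respond_to?(:empty?) && v.empty?)
  end

  # Order-insensitive comparison that also works for arrays of hashes
  # (rich rules), which plain Array#sort cannot compare.
  def self.same_members?(is, should)
    Array(is).sort_by(&:to_s) == Array(should).sort_by(&:to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed zone hash with the kinds of nils the commits describe.
  zone = { 'target' => nil, 'masquerade' => false,
           'rich_rules' => [{ 'service' => 'ssh', 'log' => nil }, nil],
           'ports' => [] }
  p ZoneFlush.clean_nils(zone)
  p ZoneFlush.default_insync?(['ssh'], [])  # true: the cleared value is missed
  p ZoneFlush.safe_insync?(['ssh'], [])     # false: flush and rewrite zonefile
end
```

The difference between the two insync variants is the whole point of the commit: with the default rule, commenting a value out of the manifest leaves the running zone untouched, while the override treats "nothing desired" as a request to remove what is present.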
cea4043 to 1532ede
We broke notify metaparam by using this provider method. We will be fixing this in a near future release. This patch allows `firewall-cmd --reload` to run inside the provider rather than rely on outside puppet code.
@asasfu this could be mergeable state of the commits @cvtienhoven thanks for the reload patch
So I found first issue there:
http://paste.fedoraproject.org/269527/27884551 would fix the issue with consistent? I should create spec tests and acceptance tests :(
bc2a6f5 to 67c6146
The notify metaparameter should work again for zonefile. It is no longer needed to run reload in zonefile and it was also buggy. The zone type did not properly generate zonefile resource. By always adding it in eval_generate we ensure puppet does resolve dependencies for the resource.
HACK: we reload twice as firewalld fails on reload if you remove zone file without calling firewall-cmd --permanent --delete-zone <zone>. In that case it blocks all connections and another reload is needed.
@asasfu feel free to test this PR and +1 if it works for you.
👍 R.I.P.