[MODULES-450] Enable inverse of rules

Created: 2014/02/05
Updated: 2014/12/12
Resolved: 2014/08/04
Status: Closed
Project: Forge Modules
Component/s: firewall
Affects Version/s: None
Fix Version/s: None
Type: Improvement
Reporter: Hunter Haugen
Assignee: Hunter Haugen
Priority: Normal
Resolution: Fixed
Labels: None
Votes: 2
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Story Points: 2
Sprint: MODS July 23, MODS Aug 6

Issue Links:
  Duplicate: is duplicated by MODULES-472 "nosource, nodestination => ! -d , ! -s" (Resolved)
  Relates:   relates to MODULES-1592 "Inversion of address types is incomplete" (Closed)

Description

Is it possible to add functionality so we can get the equivalent of using '!' in puppet? I want to do rules like:

    -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

But I can't find any way to do this using the puppet firewall module. Thanks!

Comments

Comment by Jarkko Ketola [ 2014/03/28 ]

Facing the same challenge (and rule) and haven't found any solution yet.

Comment by Hunter Haugen [ 2014/03/28 ]

Jarkko Ketola, do you have an idea of how this might actually look on the resources? The best I can come up with is something like:

    firewall { '005 test':
      #...
      tcp_flags => 'FIN,SYN,RST,ACK SYN',
      negate    => ['tcp_flags', ...],
    }

But that's pretty ugly imho.

Comment by Jarkko Ketola [ 2014/03/29 ]

Getting the following error: "Invalid parameter negate at" with puppet-firewall version 1.0.2 =)

Comment by Hunter Haugen [ 2014/04/07 ]

Oh, that hasn't been coded yet. I was just trying to come up with a way that it could actually be done and make sense...

Comment by Thomas Sturm [ 2014/05/17 ]

I'm facing this issue as well. In my case I'd need to negate the proto parameter. I will end up with allowing tcp,udp,icmp instead of !esp as a workaround. I don't know about the internals, but wouldn't it be possible to parse an exclamation mark in front of a value? Like so:

    tcp_flags -> '!FIN,!SYN'

Comment by Alexey Lapitsky [ 2014/06/26 ]

Facing the same issue. An ugly solution is better than no solution. Maybe, as a (temporary?) workaround, we can implement something like an iptables_raw parameter?

    firewall { '005 test':
      #...
      iptables_raw => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN',
      action       => 'accept',
    }

This would permit migration of any iptables rules to the puppetlabs-firewall module.

Comment by Hunter Haugen [ 2014/07/30 ]

https://github.com/puppetlabs/puppetlabs-firewall/pull/394

I tried to use the examples given here as tests. If some of y'all could try this out, that would be great!

Comment by Hunter Haugen [ 2014/07/30 ]

For posterity, I decided to not go with the invert parameter route because declarations like this are confusing:

    firewall { '001 disallow esp protocol':
      action => 'accept',
      proto  => 'esp',
      negate => 'proto',
    }

Comment by Alexey Lapitsky [ 2014/08/01 ]

Tried it out with tcp_flags, works great. Thanks!

Comment by Hunter Haugen [ 2014/08/04 ]

PR was merged.

Comment by Alexey Lapitsky [ 2014/08/04 ]

Cool, thanks for fixing that!

Generated at Sat Mar 05 20:15:02 PST 2016 using JIRA 6.4.12#64027sha1:e3691cc1283c0f3cef6d65d3ea82d47743692b57.
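A small Ruby illustration added here (not code from puppetlabs-firewall, its pull request, or anyone in this thread) of the value-prefix approach Thomas Sturm suggests instead of a separate negate parameter: a value beginning with '!' negates that match, and the '!' is emitted in front of the iptables option, which is where iptables expects it. The parameter-to-option table and the hash-style input are assumptions made for the illustration.

```ruby
# Added illustration, not puppetlabs-firewall provider code.
# A value beginning with "!" (optionally followed by a space) negates the
# match it belongs to; iptables wants that "!" in front of the option,
# e.g. "! --tcp-flags FIN,SYN,RST,ACK SYN" or "! -p esp".

# Split "! esp" / "!esp" into [negated?, bare value].
def split_negation(value)
  m = value.to_s.match(/\A!\s*(.*)\z/)
  m ? [true, m[1]] : [false, value.to_s]
end

# Parameter name => iptables option, in the order they are emitted.
# (Assumed subset of the module's parameters, enough for the thread's rules.)
OPTIONS = [
  ['proto',       '-p'],
  ['source',      '-s'],
  ['destination', '-d'],
  ['tcp_flags',   '--tcp-flags'],
  ['state',       '--state'],
].freeze

# Build the iptables argument list for a hash of firewall-resource parameters.
def iptables_args(params)
  args = ['-A', params.fetch('chain', 'INPUT')]
  OPTIONS.each do |name, opt|
    next if params[name].nil?
    negated, value = split_negation(params[name])
    # tcp_flags and state need their match modules loaded first
    args += ['-m', 'tcp']   if name == 'tcp_flags'
    args += ['-m', 'state'] if name == 'state'
    args << '!' if negated      # negation applies to the whole match, not to single flags
    args << opt
    args += value.split(' ')    # tcp_flags carries two words: mask and set flags
  end
  args + ['-j', params.fetch('action', 'accept').upcase]
end

if $PROGRAM_NAME == __FILE__
  # The rule from the issue description, expressed with a negated tcp_flags value:
  puts iptables_args(
    'chain' => 'INPUT', 'proto' => 'tcp',
    'tcp_flags' => '! FIN,SYN,RST,ACK SYN', 'state' => 'NEW', 'action' => 'drop'
  ).join(' ')
end
```

Note that iptables negates a whole match, so a per-flag form like '!FIN,!SYN' has no direct translation; only the leading '!' is interpreted.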