Hello,
I'm interested in adding support for the iptables module "recent"
within the puppetlabs firewall module. I've tried adding in the new
feature (which I'll call recent_limiting), and all the various
newproperties/etc required, and I am now stuck. Please bear with me, as
I'm new to ruby and struggling through this.
It would seem the firewall module does not have a concept of having
an iptables switch that has no argument. In my code so far, I've made
the properties:
    recent
    seconds
    hitcount
    recentname
    rsource
In the resource map I've put:
    :recent => "-m recent"
    :seconds => "--seconds"
    :hitcount => "--hitcount"
    :rsource => "--rsource"
    :recentname => "--name"
My problem now is how to deal with "rsource", since "rsource" is passed
no arguments. (This results in rule_to_hash failing...since it picks up
"--rsource" from iptables-save.) If I specify 'rsource => ""' in the
node's firewall{} block, then iptables fails because it literally tries
to do 'iptables ... --rsource "" -m commen....'. So either the
rule_to_hash fails because it doesn't map rsource correctly (which gets
added by default by iptables if not specified), or iptables fails.
I do not really understand how I'm supposed to handle this flag within
the firewall module, and I could find no example for which a flag
without an argument is set within the firewall module. I was having the
same issue with "--set" and/or "--update", but I worked around that by
making them be arguments to recent.
I.e.:
    recent => "set"
and then in the newproperty section for :recent I munged it:
    newvalues(:set, :update, :rcheck)
    munge do |value|
      # prefix the verb with "--" so the provider emits --set/--update/--rcheck;
      # interpolation works whether Puppet hands in a String or a Symbol
      "--#{value}"
    end
However, no such dirty workaround is available for rsource (especially
because iptables-save puts rsource after --name and before -m comment).
Hopefully this was clear enough to get some pointers on how to get this
working... ;)
Thanks,
-- Nicholas
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-dev/-/o1Jp7z40AXkJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.
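The core of the problem above is that a bare switch such as --rsource has no value to carry, so it cannot be modelled as "switch plus argument" like --seconds or --name. The usual way to model it is as a boolean property: presence of the switch in the iptables-save line means true, absence means false, and when generating the rule the switch is emitted alone (never followed by an empty string) and only when the value is true. The following Ruby is an added, stand-alone illustration of that idea written for this thread; it is not code from puppetlabs-firewall, and its constants (ARG_SWITCHES, BOOLEAN_SWITCHES, RECENT_VERBS) and the extra :rdest flag are assumptions chosen to show that the same rule covers any argument-less switch. The property names follow the post, and the switch ordering in hash_to_args follows the post's description of how iptables-save orders them.

```ruby
require 'shellwords'

# Switches that take exactly one argument, keyed by property name.
# (Assumed layout for this example, not the firewall module's resource map.)
ARG_SWITCHES = {
  seconds:    '--seconds',
  hitcount:   '--hitcount',
  recentname: '--name',
  comment:    '--comment',
}.freeze

# Argument-less switches: present in the rule => true, absent => false.
# :rdest is a hypothetical second bare flag, included to show the rule generalises.
BOOLEAN_SWITCHES = {
  rsource: '--rsource',
  rdest:   '--rdest',
}.freeze

# The recent "verb" switches the post folds into the :recent property.
RECENT_VERBS = %w[--set --update --rcheck].freeze

# Parse one iptables-save rule line into a property hash.
# Unknown tokens (-A, -p, -j, ...) are skipped so the example stays focused.
def rule_to_hash(line)
  hash = {}
  tokens = Shellwords.split(line)
  i = 0
  while i < tokens.size
    tok = tokens[i]
    if tok == '-m'
      # "-m <module>" only loads the match; the switches after it identify the property
      i += 2
      next
    end
    if RECENT_VERBS.include?(tok)
      hash[:recent] = tok.sub(/\A--/, '')
    elsif (key = BOOLEAN_SWITCHES.key(tok))
      # bare flag: its mere presence is the value
      hash[key] = true
    elsif (key = ARG_SWITCHES.key(tok))
      hash[key] = tokens[i + 1]
      i += 1 # consume the argument as well
    end
    i += 1
  end
  # absent bare flags are explicitly false, so the hash always has a definite answer
  BOOLEAN_SWITCHES.each_key { |k| hash[k] = false unless hash.key?(k) }
  hash
end

# Turn a property hash back into an argument vector for iptables.
# A bare flag is emitted as a single token and only when true; a false value
# produces nothing, which avoids the broken `--rsource ""` form from the post.
def hash_to_args(hash)
  args = []
  if hash[:recent]
    args << '-m' << 'recent' << "--#{hash[:recent]}"
    args << '--seconds'  << hash[:seconds].to_s  if hash[:seconds]
    args << '--hitcount' << hash[:hitcount].to_s if hash[:hitcount]
    args << '--name'     << hash[:recentname]    if hash[:recentname]
    BOOLEAN_SWITCHES.each { |key, switch| args << switch if hash[key] }
  end
  args << '-m' << 'comment' << '--comment' << hash[:comment] if hash[:comment]
  args
end

if __FILE__ == $0
  # Constructed sample rule in iptables-save form (not taken from a real host).
  sample = '-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 ' \
           '--hitcount 4 --name SSH --rsource -m comment --comment "000 ssh limit" -j DROP'
  parsed = rule_to_hash(sample)
  puts parsed.inspect
  puts Shellwords.join(hash_to_args(parsed))
end
```

Because the hash always carries an explicit true or false for each bare flag, the parsed form of an iptables-save line and the form a user writes in a firewall{} block compare cleanly, and a value of false simply disappears from the generated command line instead of turning into an empty argument.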