Hi John,

On Wednesday, March 13, 2013 11:51:51 AM UTC-4, jcbollinger wrote:
> On the flip side, the Firewall resource type provided by that module does not
> have any inherent dependency on such classes -- that's all coming from the
> global resource defaults you declare.

I understand that the ::pre and ::post dependencies are my own modifications to
the resource defaults.  If it helps to see where I got this from, I followed
the "recommended" configuration from
        https://forge.puppetlabs.com/puppetlabs/firewall
The dependencies are a red herring and not my real problem.

I will try stating what I want without any assumptions or postulation:
- Any module can declare its own set of firewall rules
- These rules are only enforced when a "switch" is flipped on the node

That's all.

> > Define a use_firewall guard parameter
>
> A parameter of what? The ::firewall class?

A node parameter to effectively wrap any Firewall resources in, e.g.:

define firewall::rule($proto, $port, $action) {
        # Only declare the real Firewall resource when the node's switch is on
        if $::use_firewall {
                firewall { $title:
                        proto  => $proto,
                        port   => $port,
                        action => $action,
                }
        }
}

class my_server_class ( $listen_port ) {
        firewall::rule { '500 my_server_class':
                proto  => tcp,
                port   => $listen_port,
                action => accept,
        }
        ...
}

Or even something like this?  (untested):

        ## site.pp
        Firewall {
                ensure => $::use_firewall ? {
                        undef               => absent,
                        /(?i:no|false|off)/ => absent,
                        /(?i:yes|true|on)/  => present,
                }
        }

> > - Move all Firewall resources into the firewall module as sub-classes
> >
> That doesn't even make sense.  Resources are not classes, so they cannot be
> subclasses.

Sorry, poor choice of words.  I meant pulling Firewall definitions out of all
classes and putting them under ::firewall, as you guessed.  I thought perhaps
once I did that, I could put logic in the firewall class to load sets of
Firewall resources contained in subclasses based on what classes the current
node was using.  I abandoned that idea; it's too convoluted with too much
magic, and I'd like to keep firewall definitions within the classes they
concern.

Upon further reflection and looking at the firewall type a little closer, I
realize that, disregarding any ::pre, ::post, or persist-firewall complications,
the simple act of declaring a firewall resource will cause it to be loaded into
iptables.  So any solution would involve either preventing the resources'
existence in the first place, or changing the behaviour of the type itself.
Thanks for making me think about it :)

Cheers,
David
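The two ideas in the message above (a per-node switch, and resource defaults that carry it to every Firewall resource) combined into one manifest, as an added example that is not code from the original thread or from puppetlabs-firewall. The switch is normalised once at top scope, the Firewall defaults apply it to every rule declared by any class, and purging of unmanaged rules is tied to the same switch. The names site_fw::pre, site_fw::post, my_server_class and the use_firewall fact are assumptions for this example; the pre/post rule set follows the pattern the module README recommends.

```puppet
# site.pp -- added example, not from puppetlabs-firewall or the original post.
# Assumes puppetlabs-firewall is installed and that $::use_firewall is set
# per node (ENC variable or fact). site_fw::pre / site_fw::post are
# hypothetical stand-ins for the my_fw::pre / my_fw::post classes in the
# module README.

# Normalise the switch to an 'ensure' value exactly once, at top scope.
# Boolean cases come first so a real boolean never reaches the regex;
# anything unrecognised, including an unset variable, means "off".
$fw_ensure = $::use_firewall ? {
  true                 => 'present',
  false                => 'absent',
  /^(?i:yes|true|on)$/ => 'present',
  default              => 'absent',
}

# Top-scope defaults reach every Firewall resource declared by any class on
# this node, so each class keeps its rules next to the service they protect.
# 'absent' actively removes a rule that an earlier run loaded into iptables;
# merely not declaring the resource would leave that rule in place.
Firewall {
  ensure  => $fw_ensure,
  require => Class['site_fw::pre'],
  before  => Class['site_fw::post'],
}

# Remove rules Puppet does not manage only while the firewall is switched on.
# Switched off, hand-added rules are left alone and only the rules declared
# in the catalog are removed (via ensure => absent above).
resources { 'firewall':
  purge => $fw_ensure ? {
    'present' => true,
    default   => false,
  },
}

include site_fw::pre
include site_fw::post

class site_fw::pre {
  # Break the dependency cycle: the pre rules must not require themselves.
  Firewall { require => undef }

  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

class site_fw::post {
  # The drop-all rule must sort last (999 prefix) and must not be ordered
  # before itself, so the global 'before' default is cleared here.
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# A service class declares only its own rule; the switch is inherited from
# the top-scope defaults, so no guard is needed in the class itself.
class my_server_class ($listen_port) {
  firewall { "500 my_server_class port ${listen_port}":
    proto  => 'tcp',
    port   => $listen_port,
    action => 'accept',
  }
}

class { 'my_server_class': listen_port => 8080 }
```

To try it on a scratch host, `FACTER_use_firewall=yes puppet apply site.pp` loads the rule set, and a second run with `FACTER_use_firewall=no` converts every declared rule to ensure => absent and removes it again. The caveat this addresses for the define-wrapper approach is that Puppet only removes a firewall rule it is told about: if the guard simply stops declaring the resource, a rule loaded on an earlier run stays in iptables unless `resources { 'firewall': purge => true }` is in effect, which in turn also deletes any rule added outside Puppet.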

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.