Modules: MODULES-10522

Support xtables-addons --condition parameter in puppetlabs-firewall


Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: firewall
    • Labels: None
    • QA Risk Assessment: Needs Assessment

Description

Currently puppetlabs-firewall does not support "-m condition --condition <filename>", which allows a rule to be matched - or not matched - based on a boolean value (0 or 1) in /proc/net/nf_condition/<name>. This mechanism allows firewall rules to be fully in Puppet's control, while retaining the capability to change the actual behavior of the ruleset with external tools such as scripts. This can be useful, for example, when DNAT traffic needs to be switched dynamically from one virtual machine to another (blue-green) on a KVM host.

Without this capability, doing such switches requires trickery with custom facts to prevent Puppet from changing a rule back to its previous state after an external tool has changed it.

Installation of xtables-addons is required for --condition to work.

A PR will follow shortly.
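The blue-green DNAT switch described above, as an added shell example that is not part of the ticket or of puppetlabs-firewall. The condition name, the VM addresses and the NF_CONDITION_DIR override are assumptions constructed for the example; rule generation is a dry run that prints the iptables commands rather than executing them.

```shell
#!/bin/sh
# Added example (not from the ticket or puppetlabs-firewall): blue-green DNAT
# switching with the xtables-addons "condition" match. NF_CONDITION_DIR is a
# constructed override so the toggle can be exercised without xtables-addons;
# on a real host it is /proc/net/nf_condition.
NF_CONDITION_DIR="${NF_CONDITION_DIR:-/proc/net/nf_condition}"

# Print the two DNAT rules for one published port. Exactly one of them can
# match at any time: "--condition NAME" matches while the /proc value is 1,
# "! --condition NAME" while it is 0. Puppet owns both rules; neither changes.
# Usage: dnat_rules <condition-name> <port> <blue-ip> <green-ip>
dnat_rules() {
    name=$1; port=$2; blue=$3; green=$4
    printf '%s\n' "iptables -t nat -A PREROUTING -p tcp --dport $port -m condition --condition $name -j DNAT --to-destination $green:$port"
    printf '%s\n' "iptables -t nat -A PREROUTING -p tcp --dport $port -m condition ! --condition $name -j DNAT --to-destination $blue:$port"
}

# The "external tool" step from the ticket: flip the boolean, 1 = green,
# 0 = blue. On a real host the file under /proc/net/nf_condition only exists
# while a rule references the name, so the rules must be loaded first.
# Usage: switch_to <condition-name> blue|green
switch_to() {
    name=$1; target=$2
    case "$target" in
        green) value=1 ;;
        blue)  value=0 ;;
        *) echo "switch_to: target must be blue or green, got '$target'" >&2; return 2 ;;
    esac
    echo "$value" > "$NF_CONDITION_DIR/$name"
}

# Report which side currently receives traffic for a condition name, by
# reading the same value the kernel match consults.
active_side() {
    name=$1
    if [ "$(cat "$NF_CONDITION_DIR/$name")" = 1 ]; then echo green; else echo blue; fi
}
```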

People

Assignee: Unassigned
Reporter: mattock (Samuli Seppänen)