puppetlabs-firewall source array not working as expected

[Dusty Doris]

In puppetlabs-firewall it appears that you can provide an array of source ips as defined in types/firewall.rb (desc: An array of source addresses....).

However, when I pass in an array of source addresses, it only applies the first address to the ruleset.

eg:

  firewall { '100 allow web':

    dport => '8080',

    source => ['10.0.0.1', '10.0.0.2'],

    action => 'accept'

  }

If I were to apply that definition above, only the 10.0.0.1 rule would be applied.

Is this an error in my assumptions about what it means to accept an array of source addresses?  The example giving was source => '192.168.2.0/24', which is a CIDR block, not an array.  So, perhaps this is just strange wording in the code?

This feature would be a great one to have for our workflow.

Anyone have any ideas on work arounds?  How do others manage complex firewall rules in puppet without a giant node declaration.

Thanks.

[Bezerker]

Dusty,

I actually had the same issue and brought this up with Ken Barber at PuppetConf.  I believe he and several others have looked into this briefly but nothing much has come from it.  There was a puppet bug report where another user had managed to have it take arrays without too much issue: http://projects.puppetlabs.com/issues/10116

Unfortunately in my brief testing there was another issue created (it was always trying to add/remove a rule if I recall, it's been awhile.)

In the meantime a recommended workaround that works for some use cases is using a defined resource to accept the array and then create each firewall resource as a result.  

[Dusty Doris]

Thanks for the reply.  I will take a look at that patch. 

I have been trying to accomplish this with defined resources, unfortunately my particular case isn't working well for that.

Here is my attempt, perhaps anyone has some suggestions?

define myfirewall::accept($proto='tcp', $ports) {

  firewall { "100 $name":

    source => $name,

    proto => $proto,

    dport => $ports,

    action => 'accept'

  }

}

import 'myfirewall'

node 'mynode' {

  include myfirewall

  $web_servers = ['10.0.0.1','10.0.0.2']

  $db_servers  = ['10.0.0.3']

  myfirewall::accept { $web_servers: 

    ports  => ['80','443'],

  }

  myfirewall::accept { $db_servers:

    proto => 'tcp',

    ports => '3306'

  }

}

That works great.  It allows me to accept certain ports from certain groups of hosts.  You can see the value in this, as I could create node groups and automatically allow certain ports to certain sources.  For example, allow every machines access to ssh, allow all my app servers and all my db servers to my db port.  Allow all my app servers to some API port, etc...

But, now  say I want to a one-off rule on one of those particular hosts that is already defined, so I add another rule.

  myfirewall::accept { '10.0.0.1':

    ports => '8888'

  }

Error: Duplicate declaration: Myfirewall::Accept[10.0.0.1] is already declared in file /etc/puppet/manifests/nodes.pp at line 10; cannot redeclare on node mynode

It will error out here as having a duplicate.  I'm trying to figure out how I can re-write this to make it work, but it appears the puppet dsl only acts on arrays when they are the name variable and then calls the resource once for each item in the array, passing that as the name.

So, I suppose right now I need to make my groups better, so they include all the one-offs and make sure there are no duplicates.  Or, I could just define the one-offs one at a time in each node file.

I appreciate any suggestions.

[Terry Z.]

I believe you have stumbled into the same issue I ran into when attempting to workaround this with defined resources and unfortunately I had to continue using the legacy bobsh-iptables module as a result (which has its own inherent issues but at least properly accepts an array in source.)

It is rather disheartening to see the puppet-firewall module stuck with these limitations, but I do understand the difficulty in making this work as we expect so it's a trade off.

[jcbollinger]

On Monday, December 3, 2012 5:25:58 PM UTC-6, Dusty Doris wrote:

[...]  I'm trying to figure out how I can re-write this to make it work, but it appears the puppet dsl only acts on arrays when they are the name variable and then calls the resource once for each item in the array, passing that as the name.

Yes, that is precisely what Puppet does with arrays given as resource titles, and that behavior is triggered only by titles.

 

So, I suppose right now I need to make my groups better, so they include all the one-offs and make sure there are no duplicates.  Or, I could just define the one-offs one at a time in each node file.

I appreciate any suggestions.

One way to look at your issue is that your site-specific data is too commingled with your code.  That's why you have one-offs in the first place.  Pull the data together into a class variable somewhere, or even externalize it into an Hiera data store.  Drive your firewall declarations with your data instead of pulling the data along behind.

More specifically, you can use Puppet hashes or Hiera lookups to dynamically adapt your declarations to specific cases (e.g. to choose parameter values), or you can use the built-in create_resources() function to declare whole resources based on your data.  You already know about arrays as resource titles and combining that with defined types; those fit into the picture, too.


John

[Dusty Doris]

Thanks John.  That sounds like some fantastic advice. 

I'm brand new to puppet and still trying to wrap my mind around it.  I'd love any resources if you have any recommendations (eg: any good books?)

[Jakov Sosic]

It's really not that hard to code array support to custom provider, has
anyone tried it? Maybe if community can fix it, puppetlabs would accept
pull request?


--
Jakov Sosic
www.srce.unizg.hr