I've been using camptocamp's iptables module. It works pretty well, lets me define rules in various modules, etc. Now I find myself needing to generate a commented list of its rules. I notice that the README has a nice exec suggestion. But, when I try it, I can't get it to work.

In my iptables/manifests/init.pp I have:

    Iptables {
      before  => Exec["iptables::save::rules"],
      notify  => Exec["iptables::save::rules"],
      require => Package["iptables"],
    }
    exec { "iptables::save::rules":
      command     => "iptables-save > /etc/iptables.rules",
      refreshonly => true,
    }

But I don't see that exec being called. Nor do I see any attempts at calling it. (I've even been testing with the command set to "false") Anyone know what's up with this, or have another suggestion for generating such a list?

seph

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
You shouldn't need the 'before' in the 'iptables' resource. Not quite sure why it's not executing, but how about this ...

http://github.com/kbarber/puppet-iptables

It's a mod to the camptocamp code. It persists iptables with iptables-save without requiring an external exec notify. It also stores the resource name as a comment using iptables --comment ... so you can easily see the comments when you do an iptables -vnL. This is quite good for putting a 'reason' for a rule and having ordinary admins see it themselves without having to check puppet.

It also carries other modes like SNAT support and --tosource and --toports for REDIRECT.

It was only tested on RHEL5.x - your mileage may vary.

ken.

On Apr 19, 8:05 pm, seph <s...@directionless.org> wrote:
> I've been using camptocamp's iptables module. It works pretty well, lets
> me define rules in various modules, etc. Now I find myself needing to
> generate a commented list of its rules. I notice that the README has a
> nice exec suggestion. But, when I try it, I can't get it to work.
> But I don't see that exec being called. Nor do I see any attempts at
> calling it. (I've even been testing with the command set to "false")
> Anyone know what's up with this, or have another suggestion for
> generating such a list?

Actually - this smells like a scope thing. What scope did you define that code in? Try it in your /etc/puppet/manifests/site.pp file.

ken.
Ken <ken@bob.sh> writes:

> What scope did you define that code in? Try it in your /etc/puppet/
> manifests/site.pp file.

I tried it in both the iptables module and the site.pp file. But, I like your module more.

> http://github.com/kbarber/puppet-iptables
>
> It's a mod to the camptocamp code. It persists iptables with iptables-save
> without requiring an external exec notify. It also stores the
> resource name as a comment using iptables --comment

This is awesome. It's just what I needed. Thanks so much for writing it.

> It was only tested on RHEL5.x - your mileage may vary.

I found a couple problems on my ubuntu machines. I forked it to http://github.com/directionless/puppet-iptables I think you probably want to pull some of my patches up, I sent you a thing through github.

seph
Hehehe - cool bananas. Happy to merge - just one small problem.

I'm guessing that syntax is how you persist rules in Ubuntu? I run Ubuntu at work now but I'm a newb:

    /sbin/iptables-save > /etc/iptables.rules

Using that will break fedora - so we need a facter if/then. Do you have the time to add and test something like this?

    # Pick the distribution's persist command from the operatingsystem fact.
    # Facter reports "RedHat" and "CentOS" with that capitalisation, so the
    # regex has to match it exactly.
    persist_cmd = case Facter.value(:operatingsystem)
                  when /(Fedora|RedHat|CentOS)/ then "/sbin/service iptables save"
                  when /(Ubuntu|Debian)/ then "/sbin/iptables-save > /etc/iptables.rules"
                  else nil
                  end
    # system(nil) raises TypeError, so do nothing on an unknown distribution
    system(persist_cmd) if persist_cmd

We should probably take this dev discussion off-thread to not create too much mail noise. Feel free to email me or get me on xmpp/google talk (same addy as my email address).

ken.

On Apr 21, 9:52 pm, seph <s...@directionless.org> wrote:
> Ken <k...@bob.sh> writes:
> > What scope did you define that code in? Try it in your /etc/puppet/
> > manifests/site.pp file.
>
> I tried it in both the iptables module and the site.pp file. But, I like
> your module more.
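A fuller version of the persist step Ken sketches above, added here as an example that is not part of this thread or of either iptables module: it maps the operatingsystem fact to an argv array rather than a shell string, captures iptables-save through a pipe (so no shell ever parses the redirect), and writes the rules file 0600 and atomically, since a saved ruleset spells out the host's whole firewall policy. The names persist_command, run_argv, write_private_atomic and persist_rules, and the injectable runner, are assumptions made for this example.

```ruby
require "open3"
require "tempfile"
require "tmpdir"

# Map the operatingsystem fact to how the live ruleset gets persisted.
# :argv is run directly (no shell); :output is the file iptables-save's
# stdout should land in on distributions with no native "save" step.
# Unknown distributions get nil, i.e. do nothing rather than guess.
def persist_command(operatingsystem, rules_path = "/etc/iptables.rules")
  case operatingsystem
  when /\A(Fedora|RedHat|CentOS)\z/i
    { argv: ["/sbin/service", "iptables", "save"], output: nil }
  when /\A(Ubuntu|Debian)\z/i
    { argv: ["/sbin/iptables-save"], output: rules_path }
  end
end

# Run an argv array and return its stdout; a non-zero exit is an error,
# never a silently empty rules file that loads an open firewall at boot.
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  raise "#{argv.first} failed with exit status #{status.exitstatus}" unless status.success?
  out
end

# Write data to a 0600 temp file in the target directory and rename it
# into place, so the boot-time loader never sees a partial ruleset and
# the policy is never readable by other users, even briefly.
def write_private_atomic(path, data)
  tmp = Tempfile.create(File.basename(path), File.dirname(path))
  tmp.chmod(0o600)
  tmp.write(data)
  tmp.close
  File.rename(tmp.path, path)
end

# runner is injectable (hypothetical) so the flow can be exercised
# without root or iptables; returns :saved or :skipped.
def persist_rules(operatingsystem, runner: method(:run_argv), rules_path: "/etc/iptables.rules")
  spec = persist_command(operatingsystem, rules_path)
  return :skipped unless spec
  out = runner.call(spec[:argv])
  write_private_atomic(spec[:output], out) if spec[:output]
  :saved
end
```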
Marc Fournier
2010-Apr-21 22:39 UTC
Re: [Puppet Users] Re: getting a list of rules out of iptables
Seph, Ken,

Thanks for your patches on this module ! I love the --comment idea. I will definitely pull this asap.

> You shouldn't need the 'before' in the 'iptables' resource. Not quite
> sure why it's not executing, but how about this ...

I do know why it's not executing: unfortunately this iptables type isn't able to notify other resources. I wasn't able to figure out quickly how this should be done, and never really got back to it...

I'm not too comfortable with the idea of directly calling iptables-save in the ruby code and saving the output into a file. IMHO, the point of saving the output to a file is to be able to load the firewall at boot time, and the way this is done is distribution specific. I think this should be left out of the ruby part, and maybe put in some puppet class which does the right thing for each distribution. But of course, notify needs to be fixed first...

Any pointer on this is very welcome: what sort of magic must be put in a puppet type to allow it to send notification to other resources once it has run ?

Thanks !

Marc
Hey Marc - I was hoping you would join in the discussion :-).

> Thanks for your patches on this module ! I love the --comment idea. I
> will definitely pull this asap.

Thanks for writing puppet-iptables in the first place - I use it all the time and it really makes my life easier.

> I'm not too comfortable with the idea of directly calling iptables-save
> in the ruby code and saving the output into a file. IMHO, the point of
> saving the output to a file is to be able to load the firewall at boot
> time, and the way this is done is distribution specific. I think this
> should be left out of the ruby part, and maybe put in some puppet class
> which does the right thing for each distribution. But of course, notify
> needs to be fixed first...

Hmm. I see your point re: worrying about OS dependent stuff - but examples of this are littered throughout most providers (including core) so it's not abnormal to do it this way. I don't think it's as hard as you think, but obviously if someone tries to use the module on a distro that isn't supported you can always do nothing by default. Of course some users may not want persistence and would want to turn it off ... The convenience of having your module 'just work' without extra magic is a + for users I would imagine. At least for me it is. *shrug*.

> Any pointer on this is very welcome: what sort of magic must be put in
> a puppet type to allow it to send notification to other resources once
> it has run ?

I'll take a look tonight. I think because you do all your changes quite late in the flow it might pose some problems with ordering. Let me take a proper look.

ken.
Ken <ken@bob.sh> writes:

> Hehehe - cool bananas. Happy to merge - just one small problem.
>
> I'm guessing that syntax is how you persist rules in Ubuntu? I run
> Ubuntu at work now but I'm a newb:
>
> /sbin/iptables-save > /etc/iptables.rules

Yeah, that would be the ubuntu specific piece. I don't think ubuntu actually has a proper way to save the iptables rules. It's mostly left as an exercise for the end user, I'm not even sure that path is much agreed on.

> persist_cmd = case Facter.value(:operatingsystem)
>   when /(Fedora|Redhat|Centos)/ then "/sbin/service iptables save"
>   when /(Ubuntu|Debian)/ then "/sbin/iptables-save > /etc/iptables.rules"
>   else nil
> end

Oh, this is much more clever. I didn't know enough ruby to do this. I think this is a good approach.

Ken <ken@bob.sh> writes:

> Hey Marc - I was hoping you would join in the discussion :-).
>
>> Thanks for your patches on this module ! I love the --comment idea. I
>> will definitely pull this asap.
>
> Thanks for writing puppet-iptables in the first place - I use it all
> the time and it really makes my life easier.

What he said. It's really helped my manifests.

>> I'm not too comfortable with the idea of directly calling iptables-save
>> in the ruby code and saving the output into a file. IMHO, the point of
>> saving the output to a file is to be able to load the firewall at boot
>> time, and the way this is done is distribution specific. I think this
>> should be left out of the ruby part, and maybe put in some puppet class
>> which does the right thing for each distribution. But of course, notify
>> needs to be fixed first...
>
> Hmm. I see your point re: worrying about OS dependent stuff - but
> examples of this are littered throughout most providers (including
> core) so it's not abnormal to do it this way. I don't think it's as hard
> as you think, but obviously if someone tries to use the module on a
> distro that isn't supported you can always do nothing by default. Of
> course some users may not want persistence and would want to turn it
> off ...

I feel ambivalent. Given the lack of standards here I suspect there may be some site specific customizations. Which I'd rather expose in puppet manifests and not ruby type defs. But, I also don't know how to make it, and tend to feel pragmatic about things.

seph