saltstack-formulas / shorewall-formula Goto Github PK

Time goes on, and so we get shorewall 5 on the way.

I wish to keep the formula both compatible with version 4 and 5, but the following applies:

• obsolete configuration file:
  • 'tcrules' and 'tos' => 'mangle'
  • 'blacklist' => 'blrules'
  • 'routestopped' => 'stoppedrules'
  • 'notrack' => 'conntrack'
• macros only with format-2 (probably not a big issue)
• since shorewall 4.6 COMMENT, FORMAT and SECTION Lines now require the leading question mark ("?")

Looking ant YAML Idiosyncrasies Salt documentation, 0644 will be interpreted as octal and becomes 420.

salt.states.file always use '0644' or 644 in their examples.

Hello,

We are actually happily using this formula, but we are facing a new need, to dynamically generate a parameter with the salt mine.

Our situation looks like:

• a server S which provides a service on port P
• a bunch of 'client' servers C, they need to access the service on S
• C are tagged/identified/configured with a pillar UseService: True

If we want to maintain firewall of S to only open port P, we could use a pillar like this

shorewall:
  rules:
    NEW:
      - action: ACCEPT
      - source $S_CLIENTS
      - dest: $FW
      - proto: tcp
      - destport: P

But the param S_CLIENTS can only be specified statically with

shorewall:
  params:
    - key: S_CLIENTS
      value: 10.10.10.1,10.10.10.2,10.10.10.3

The only solution I see, would be to let shorewall:params manage (in addition to actual static values) mine queries. Something like what mysql-formula already implements. New pillar could look like

shorewall:
  params:
    - key: S_CLIENTS
      mine: 
        target: I@UseService
        function: <mine function to retrieve public IP>
        expr_form: compound

I already have some code to implement this idea (which still needs work before any PR), but I would like to know what users think about this idea.