(CAT-376) Rework firewall module to use the resource_api #1145

david22swan · 2023-07-18T15:52:32Z

Summary

This PR has been created to update the Firewall module to utilize the resource_api, with the intention being to increase the ease with which the module can be updated and managed in the future.
As part of this several backwards incompatible changes where made, including:

The provider attribute with the Firewall type has been renamed protocol, due to both the resource_api forbidding the use of this as an attribute name and to bring it in line with the Firewallchain. Though it continues to accept both iptables and ip6tables alongside IPv4 and IPv6, this may change in the future.
The action attribute has been removed as it managed the same function as the jump attribute, only on a more limited scale. Though this was given a reason, to enforce the use of generic parameters, I found this to be a needlessly complex addition to the code.
Strict types have been declared for all attributes.
The port attribute has been removed as it was deprecated several years ago.
dport/sport ranges should be passed with : as a separator as this is the valid form of input for the flag. Code has been updated to allow the original separator -, though it is not preferred.
Array attributes, such as sport/dport, that require negation to be universal among all passed values have been updated so that rather than negating each and every value passed you now simply negate the first value in the array in order to negate them all, although the original form of negating each and every value is still allowed. Certain array values such as src_type/dst_type differ however and necessitate that each value be negated, or not negated as it were, separately.

**NOTES:

firewallchain purge tests disabled, waiting on puppet-resource_api functionality to be merged and released: (CAT-761) Add custom_generate as a feature puppet-resource_api#316 --> puppet-resource_api change has been merged and released (v1.9.0), waiting on update to puppet-agent to include this new version so that I can turn on the automated tests (CAT-761) Update puppet-resource_api version puppet-agent#2383 --> PR has been merged and will be included in 7.26.0 and 8.2.0 --> tests enabled
Unable to use the Stdlib IP types for most address style input as they include extra features such as ranges and negation.

Checklist

🟢 Spec tests.
🟢 Acceptance tests.
Manually verified. (For example puppet apply)

greatflyingsteve · 2023-08-04T01:40:29Z

lib/puppet/provider/firewall/firewall.rb

After the struggle I went through to get #1126 and #1127 in working order, there are large parts of this file that read like a bandaid being torn off. It might not be fun to re-work my PR to fit this framework, but I'm betting it'll be so much easier than writing the original draft was. Reading through this version is so much more satisfying!

One question, though - if the output of ip[6]tables-save is just the arguments one should append to iptables -t <blah> to regenerate the same rule again, would it have been simpler to use optparse to recover the sense from the rules' arguments?

Thanks for the positive response :)

In regards to the use of optparse, I had not encountered it before and so didn't consider it as an option.
It may be a little late for me to be rewriting the code, I am scheduled to move onto other work, however I will make sure to ticket it up as an improvement so if I do not get time to implement it myself, it will exist as a goal for the future.

README.md

LukasAud

Looking Good To Me. Hoping we will get a bunch more reviews. This deserves a lot of 👀

Ramesh7 · 2023-08-23T13:47:34Z

LGTM, can we get review from more experts?

david22swan · 2023-08-24T09:06:55Z

@bastelfreak Could you take a look at this?

.sync.yml

spec/spec_helper_acceptance_local.rb

spec/spec_helper_local.rb

spec/unit/classes/firewall_linux_archlinux_spec.rb

.rubocop.yml

README.md

david22swan · 2023-08-29T12:58:38Z

CentOS 8 failures have appeared on nightly,
cause found and accounted for

Remove all old code from the module

- support for IPv4 (CAT-683) - support for IPv6 (CAT-961)

- support for IPv4 (CAT-684) - support for IPv6 (CAT-961) - support for all attributes (CAT-960)

Update acceptance testing to account for changes. Includes: - standard_usage_spec.rb - rules_spec.rb - resource_cmd_spec.rb - firewallchain_spec.rb - firewall_duplicate_comment_spec.rb

Update acceptance testing to account for changes. Includes: - class_spec.rb - firewall_attributes_exceptions_spec.rb - firewall_attributes_happy_path_spec.rb - firewall_attributes_ipv6_exceptions_spec.rb - firewall_attributes_ipv6_happy_path_spec.rb

Unit test coverage for utility functions found within the puppet_x namespace

Test coverage for the firewall and firewallchain Types

Test separated out into three files due to the size and complexity of the provider.

Actionable errors left in file will be handled by a follow-up PR

README.md

bastelfreak

I'm not a resource_api expert, but the changes look good to me.

LukasAud

LGTM 👍

Dont forget to remove the Do Not Merge

traylenator · 2023-08-30T14:47:30Z

The action parameter going ? Is that necessary ?

If it could live till EOL for EL7?

david22swan · 2023-08-30T14:53:03Z

@traylenator The functionality behind the attribute is still there, it just means renaming the attribute your setting to jump instead.
I felt it was wasteful to have two attributes for the same iptables value.
It may be inconvenient in the short term but in the long term it helps to simplify the code.

As a side, any reason for E7 in particular?

traylenator · 2023-08-30T14:55:56Z

@traylenator The functionality behind the attribute is still there, it just means renaming the attribute your setting to jump instead. I felt it was wasteful to have two attributes for the same iptables value. It may be inconvenient in the short term but in the long term it helps to simplify the code.

Thanks for the reply - will live with the status quo till we launch EL7 into oblivion (and drop this module).

Add Requires on puppet-resource_api It's needed since the merge of [1] [1] puppetlabs/puppetlabs-firewall#1145 (cherry picked from commit 0b245d6) Change-Id: Id033e1418a4696726382b4ceeb684ae0afa3d253

It's needed since the merge of [1] [1] puppetlabs/puppetlabs-firewall#1145 Change-Id: If156134ecf968b98578a57dbe14030a1a8c93174

david22swan added the backwards-incompatible label Jul 18, 2023

david22swan requested a review from a team as a code owner July 18, 2023 15:52

david22swan changed the title ~~(CONT-376) Rework firewall module to use the resource_api~~ (WIP)(CONT-376) Rework firewall module to use the resource_api Jul 18, 2023

david22swan mentioned this pull request Jul 18, 2023

Re-Architect Firewall #1100

Closed

david22swan changed the title ~~(WIP)(CONT-376) Rework firewall module to use the resource_api~~ (WIP)(CAT-376) Rework firewall module to use the resource_api Jul 26, 2023

greatflyingsteve reviewed Aug 4, 2023

View reviewed changes

david22swan changed the title ~~(WIP)(CAT-376) Rework firewall module to use the resource_api~~ (DO NOT MERGE)(CAT-376) Rework firewall module to use the resource_api Aug 23, 2023

Ramesh7 reviewed Aug 23, 2023

View reviewed changes

README.md Show resolved Hide resolved

LukasAud previously approved these changes Aug 23, 2023

View reviewed changes

david22swan dismissed LukasAud’s stale review via f952013 August 23, 2023 12:58

jordanbreen28 reviewed Aug 24, 2023

View reviewed changes

.sync.yml Show resolved Hide resolved