oguya
commented
9 years ago I think we should just continue using the concept of ghetto_ipsets. The only con is that we'll endup adding a lot of checks in templates & tasks in which they'll be used/refered.
For instance:
-
in
host_vars/hostnameextra_ghetto_ipsets: addis_dmz: { src: '192.168.1.0/24' } nbo_dmz: { src: '192.168.2.0/24' } -
in iptables template:
{% for network in ssh_access %} {% if ghetto_ipsets[network] is defined and ghetto_ipsets[network].src is defined %} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s {{ ghetto_ipsets[network].src }} -j ACCEPT {% endif %} {% if extra_ghetto_ipsets[network] is defined and extra_ghetto_ipsets[network].src is defined %} -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s {{ extra_ghetto_ipsets[network].src }} -j ACCEPT {% endif %} {% endfor %}
So, we'll have two sections, one for the normal ghetto_ipsets & another one for extra_ghetto_ipsets. To avoid issue of missing/undefined items in either variables, we have to check if an item exists & if it is defined.
alanorth
Right now ipsets are defined in our global (private) variables, but hosts can override them by copying the entire dict structure from
private/vars/ipsets.ymlto their host_vars and adding custom hosts. Unfortunately if the global ipsets change for some reason, we would probably forget to update the overridden ones too.It would be nice for a host to be able to use something like
extra_ghetto_ipsets, similar to how we useextra_iptables_rules.