Open robertc99 opened 1 year ago
Hi there, I am the maintainer of firewall_multi. I recall there being a fundamental limitation discussed in MODULES-3066. Unfortunately, I can't remember the specifics, and it appears the Jira ticket has been moved or is no longer accessible.
However, I concur with @robertc99 that it is worth revisiting this discussion.
I suspect the underlying issue lies in the firewall module's approach: it wraps a Linux iptables firewall rule within a custom provider. This design might not support arrays of inputs, such as source, dest, and the like. So, even though handling arrays of these inputs is highly beneficial for large organisations, the only feasible method to achieve this might be through code generation.
That's essentially what firewall_multi does. It provides a defined type firewall_multi that allows arrays on certain inputs and from these spawns multiple firewall resources.
But yes, please have another look, as many years have passed and I no longer manage firewalls myself.
Use Case
It would be very useful to support arrays for more of the parameters. At the moment, I think only port numbers support array inputs. It would also be useful to support arrays for things like source, destination, proto, icmp and protocol.
The firewall_multi module wraps a layer around firewall to add this functionality. But it's sensitive to changes in firewall and has to be updated for every firewall release.
I believe the idea of supporting this functionality natively in the firewall module has been suggested before. But I believe there were technical issues that made it difficult. I'm hoping the recent rewrite of firewall has removed these issues.
There is some discussion of the issue here: https://groups.google.com/u/1/g/puppet-users/c/2Oy32a579jU
And I believe there was discussion in Jira. But the Jira has moved. I'm hoping you can still reference the content. The old links were https://tickets.puppetlabs.com/browse/MODULES-3066 and http://projects.puppetlabs.com/issues/10116