PR progress checklist (to be filled in by reviewers)
[ ] Changes to documentation are appropriate (or tick if not required)
[ ] Changes to tests are appropriate (or tick if not required)
[ ] Reviews completed
What type of PR is this?
Primary type
[ ] [build] Changes related to the build system
[ ] [chore] Changes to the build process or auxiliary tools and libraries such as documentation generation
[ ] [ci] Changes to the continuous integration configuration
[x] [feat] A new feature
[ ] [fix] A bug fix
[ ] [perf] A code change that improves performance
[ ] [refactor] A code change that neither fixes a bug nor adds a feature
[ ] [revert] A change used to revert a previous commit
[ ] [style] Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)
Secondary type
[x] [docs] Documentation changes
[x] [test] Adding missing or correcting existing tests
Does this PR introduce a BREAKING CHANGE?
No.
Related issues and/or pull requests
Describe the changes you're proposing
Currently every deny rule is forced to be at the top (with insert 1)
There are use cases (like the new example in README) where you allow all traffic from a private interface, but want to explicitly deny access to a port (save for 1 IP).
on the cmdline you would first allow the IP access to the service, then deny the service. In the current state, the deny is forced as first line and thus negates the order in the pillar.
This feature introduces the 'force_first' that when set to False and used with 'deny', does not use deny insert 1 but deny.
Pillar / config required to test the proposed changes
Debug log showing how the proposed changes work
Documentation checklist
[x] Updated the README (e.g. Available states).
[x] Updated pillar.example.
Testing checklist
[x] Included in Kitchen (i.e. under state_top).
[x] Covered by new/existing tests (e.g. InSpec, Serverspec, etc.).
PR progress checklist (to be filled in by reviewers)
What type of PR is this?
Primary type
[build]Changes related to the build system[chore]Changes to the build process or auxiliary tools and libraries such as documentation generation[ci]Changes to the continuous integration configuration[feat]A new feature[fix]A bug fix[perf]A code change that improves performance[refactor]A code change that neither fixes a bug nor adds a feature[revert]A change used to revert a previous commit[style]Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc.)Secondary type
[docs]Documentation changes[test]Adding missing or correcting existing testsDoes this PR introduce a
BREAKING CHANGE?No.
Related issues and/or pull requests
Describe the changes you're proposing
Currently every deny rule is forced to be at the top (with
insert 1) There are use cases (like the new example in README) where you allow all traffic from a private interface, but want to explicitly deny access to a port (save for 1 IP).on the cmdline you would first allow the IP access to the service, then deny the service. In the current state, the deny is forced as first line and thus negates the order in the pillar.
This feature introduces the 'force_first' that when set to
Falseand used with 'deny', does not usedeny insert 1butdeny.Pillar / config required to test the proposed changes
Debug log showing how the proposed changes work
Documentation checklist
README(e.g.Available states).pillar.example.Testing checklist
state_top).Additional context