feature: ipset.present to idempotently manage an entire ipset

[ahammond]

Currently I need a minimum of 2 formula calls to manage an ipset set. This should be a single formula with an interface like this:

my_set_name:
  ipset.present:
    - set_type: hash:net
    - comment: my_set_name_comment
    - entries:
      - entry1: entry1_comment
      - entry2: entry2_comment
      - entry3

This should check to see if there is a my_set_name ipset of type hash:net with the appropriate comment and the appropriate entries (one call to ipset -L my_set_name, cache the output for later)

IF the state is not as expected (wrong type, missing or extra entries), it should

• create a set named temp_XXXX
• set the entries appropriately, with associated comments
• uses ipset -W my_set_name temp_XXXX to idempotently upgrade my_set_name
• call ipset -L my_set_name again and diff it with the cached output for reporting changes
• ipset -X temp_XXXX to get rid of old set data

[ahammond]

I recognize that this is overloading the functionality of ipset.present, however it is easily differentiated by the presence/absence of the set_type kwarg.

[jfindlay]

@ahammond, thanks for the report.

[ahammond]

Reasoning behind this: we're managing ipsets with hundreds of memebers. ipset while fast still bogs down when called multiple hundreds of times (first to check if a set has a member, then to add it). A single call that gathers data, followed by a minimal number of calls to implement an atomic change is very desirable. Even more clever would be to detect situations where the only change was adding members to the set and then just add the members without doing a swap.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.