The difficulty with allowing multiple sources is that it falls in line only with a scripted workflow, not an idempotent workflow. This is from the iptables manpage: "Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D)."
Converting the firewall type to manage multiple rules with a single resource is surely the way to madness ;).

-Hunter

On Thu, Feb 11, 2016 at 2:33 PM, Felix Frank <felix.fr...@alumni.tu-berlin.de> wrote:

> On 02/09/2016 06:41 AM, Alex Harvey wrote:
>
>> Can I get some feedback at this early stage that my PR would be accepted,
>> assuming I can come up with a clean, working solution?
>
> Hi,
>
> I don't think that anyone will be able to answer this without at least
> looking at what you're building, or intend to.
>
> From experience, cool features like this have good chances, *unless* they
> come with some pitfalls or a catch that the maintainer (Puppet Labs?) is
> not willing to accept.
>
> As for the feature you're looking at: My gut tells me that you might not
> be able to come up with a clean model to support all that. Multiple
> destination ports should not be problematic, thanks to netfilter's
> multiport module.
>
> But multiple addresses get expanded into distinct rules, IIRC. This likely
> cannot be reconciled with Puppet's resource model, or not without
> introducing some bizarre semantic tricks.
>
> So my advice is to open a PR as soon as possible, even if the feature does
> not work yet, just to showcase your approach and gather the feedback you
> came seeking here.
>
> HTH,
> Felix
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/56BD0C52.80307%40Alumni.TU-Berlin.de.
> For more options, visit https://groups.google.com/d/optout.
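
The mismatch discussed in this thread, as an added Ruby sketch that is not part of the original messages and is not puppetlabs-firewall code: one declared resource with two source addresses becomes two stored rules, a multiport port list stays one rule, and a present/absent check gains a third "partial" state. The resource hash, rule strings and function names are constructed for illustration, and the model assumes a rule is identified by its name stored in a comment.

```ruby
# Constructed model (not puppetlabs-firewall code). Assumes a rule is
# identified by its resource name stored in an iptables comment.

# Model the rules iptables would hold for one declared resource:
# "-s a,b" becomes one rule per address; several ports stay in a single
# rule through the multiport match.
def expand(spec)
  sources = spec[:source].to_s.split(',').map(&:strip)
  sources = [nil] if sources.empty?
  ports = Array(spec[:dport]).map(&:to_s)
  sources.map do |src|
    rule = ['-A', spec[:chain]]
    rule += ['-s', src] if src
    rule += ['-p', spec[:proto]]
    rule += ['-m', 'multiport', '--dports', ports.join(',')] if ports.size > 1
    rule += ['--dport', ports.first] if ports.size == 1
    rule += ['-m', 'comment', '--comment', %("#{spec[:name]}"), '-j', spec[:action]]
    rule.join(' ')
  end
end

# Compare one resource with the rules found on the host. An idempotent
# present/absent model has no place for the :partial result.
def state(spec, saved_rules)
  wanted = expand(spec)
  found = wanted.count { |rule| saved_rules.include?(rule) }
  return :absent if found.zero?
  found == wanted.size ? :in_sync : :partial
end

# Constructed sample resource and host state.
WEB = { name: '100 allow web', chain: 'INPUT', proto: 'tcp',
        source: '10.0.0.1/32,10.0.0.2/32', dport: [80, 443], action: 'ACCEPT' }.freeze
ON_HOST = [
  '-A INPUT -s 10.0.0.1/32 -p tcp -m multiport --dports 80,443 ' \
  '-m comment --comment "100 allow web" -j ACCEPT'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts expand(WEB)
  # Only one of the two expanded rules is on the host in this sample.
  puts "state: #{state(WEB, ON_HOST)}"
end
```

Both expanded rules carry the same comment, so the name alone no longer identifies a single rule on the host.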