Hi John,

On Wednesday, March 13, 2013 11:51:51 AM UTC-4, jcbollinger wrote:
>
> On the flip side, the Firewall resource type provided by that module does
> not have any inherent dependency on such classes -- that's all coming from
> the global resource defaults you declare.
>

I understand that the ::pre and ::post dependencies are my own modifications to the resource defaults. If it helps to see where I got this from, I followed the "recommended" configuration from https://forge.puppetlabs.com/puppetlabs/firewall . The dependencies are a red herring and not my real problem.

I will try stating what I want without any assumptions or postulation:

- Any module can declare its own set of firewall rules
- These rules are only enforced when a "switch" is flipped on the node

That's all.

>> - Define a use_firewall guard parameter
>
> A parameter of what? The ::firewall class?
>

A node parameter to effectively wrap any Firewall resources in, e.g.:

    define firewall::rule($proto, $port, $action) { # real one would have all parameters
      if $::use_firewall {
        firewall { $title:
          proto  => $proto,
          port   => $port,
          action => $action,
        }
      }
    }

    class my_server_class (
      $listen_port
    ) {
      firewall::rule { '500 my_server_class':
        proto  => tcp,
        port   => $listen_port,
        action => accept,
      }
      ...
    }

Or even something like this? (untested):

    ## sites.pp
    Firewall {
      ensure => $::use_firewall ? {
        undef               => absent,
        /(?i:no|false|off)/ => absent,
        /(?i:yes|true|on)/  => present,
      }
    }

>> - Move all Firewall resources into the firewall module as sub-classes
>
> That doesn't even make sense. Resources are not classes, so they cannot
> be subclasses.
>

Sorry, poor choice of words. I meant pulling Firewall definitions out of all classes and putting them under ::firewall, as you guessed. I thought perhaps once I did that, I could put logic in the firewall class to load sets of Firewall resources contained in subclasses based on what classes the current node was using. I abandoned that idea, it's too convoluted with too much magic, and I'd like to keep firewall definitions within the classes they concern.

Upon further reflection and looking at the firewall type a little closer, I realize that, disregarding any ::pre, ::post, or persist-firewall complications, the simple act of declaring a firewall resource will cause it to be loaded into iptables. So any solution would involve either preventing the resources' declarations in the first place, or changing the behaviour of the type itself.

Thanks for making me think about it :)

Regards,
David
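The guard pattern David sketches above, written out as an added example; it is not code from David's post nor from the puppetlabs-firewall module. It assumes a hypothetical node fact or ENC parameter $::use_firewall holding yes/no, true/false or on/off as a string (facts are strings in Puppet 3), and a hypothetical site module named site_firewall: a define called firewall::rule would have to live inside the puppetlabs-firewall module's own directory to autoload, so the wrapper gets its own namespace. The example combines the two approaches in the post, and adds the check a practitioner wants: when the switch is off it sets ensure => absent rather than simply not declaring the resource, because a rule that was applied while the switch was on stays in iptables if it is merely no longer declared.

```puppet
# Added example: not from the original post or the puppetlabs-firewall module.
# Assumed: a $::use_firewall fact/ENC parameter (string: yes/no, true/false,
# on/off) and a site module "site_firewall" that wraps the Firewall type.

# site_firewall/manifests/init.pp
class site_firewall {
  # Normalise the switch once so every wrapper and the purge logic agree.
  # Unset or any unexpected value falls through to "do not enforce".
  $enforce = $::use_firewall ? {
    /(?i:^(yes|true|on)$)/ => true,
    default                => false,
  }

  if $enforce {
    # Remove iptables rules Puppet does not manage. Only safe once every rule
    # the node needs is declared through site_firewall::rule or Firewall.
    resources { 'firewall':
      purge => true,
    }
  }
}

# site_firewall/manifests/rule.pp
define site_firewall::rule (
  $proto  = 'tcp',
  $port   = undef,
  $dport  = undef,
  $source = undef,
  $action = 'accept',
  $chain  = 'INPUT',
) {
  include site_firewall

  # ensure => absent actively deletes a rule applied while the switch was on;
  # not declaring it at all would leave it loaded in iptables.
  $ensure = $site_firewall::enforce ? {
    true    => 'present',
    default => 'absent',
  }

  firewall { $title:
    ensure => $ensure,
    proto  => $proto,
    port   => $port,
    dport  => $dport,
    source => $source,
    action => $action,
    chain  => $chain,
  }
}

# Usage in any module: the rule stays next to the class it protects, and the
# class needs no knowledge of the switch.
class my_server_class (
  $listen_port = 8080,
) {
  site_firewall::rule { '500 my_server_class':
    proto  => 'tcp',
    dport  => $listen_port,
    action => 'accept',
  }
}
```

With the switch off, every wrapped rule is declared with ensure => absent and nothing is purged, so the node converges to "no Puppet-managed rules" without touching rules something else put there; with the switch on, the wrapped rules are present and the purge removes everything else. Flipping the switch therefore changes the state of the kernel's ruleset on the next run in both directions, which a plain "if $::use_firewall { ... }" around the declaration does not do.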
