
Add ability to use extra_ghetto_ipsets #14

Open
alanorth opened this issue Aug 6, 2015 · 2 comments

Comments

@alanorth
Member

alanorth commented Aug 6, 2015

Right now ipsets are defined in our global (private) variables, but hosts can override them by copying the entire dict structure from private/vars/ipsets.yml to their host_vars and adding custom hosts. Unfortunately if the global ipsets change for some reason, we would probably forget to update the overridden ones too.

It would be nice for a host to be able to use something like extra_ghetto_ipsets, similar to how we use extra_iptables_rules.

@oguya
Contributor

oguya commented Aug 10, 2015

I think we should just continue using the concept of ghetto_ipsets. The only con is that we'll end up adding a lot of checks in templates & tasks in which they'll be used/referred.

For instance:

  • in host_vars/hostname

    extra_ghetto_ipsets:
      addis_dmz: { src: '192.168.1.0/24' }
      nbo_dmz: { src: '192.168.2.0/24' }

  • in iptables template:

    {% for network in ssh_access %}
    {% if ghetto_ipsets[network] is defined and ghetto_ipsets[network].src is defined %}
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s {{ ghetto_ipsets[network].src }} -j ACCEPT
    {% endif %}
    {% if extra_ghetto_ipsets[network] is defined and extra_ghetto_ipsets[network].src is defined %}
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s {{ extra_ghetto_ipsets[network].src }} -j ACCEPT
    {% endif %}
    {% endfor %}


So, we'll have two sections, one for the normal ghetto_ipsets & another one for extra_ghetto_ipsets. To avoid the issue of missing/undefined items in either variable, we have to check if an item exists & if it is defined.

@alanorth
Member Author

This only causes problems because we treat web and ssh as special... but if you use them with extra iptables rules we would only need to check them where we process the extra rules:

extra_ghetto_ipsets:
  joguya_laptop: { src: '192.168.1.0/24' }

extra_iptables_rules:
  - { protocol: tcp, port: 22, acl: joguya_laptop }

But ugh... none of this is just simple and obvious, and actually will end up causing more problems. I dunno, it will start to outweigh the benefits. Perhaps a better question is if we need to streamline the way we run the iptables rules in the first place.
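The two comments above describe the same rendering problem from two sides: oguya's template has to guard every lookup in both dicts, and alanorth's variant lets extra_iptables_rules name an ipset by acl so the guard only has to live in one place. The following is an added example (not code from this repository or from either commenter) that models both in plain Python instead of Jinja: it merges the global ghetto_ipsets with a host's extra_ghetto_ipsets (host entries win on a name clash, which is how Ansible's combine filter behaves; that the template would use combine is an assumption), renders the ssh_access rules and the acl-based extra rules, and reports any network that is referenced but has no usable src instead of silently emitting a rule with an empty source. All ipset values, the ssh_access list and the extra rules are constructed sample data; the function names are mine.

```python
"""Added example, not part of the ansible repository discussed in this issue.

Models how a host's extra_ghetto_ipsets can be merged with the global
ghetto_ipsets and then consumed by the ssh_access loop and by
extra_iptables_rules entries that reference an ipset via `acl`.  Entries that
are missing or lack a `src` key are collected as errors rather than rendered,
which is the 'AnsibleUndefinedVariable' / missing-attribute failure mode the
thread is worried about.  All data below is constructed sample input.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample data (values mirror the ones quoted in the thread).
GLOBAL_IPSETS: Dict[str, dict] = {
    "office": {"src": "10.0.0.0/8"},
    "broken": {"dst": "10.1.0.0/16"},   # present but has no `src`
}
HOST_EXTRA_IPSETS: Dict[str, dict] = {
    "addis_dmz": {"src": "192.168.1.0/24"},
    "nbo_dmz": {"src": "192.168.2.0/24"},
    "joguya_laptop": {"src": "192.168.1.0/24"},
}
SSH_ACCESS: List[str] = ["office", "addis_dmz", "broken", "nonexistent"]
EXTRA_IPTABLES_RULES: List[dict] = [
    {"protocol": "tcp", "port": 22, "acl": "joguya_laptop"},
    {"protocol": "tcp", "port": 443, "acl": "typo_set"},  # acl never defined
]

RULE_FMT = "-A INPUT -p {proto} -m state --state NEW -m {proto} --dport {port} -s {src} -j ACCEPT"


def merge_ipsets(global_ipsets: Dict[str, dict], extra_ipsets: Dict[str, dict]) -> Dict[str, dict]:
    """Host extras override a global entry of the same name (assumption: this
    mirrors what `ghetto_ipsets | combine(extra_ghetto_ipsets)` would do)."""
    merged = dict(global_ipsets)
    merged.update(extra_ipsets)
    return merged


def resolve_src(ipsets: Dict[str, dict], name: str) -> Optional[str]:
    """Return the `src` of an ipset, or None if the ipset or its src is undefined.
    This is the single guard that replaces the per-dict `is defined` checks."""
    entry = ipsets.get(name)
    if not isinstance(entry, dict):
        return None
    src = entry.get("src")
    return src if isinstance(src, str) and src else None


def ssh_rules(ipsets: Dict[str, dict], ssh_access: List[str]) -> Tuple[List[str], List[str]]:
    """Render the special-cased SSH rules; unresolved networks go to `missing`."""
    rules, missing = [], []
    for network in ssh_access:
        src = resolve_src(ipsets, network)
        if src is None:
            missing.append(network)
            continue
        rules.append(RULE_FMT.format(proto="tcp", port=22, src=src))
    return rules, missing


def extra_rules(ipsets: Dict[str, dict], extra: List[dict]) -> Tuple[List[str], List[str]]:
    """Render extra_iptables_rules whose `acl` names an ipset in the merged dict."""
    rules, missing = [], []
    for rule in extra:
        src = resolve_src(ipsets, rule["acl"])
        if src is None:
            missing.append(rule["acl"])
            continue
        rules.append(RULE_FMT.format(proto=rule["protocol"], port=rule["port"], src=src))
    return rules, missing


def render_host(global_ipsets, extra_ipsets, ssh_access, extra) -> Tuple[List[str], List[str]]:
    """Full per-host render: returns (rules, unresolved network names)."""
    merged = merge_ipsets(global_ipsets, extra_ipsets)
    ssh, missing_ssh = ssh_rules(merged, ssh_access)
    ext, missing_ext = extra_rules(merged, extra)
    return ssh + ext, missing_ssh + missing_ext


if __name__ == "__main__":
    rules, missing = render_host(GLOBAL_IPSETS, HOST_EXTRA_IPSETS, SSH_ACCESS, EXTRA_IPTABLES_RULES)
    print("\n".join(rules))
    if missing:
        # A real playbook would fail the task here rather than ship a partial ruleset.
        print("unresolved ipsets:", ", ".join(missing))
```

Failing the render when `missing` is non-empty is the useful part: with the two-dict template in the thread, a typo in an acl name silently drops the rule, and the host simply ends up with less access than intended, which is hard to spot from the generated rules alone.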

oguya pushed a commit that referenced this issue Aug 19, 2015
extra_ghetto_ipsets var. allows you to add additional ipsets which will
then be used to create extra firewall rules. Unfortunately,
extra_ghetto_ipsets only works with extra_iptables_rules because of the
extra variable checks added, otherwise you might end up with
'AnsibleUndefinedVariable' errors or missing attributes in dict object
errors.

This commit is related to issue #14 on GitHub[1].

1. #14

Signed-off-by: James Oguya <[email protected]>