
Destination/Source accepts array but only uses the first element

Open elfranne opened this issue 2 years ago • 2 comments

For example:

firewall { '200 http https':
  dport       => [80, 443],
  proto       => 'tcp',
  destination => ['1.2.3.4', '2.3.4.5'],
  action      => 'accept'
}

Puppet will only include the first IP in the firewall rule. There is no error or warning.

If you want to add multiple IPs in a single firewall rule with Puppet you can use the ipset module:

ipset::set { 'web':
  set => ['1.2.3.4', '2.3.4.5'],
}
firewall { '200 http https':
  dport   => [80, 443],
  proto   => 'tcp',
  ipset   => 'web dst',
  action  => 'accept',
  require => Ipset::Set['web'],
}

elfranne avatar Aug 05 '22 14:08 elfranne
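Because the truncation is silent, the practical risk is a rule that covers fewer addresses than the manifest suggests: an accept rule that only opens traffic for the first host, or a drop rule that only blocks the first address and leaves the rest unfiltered. The following Ruby script is an added example, not code from the issue or from puppetlabs-firewall: it scans manifest text for `firewall` resources whose `source` or `destination` is a multi-element array, reports what the module would discard, and renders the ipset-based rewrite described above. The manifest in `SAMPLE_MANIFEST` is constructed for the demo; the function names and the `Finding` struct are this example's own.

```ruby
# Added example (not part of the issue or the puppetlabs-firewall module):
# a manifest checker for firewall resources that pass a multi-element array
# to `source` or `destination`, which the module silently truncates to the
# first element.

# Constructed sample manifest: two affected rules and one unaffected rule.
SAMPLE_MANIFEST = <<~PUPPET
  firewall { '200 http https':
    dport       => [80, 443],
    proto       => 'tcp',
    destination => ['1.2.3.4', '2.3.4.5'],
    action      => 'accept'
  }

  firewall { '300 block scanners':
    proto  => 'tcp',
    source => ['198.51.100.7', '198.51.100.8', '198.51.100.9'],
    action => 'drop'
  }

  firewall { '400 single host':
    proto       => 'tcp',
    destination => '203.0.113.10',
    action      => 'accept'
  }
PUPPET

# firewall parameters that only honour the first array element (per the issue).
SINGLE_VALUE_PARAMS = %w[source destination].freeze

# One finding per affected parameter: which rule, which parameter, the full
# list as written, and the addresses the module would drop.
Finding = Struct.new(:title, :param, :values, :dropped)

# Scan manifest text for `firewall { 'title': ... }` blocks and return a
# Finding for every source/destination array with more than one element.
def find_truncated_address_lists(manifest)
  findings = []
  manifest.scan(/firewall\s*\{\s*'([^']*)'\s*:(.*?)\n\s*\}/m) do |title, body|
    SINGLE_VALUE_PARAMS.each do |param|
      # Only array literals are at risk; a plain string is used as-is.
      next unless body =~ /^\s*#{param}\s*=>\s*\[([^\]]*)\]/
      values = Regexp.last_match(1).scan(/'([^']*)'|"([^"]*)"/).flatten.compact
      next if values.length <= 1
      findings << Finding.new(title, param, values, values[1..-1])
    end
  end
  findings
end

# Render the workaround from the issue: put the addresses in an ipset and
# reference it from the rule. The direction suffix follows the parameter
# (source -> src, destination -> dst). Other attributes of the original
# rule (proto, dport, action, ...) are kept unchanged by the operator.
def ipset_rewrite(finding, set_name)
  direction = finding.param == 'source' ? 'src' : 'dst'
  members = finding.values.map { |v| "'#{v}'" }.join(', ')
  <<~PUPPET
    ipset::set { '#{set_name}':
      set => [#{members}],
    }
    firewall { '#{finding.title}':
      ipset   => '#{set_name} #{direction}',
      require => Ipset::Set['#{set_name}'],
    }
  PUPPET
end

if __FILE__ == $PROGRAM_NAME
  find_truncated_address_lists(SAMPLE_MANIFEST).each do |f|
    puts "#{f.title}: #{f.param} lists #{f.values.length} addresses; " \
         "only #{f.values.first} takes effect, dropping #{f.dropped.join(', ')}"
    puts ipset_rewrite(f, f.title.split.last)
  end
end
```

Run it against real manifests by replacing `SAMPLE_MANIFEST` with `File.read(path)`; a non-empty result from `find_truncated_address_lists` is the signal to move the address list into an `ipset::set` before the rule is applied, since neither Puppet nor the module will flag it for you.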

Hello! 👋

This issue has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which issues need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the issue with a comment.

github-actions[bot] avatar Nov 04 '22 02:11 github-actions[bot]

Hey @elfranne, it looks like there is some mention of this behaviour in our documentation. It also contains another alternative to allow for multiple destination/source IP addresses via the use of another module. The forge link also seems to contain some context as to why the module behaves this way.

We do, however, agree that it might be wise to warn users when they try to use a feature this way. We will be adding this work to our backlog. Thanks for bringing this to our attention.

LukasAud avatar Nov 07 '22 17:11 LukasAud