outerface?

[dragon2611]

Is outerface supported by the module?, I did try using it in the rule but it didn't seem to like it.

outerface does occasionally come in handy for forward rules where you want to match the outgoing interface either instead of or as well as the incoming one.

[bastelfreak]

Hi, this is currently not possible. Are you interested to provide a patch for this?

[dragon2611]

@bastelfreak I might have a look when I get a chance, is it just rules.pp or are there definitions elsewhere that also would need updating.

[bastelfreak]

I already implemented magic for the interface:

puppet-ferm/manifests/rule.pp

Lines 147 to 173 in 936d5f7

	if $interface {
	unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) {
	concat::fragment{"${chain}-${interface}-aaa":
	target => $filename,
	content => "interface ${interface} {\n",
	order => $interface,
	}
	}
	concat::fragment{"${chain}-${interface}-${name}":
	target => $filename,
	content => " ${rule}\n",
	order => $interface,
	}
	unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) {
	concat::fragment{"${chain}-${interface}-zzz":
	target => $filename,
	content => "}\n",
	order => $interface,
	}
	}
	} else {
	concat::fragment{"${chain}-${name}":
	target => $filename,
	content => "${rule}\n",
	}

You probably need to update the rule.pp and some tests. And you need to implement a check that prohibits settings interface and outerface. Let me know if you need any help. You can also ping us in the IRC channel #voxpupuli on freenode.

[dragon2611]

Sorry If i Misunderstood you but why would I want to prevent setting interface and outerface in the same rule, that's a perfectly valid thing to do in a forward chain.

[bastelfreak]

oh true, that's a valid usecase!

[dragon2611]

@bastelfreak I had a play but I'm afraid it's way beyond my understanding of how to write a puppet module, I'm right at the beginner level in that regard.

All I ended up doing was zapping most of my rules (whoops) although I did seem to manage to add the outerface in the output chain. It seems it's not just the case of copying you existing magic and writing an elsif to deal with outerface.

The only thing I did notice is I can't help think the rules are overly complicated for a single rule

for instance

interface wg99 {
  mod comment comment 'dns' proto (tcp udp) dport 53 ACCEPT;
}

can easily become

interface wg99 proto (tcp dup) dport 53 ACCEPT mod comment comment 'dns';

It really depends on if you wanted to put multiple rules with the same interface definition, then it would make sense.

e.g

interface wg99 {
   mod comment comment 'dns' proto (tcp udp) dport 53 ACCEPT;
   mod comment comment 'http' proto tcp dport 80 ACCEPT;
 }

That said for an interface AND outerface it might have to be a one liner I'm not sure if

interface wg99 outerface wg98 {   
   mod comment comment 'dns' proto (tcp udp) dport 53 ACCEPT;
   mod comment comment 'http' proto tcp dport 80 ACCEPT;
}

Is actually valid or not.

[dragon2611]

#78 - @bastelfreak might be worth a look, but I fear it's probably not upto the required code quality standards.