Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Speed up ipset entries changes #175

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

jfroche
Copy link
Contributor

@jfroche jfroche commented Apr 26, 2018

We now use --add-entries-from-file and --remove-entries-from-file to
change firewalld ipset. Adding or removing entries one by one was really
slow.

This pull request is based on
https://github.com/42wim/puppet-firewalld/blob/04683b46cbe6e6a925c585283941cc363752aceb/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
first pull request was here: kuleuven#4

@Rovanion
Copy link

What is the format of the files that feed this function?

@jovandeginste
Copy link
Contributor

@Rovanion some example:

ipset::set:
  some_name:
    type: hash:net
    hashsize: 1024
    family: inet6
    manage_entries: true
    set:
      - 2a02:2c40::1
      - 2a02:2c40::2

# We have a wrapper around firewalld module, should be similar
wrapped::firewalld::rich_rules:
  allow_from_some_name:
      zone: public
      family: ipv6
      source:
        ipset: some_name
      service: some_service
      action: accept

# cat /etc/firewalld/ipsets/some_name.xml

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <option name="hashsize" value="1024"/>
  <option name="family" value="inet6"/>
  <entry>2a02:2c40::1</entry>
  <entry>2a02:2c40::2</entry>
</ipset>

@pccibot
Copy link

pccibot commented Sep 22, 2019

Dear @jfroche, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@pccibot
Copy link

pccibot commented Sep 22, 2019

Dear @jfroche, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

1 similar comment
@pccibot
Copy link

pccibot commented Sep 22, 2019

Dear @jfroche, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@alexjfisher alexjfisher removed this from the 4.0.0 milestone Oct 14, 2019
@vox-pupuli-tasks
Copy link

Dear @jfroche, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@vox-pupuli-tasks
Copy link

Dear @jfroche, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@jovandeginste
Copy link
Contributor

@dhoppe would you like us to fix the merge conflicts?

@dhoppe
Copy link
Member

dhoppe commented Jan 5, 2020

@jovandeginste That would be great. Thank you very much.

@jfroche
Copy link
Contributor Author

jfroche commented Jan 23, 2020

rebased on master branch

flush: true,
close!: true,
close: true,
path: '/tmp/ipset-rspec')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reading from /tmp is insecure and could introduce a race condition. Suggest using a dedicated directory that is root:root 0700 and outside of temp.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the test ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure I need to notify using @ghoneycutt , sorry for the spam

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just use a real tempfile?

This is going to be an issue if a system is trying to run multiple tests at the same time.

A before(:each) with an instance variable should be fine (just tell rubocop to shut up).

@bastelfreak bastelfreak added the enhancement New feature or request label Feb 8, 2020
@jfroche
Copy link
Contributor Author

jfroche commented Feb 15, 2020

Are we speaking about using /tmp during unittest not being secure ?

@jovandeginste
Copy link
Contributor

ping @ghoneycutt

@ghoneycutt
Copy link
Member

I was mistaken, for the test it seems fine.

@jovandeginste
Copy link
Contributor

can we pick this PR up again, @ghoneycutt ?

@mnsmithuk
Copy link

mnsmithuk commented Jul 23, 2022

Can we get --add-entries-from-file and --remove-entries-from-file functionality in this module (obviously still keep the --add-entry and --remove-entry functionality) over the line please and in the latest version.

@jcpunk
Copy link
Contributor

jcpunk commented Sep 19, 2023

Can you rebase off head for the CI?

We now use `--add-entries-from-file` and `--remove-entries-from-file` to
change firewalld ipset. Adding or removing entries one by one was really
slow.

This pull request is based on
https://github.com/42wim/puppet-firewalld/blob/04683b46cbe6e6a925c585283941cc363752aceb/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request needs-rebase
Projects
None yet
Development

Successfully merging this pull request may close these issues.