Salt: Firewalld prune functionality is broken.

Created on 21 Jan 2017  路  4Comments  路  Source: saltstack/salt

Description of Issue/Question

The firewalld state is not implemented properly. Even if we select prune_services=False, it will still prune ports # and richrules. Please implement prune instead of just prune_services. The introduction of pruning_services cause a lot of hazards for many admins few month ago.

Setup

(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)

Steps to Reproduce Issue

(Include debug logs if possible and relevant.)

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Bug P1 Platform State Module TEAM Platform severity-medium
Source
picture hunkeelin

Most helpful comment

@gtmanfred I would argue that the problem with pruning in firewalld.present is a design flaw rather than a feature request. What business does a function named present have removing anything? Wouldn't it be better to refactor firewalld.present so that it strictly adds to firewalld configuration and add a corresponding function firewalld.absent that strictly removes firewalld configuration? This would make the firewalld state operate similarly to other states like pkg, with its installed and removed functions.

picture nhavens on 3 Nov 2017
👍2

All 4 comments

Thanks for the feature request, this would be good to have.

Daniel

gtmanfred picture gtmanfred on 23 Jan 2017

I'm working on a pull request to hopefully address this issue (as well as #41075 and #41717). I've added parameters similar to prune_services for each of the items that were getting pruned by default (prune_ports, prune_rich_rules, etc). I've also set the default value of the prune_* parameters (including prune_services) to False, since the current behavior is kind of confusing.

I've made most of the changes to the code, I'm just working on updating the docblock for firewalld.present since it currently doesn't explain any of the parameters or expected behavior. I'll try to have it finished by tomorrow night

connordelacruz picture connordelacruz on 26 Sep 2017

@gtmanfred I would argue that the problem with pruning in firewalld.present is a design flaw rather than a feature request. What business does a function named present have removing anything? Wouldn't it be better to refactor firewalld.present so that it strictly adds to firewalld configuration and add a corresponding function firewalld.absent that strictly removes firewalld configuration? This would make the firewalld state operate similarly to other states like pkg, with its installed and removed functions.

nhavens picture nhavens on 3 Nov 2017
👍2

It is tagged as a bug.

I retagged it as a bug a month after it was originally tagged as a feature request

gtmanfred picture gtmanfred on 3 Nov 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

sfozz picture sfozz  路  3Comments
udf2457 picture udf2457  路  3Comments
icycle77 picture icycle77  路  3Comments
layer3switch picture layer3switch  路  3Comments
twangboy picture twangboy  路  3Comments