[09:32:00] <jynus>	 for a new role, do I only need to set on hiera profile::firewall::provider: nftables ? or is more config needed
[09:34:30] <moritzm>	 if your role only uses firewall::service, then it's best to start right away with nftables as the provider (or if it's totally new and doesn't yet have any firewall rules configured)
[09:35:02] <moritzm>	 firewall:service writes out the config in the format suitable for ferm or nftables, depending on what is configured
[09:40:11] <jynus>	 sorry, I am not fully understanding what you are saying, can you send a patch or file I could look at as an example?
[09:41:06] <jynus>	 I think at the moment nothing is open (I am writing a new service)
[09:42:18] <jynus>	 yeah, envoy only uses firewall::service
[09:42:39] <jynus>	 so is that a yes?
[09:48:04] <moritzm>	 is this for new garage role? if so, then yes, please start with nftables from day one
[09:48:32] <moritzm>	 and if you want to open ports, we can do that via firewall::service
[09:48:44] <moritzm>	 it will generate nftables compatible rules automatically
[09:48:57] <moritzm>	 you can add me as reviewer to all such patches, happy to have a look
[09:49:58] <moritzm>	 from a user's perspective firewall::service is close to ferm::service, only more rigid in syntax checking
[09:50:17] <jynus>	 understood
[09:51:15] <moritzm>	 with nftables we're actually enforcing Puppet syntax types, with ferm pretty much everything got passed as a string and then parsed by perl
[09:51:53] <jynus>	 I was just very unfamiliar with the new config, and I didn't know if it required extra steps of different classes
[09:52:25] <jynus>	 so I wanted to setup the new way from the beginning
[09:54:42] <jynus>	 for example, I see now that for envoy it says it requires that more strict syntax you just told me about
[09:58:29] <moritzm>	 indeed, for Envoy you can allow source sets (which are the same as Ferm macros like PRODUCTION_HOSTS, all based on the network constants) via profile::tlsproxy::envoy::firewall_src_sets
[10:01:37] <jynus>	 I will have to set a new one, but that's my problem, no worries
[10:02:59] <jynus>	 I will take your offer for a sanity check later on
[10:12:19] <moritzm>	 ok
[15:37:34] <inflatador>	 dpogorzelski OK if I puppet-merge https://gerrit.wikimedia.org/r/c/operations/puppet/+/1208377 ?
[15:39:21] <inflatador>	 klausman ^^
[15:41:08] <klausman>	 yes, pls proceed
[15:44:19] <inflatador>	 ACK, done
[15:44:52] <klausman>	 if there's now another httpb change in there, that can also be merged
[15:45:26] <klausman>	 ty!
[15:48:05] <inflatador>	 yep, I think I got that one too