{"host": "cloudweb2002-dev.wikimedia.org", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3047, "only_in_self": ["Ferm::Rule[skip_mcrouter_cloudweb_conntrack_in]", "Ferm::Rule[skip_mcrouter_cloudweb_conntrack_out]", "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in]", "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out]"], "only_in_other": ["Ferm::Client[skip_mcrouter_cloudweb_conntrack_out]", "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client]", "Firewall::Client[skip_mcrouter_cloudweb_conntrack_out]", "Firewall::Service[mcrouter]", "Firewall::Service[memcached_for_mcrouter]", "Nftables::Client[skip_mcrouter_cloudweb_conntrack_out]", "Nftables::Service[mcrouter]", "Nftables::Service[memcached_for_mcrouter]"], "resource_diffs": [{"resource": "Firewall::Service[mcrouter]", "parameters": "--- Firewall::Service[mcrouter].orig\n+++ Firewall::Service[mcrouter]\n\n+ notrack => True\n+ desc => Allow connections to mcrouter\n+ proto => tcp\n+ ensure => present\n+ unrestricted_access => False\n+ prio => 10\n+ port => 11213\n+ srange => ['cloudweb2002-dev.wikimedia.org']\n"}, {"resource": "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client]", "content": "--- /etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client.orig\n+++ /etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client\n@@ -0,0 +1,8 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# Skip outgoing connection tracking for mcrouter\n+&CLIENT(tcp, 11213);\n+\n+\n+\n+&NO_TRACK_CLIENT(tcp, 11213);", "parameters": "--- File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client].orig\n+++ File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client]\n\n+ tag => ferm\n+ mode => 0400\n+ group => root\n+ notify => Service[ferm]\n+ require => File[/etc/ferm/conf.d]\n+ ensure => present\n+ owner => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in]", "content": "--- /etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in.orig\n+++ /etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# 10_skip_mcrouter_cloudweb_conntrack_in: Skip incoming connection tracking for mcrouter\n-\n-domain (ip ip6) {\n-\ttable raw {\n-\t\tchain PREROUTING {\n-\t\t\tproto tcp dport (11213) NOTRACK;\n-\t\t}\n-\t}\n-}", "parameters": "--- File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in].orig\n+++ File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in]\n\n- tag => ferm\n- mode => 0400\n- group => root\n- notify => Service[ferm]\n- require => File[/etc/ferm/conf.d]\n- ensure => present\n- owner => root\n"}, {"resource": "Ferm::Rule[skip_mcrouter_cloudweb_conntrack_out]", "parameters": "--- Ferm::Rule[skip_mcrouter_cloudweb_conntrack_out].orig\n+++ Ferm::Rule[skip_mcrouter_cloudweb_conntrack_out]\n\n- rule => proto tcp sport (11213) NOTRACK;\n- domain => (ip ip6)\n- prio => 10\n- chain => OUTPUT\n- desc => Skip outgoing connection tracking for mcrouter\n- ensure => present\n- table => raw\n"}, {"resource": "Nftables::Service[memcached_for_mcrouter]", "parameters": "--- Nftables::Service[memcached_for_mcrouter].orig\n+++ Nftables::Service[memcached_for_mcrouter]\n\n+ notrack => True\n+ desc => Allow connections to memcached\n+ proto => tcp\n+ ensure => present\n+ unrestricted_access => False\n+ prio => 10\n+ port => 11000\n+ src_ips => ['208.80.153.41', '2620:0:860:2:208:80:153:41']\n"}, {"resource": "Ferm::Client[skip_mcrouter_cloudweb_conntrack_out]", "parameters": "--- Ferm::Client[skip_mcrouter_cloudweb_conntrack_out].orig\n+++ Ferm::Client[skip_mcrouter_cloudweb_conntrack_out]\n\n+ notrack => True\n+ desc => Skip outgoing connection tracking for mcrouter\n+ proto => tcp\n+ ensure => present\n+ prio => 10\n+ drange => []\n+ port => 11213\n+ skip_output_chain => False\n"}, {"resource": "Nftables::Client[skip_mcrouter_cloudweb_conntrack_out]", "parameters": "--- Nftables::Client[skip_mcrouter_cloudweb_conntrack_out].orig\n+++ Nftables::Client[skip_mcrouter_cloudweb_conntrack_out]\n\n+ prio => 10\n+ port => 11213\n+ proto => tcp\n+ notrack => True\n+ desc => Skip outgoing connection tracking for mcrouter\n+ ensure => present\n+ skip_output_chain => False\n"}, {"resource": "Firewall::Service[memcached_for_mcrouter]", "parameters": "--- Firewall::Service[memcached_for_mcrouter].orig\n+++ Firewall::Service[memcached_for_mcrouter]\n\n+ notrack => True\n+ desc => Allow connections to memcached\n+ proto => tcp\n+ ensure => present\n+ unrestricted_access => False\n+ prio => 10\n+ port => 11000\n+ srange => ['cloudweb2002-dev.wikimedia.org']\n"}, {"resource": "Ferm::Rule[skip_mcrouter_cloudweb_conntrack_in]", "parameters": "--- Ferm::Rule[skip_mcrouter_cloudweb_conntrack_in].orig\n+++ Ferm::Rule[skip_mcrouter_cloudweb_conntrack_in]\n\n- rule => proto tcp dport (11213) NOTRACK;\n- domain => (ip ip6)\n- prio => 10\n- chain => PREROUTING\n- desc => Skip incoming connection tracking for mcrouter\n- ensure => present\n- table => raw\n"}, {"resource": "Nftables::Service[mcrouter]", "parameters": "--- Nftables::Service[mcrouter].orig\n+++ Nftables::Service[mcrouter]\n\n+ notrack => True\n+ desc => Allow connections to mcrouter\n+ proto => tcp\n+ ensure => present\n+ unrestricted_access => False\n+ prio => 10\n+ port => 11213\n+ src_ips => ['208.80.153.41', '2620:0:860:2:208:80:153:41']\n"}, {"resource": "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out]", "content": "--- /etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out.orig\n+++ /etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out\n@@ -1,11 +0,0 @@\n-# Autogenerated by puppet. DO NOT EDIT BY HAND!\n-#\n-# 10_skip_mcrouter_cloudweb_conntrack_out: Skip outgoing connection tracking for mcrouter\n-\n-domain (ip ip6) {\n-\ttable raw {\n-\t\tchain OUTPUT {\n-\t\t\tproto tcp sport (11213) NOTRACK;\n-\t\t}\n-\t}\n-}", "parameters": "--- File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out].orig\n+++ File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out]\n\n- tag => ferm\n- mode => 0400\n- group => root\n- notify => Service[ferm]\n- require => File[/etc/ferm/conf.d]\n- ensure => present\n- owner => root\n"}, {"resource": "Firewall::Client[skip_mcrouter_cloudweb_conntrack_out]", "parameters": "--- Firewall::Client[skip_mcrouter_cloudweb_conntrack_out].orig\n+++ Firewall::Client[skip_mcrouter_cloudweb_conntrack_out]\n\n+ prio => 10\n+ port => 11213\n+ proto => tcp\n+ notrack => True\n+ desc => Skip outgoing connection tracking for mcrouter\n+ ensure => present\n+ skip_output_chain => False\n"}], "perc_changed": "0.79%"}, "core": {"total": 3047, "only_in_self": ["File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in]", "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out]"], "only_in_other": ["File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client]"], "resource_diffs": [], "perc_changed": "0.10%"}, "main": {"total": 3047, "only_in_self": ["Ferm::Rule[skip_mcrouter_cloudweb_conntrack_in]", "Ferm::Rule[skip_mcrouter_cloudweb_conntrack_out]", "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_in]", "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out]"], "only_in_other": ["Ferm::Client[skip_mcrouter_cloudweb_conntrack_out]", "File[/etc/ferm/conf.d/10_skip_mcrouter_cloudweb_conntrack_out_client]", "Firewall::Client[skip_mcrouter_cloudweb_conntrack_out]", "Firewall::Service[mcrouter]", "Firewall::Service[memcached_for_mcrouter]", "Nftables::Client[skip_mcrouter_cloudweb_conntrack_out]", "Nftables::Service[mcrouter]", "Nftables::Service[memcached_for_mcrouter]"], "resource_diffs": [], "perc_changed": "0.39%"}}}