Add ability to use extra_ghetto_ipsets

[alanorth]

Right now ipsets are defined in our global (private) variables, but hosts can override them by copying the entire dict structure from private/vars/ipsets.yml to their host_vars and adding custom hosts. Unfortunately if the global ipsets change for some reason, we would probably forget to update the overridden ones too.

It would be nice for a host to be able to use something like extra_ghetto_ipsets, similar to how we useextra_iptables_rules.

[oguya]

I think we should just continue using the concept of ghetto_ipsets. The only con is that we'll endup adding a lot of checks in templates & tasks in which they'll be used/refered.

For instance:

• in host_vars/hostname

  extra_ghetto_ipsets:
    addis_dmz: { src: '192.168.1.0/24' }
    nbo_dmz: { src: '192.168.2.0/24' }
  

• in iptables template:

  {% for network in ssh_access %} 
  {% if ghetto_ipsets[network] is defined and ghetto_ipsets[network].src is defined %}
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s {{ ghetto_ipsets[network].src }} -j ACCEPT
  {% endif %}
  {% if extra_ghetto_ipsets[network] is defined and extra_ghetto_ipsets[network].src is defined %}
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s {{ extra_ghetto_ipsets[network].src }} -j ACCEPT
  {% endif %}
  {% endfor %}
  

So, we'll have two sections, one for the normal ghetto_ipsets & another one for extra_ghetto_ipsets. To avoid issue of missing/undefined items in either variables, we have to check if an item exists & if it is defined.

[alanorth]

This only causes problems because we treat web and ssh as special... but if you use them with extra iptables rules we would only need to check them where we process the extra rules:

extra_ghetto_ipsets:
  joguya_laptop: { src: '192.168.1.0/24' }

extra_iptables_rules:
  - { protocol: tcp, port: 22, acl: joguya_laptop }

But ugh... none of this is just simple and obvious, and actually will end up causing more problems. I dunno, it will start to outweigh the benefits. Perhaps a better question is if we need to streamline the way we run the iptables rules in the first place.