Ript: a terse but expressive DSL for iptables
Author(s):
Lindsay Holmwood
Location
MCC5
Date
Wed Jan 30
Start
15:40
Duration
0:45:00
End
16:25
http://lca2013.linux.org.au/schedule/30293/view_talk
Description:
Netfilter is an extremely powerful framework for manipulating packets, but does anyone actually like writing rules for it with iptables? Anyone who says they do likely hasn't had to maintain rulesets at scale, and if they have, they've almost certainly used some sort of tool that does the heavy lifting for them.

Enter Ript, a clean and opinionated Domain Specific Language for describing firewall rules, that implements database migrations-like functionality for applying these rules with zero downtime.

At Ript's core is an easy to use Ruby DSL for describing both simple and complex sets of iptables firewall rules. After defining the hosts and networks you care about, Ript's DSL provides helpers for all the common use cases: accepting, dropping, & rejecting packets, as well as for performing DNAT and SNAT.

Here is an example ruleset definition:

```ruby
# partitions/joeblogsco.rb
partition "joeblogsco" do
  # Labels give names to the addresses the rules refer to.
  label "www.joeblogsco.com", :address => "72.14.191.216"
  label "app-01",             :address => "10.60.1.230"

  # DNAT ports 80 and 22 from the public address to app-01.
  rewrite "public website + ssh access" do
    ports 80, 22
    dnat  "www.joeblogsco.com" => "app-01"
  end
end
```

Ript provides a method to group common sets of rules together called "partitions", which are used at rule application time to perform zero-downtime migrations. This fosters a much more agile approach to firewall changes that limits the size and helps increase the frequency of changes - core principles behind Continuous Delivery.

Ript is designed from the ground up to be easy to use, and is extremely well tested end-to-end. Developed at Bulletproof Networks, it's been in use since 2012 in multi-tenanted firewall platforms as well as standalone systems.

In this talk Lindsay Holmwood will take you on a whirlwind tour of the DSL, explain how Ript utilises iptables features to work its magic, and provide some concrete examples of how Ript can help increase the reliability of the services you deliver.
Veyepar
Video Eyeball Processor and Review