Révision 03d9e7da
New parameter noflush_tables to selectivly skip flush
Introduces a new structured fact nftables
```yaml
nftables:
tables:
- inet-filter
- ip-nat
- ip6-nat
- inet-f2b-table
```
By default the nft script will continue to contain `nft flush ruleset`
If noflush_tables is specified e.g.
```puppet
class{nftables:
noflush_tables => ['inet-f2b-table'],
}
```
the results script will explicity flush the other tables only.
i.e.
```
flush table inet filter
flush table ip nat
flush table ip6 nat
```
The motivation is to allow a table or chain to be maintained by something other than this module.
This example for fail2ban but could be docker, ...
manifests/init.pp | ||
---|---|---|
1 | 1 |
# @summary Configure nftables |
2 | 2 |
# |
3 |
# @example |
|
3 |
# @example allow dns out and do not allow ntp out
|
|
4 | 4 |
# class{'nftables: |
5 | 5 |
# out_ntp = false, |
6 | 6 |
# out_dns = true, |
7 | 7 |
# } |
8 | 8 |
# |
9 |
# @example do not flush particular tables |
|
10 |
# In this case ignoring the fail2ban maintained |
|
11 |
# table |
|
12 |
# class{'nftables': |
|
13 |
# noflush_tables = ['inet-f2b-table'], |
|
14 |
# } |
|
15 |
# |
|
9 | 16 |
# @param out_all |
10 | 17 |
# Allow all outbound connections. If `true` then all other |
11 | 18 |
# out parameters `out_ntp`, `out_dns`, ... will be assuemed |
... | ... | |
64 | 71 |
# useful to set this to false if you're externaly removing firewalld from |
65 | 72 |
# the system completely. |
66 | 73 |
# |
74 |
# @param noflush_tables |
|
75 |
# If specified only other existings tables will be flushed. |
|
76 |
# If left unset all tables will be flushed via a `flush ruleset` |
|
77 |
# |
|
67 | 78 |
class nftables ( |
68 | 79 |
Boolean $in_ssh = true, |
69 | 80 |
Boolean $in_icmp = true, |
... | ... | |
85 | 96 |
$reject_with = 'icmpx type port-unreachable', |
86 | 97 |
Variant[Boolean[false], Enum['mask']] |
87 | 98 |
$firewalld_enable = 'mask', |
99 |
Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] |
|
100 |
$noflush_tables = undef, |
|
88 | 101 |
) { |
89 | 102 |
|
90 | 103 |
package{'nftables': |
... | ... | |
107 | 120 |
recurse => true; |
108 | 121 |
'/etc/nftables/puppet-preflight.nft': |
109 | 122 |
ensure => file, |
110 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat }); |
|
123 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
|
|
111 | 124 |
} ~> exec{ |
112 | 125 |
'nft validate': |
113 | 126 |
refreshonly => true, |
... | ... | |
119 | 132 |
mode => '0640'; |
120 | 133 |
'/etc/nftables/puppet.nft': |
121 | 134 |
ensure => file, |
122 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat }); |
|
135 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
|
|
123 | 136 |
'/etc/nftables/puppet': |
124 | 137 |
ensure => directory, |
125 | 138 |
mode => '0750', |
... | ... | |
134 | 147 |
} |
135 | 148 |
|
136 | 149 |
systemd::dropin_file{'puppet_nft.conf': |
137 |
ensure => present, |
|
138 |
unit => 'nftables.service', |
|
139 |
source => 'puppet:///modules/nftables/systemd/puppet_nft.conf',
|
|
140 |
notify => Service['nftables'], |
|
150 |
ensure => present,
|
|
151 |
unit => 'nftables.service',
|
|
152 |
content => epp('nftables/systemd/puppet_nft.conf.epp', { 'noflush' => $noflush_tables }),
|
|
153 |
notify => Service['nftables'],
|
|
141 | 154 |
} |
142 | 155 |
|
143 | 156 |
service{'firewalld': |
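Review bot: With `noflush_tables` set, the generated script flushes only the tables named in the node-reported `nftables.tables` fact, so what gets flushed is decided by data the agent collected before the run — a host where the fact is absent (first run before the fact ships, or nftables not yet installed) or a table created after fact collection is not flushed at all, and the ruleset is no longer guaranteed to be exactly what Puppet manages. The `@param noflush_tables` text at new line 75 should say so, e.g. `# Tables not reported by the nftables.tables fact (including any created after facts were gathered) are left untouched; use with care on hosts where the fact is unavailable.` The `Pattern` type constrains the parameter, but the fact values that feed the per-table flush come from the host and are not validated in this hunk; the template is outside the diff, so whether it checks them is not visible. The new example at new line 13 uses `noflush_tables = [...]`; class resource parameters need `=>`: `#   noflush_tables => ['inet-f2b-table'],`. The `Pattern` also admits only the ip/ip6/inet families; nft also has arp, bridge and netdev tables, which could not be excluded from flushing if the fact reports them.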