
Révision 03d9e7da

ID03d9e7daab529101204acd9b22d888103860b545
Parent 9fe75e32
Enfant c3be15e0

Ajouté par Steve Traylen il y a plus de 4 ans

New parameter noflush_tables to selectivly skip flush

Introduces a new structured fact nftables

```yaml
nftables:
tables:
- inet-filter
- ip-nat
- ip6-nat
- inet-f2b-table
```

By default the nft script will continue to contain `nft flush ruleset`

If noflush_tables is specified e.g.

```puppet
class{nftables:
noflush_tables => ['inet-f2b-table'],
}
```
the results script will explicity flush the other tables only.
i.e.

```
flush table inet filter
flush table ip nat
flush table ip6 nat
```

Motivation here is to allow maintenance of a chain to be managed by something else.
This example is for fail2ban, but it could be docker, ...

Voir les différences:

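--- a/spec/classes/nftables_spec.rb
+++ b/spec/classes/nftables_spec.rb
@@ -167,6 +167,51 @@
           )
         }
       end
+
+      context 'with with noflush_tables parameter' do
+        let(:params) do
+          {
+            noflush_tables: ['inet-f2b-table'],
+          }
+        end
+
+        context 'with no nftables fact' do
+          it {
+            is_expected.to contain_systemd__dropin_file('puppet_nft.conf')
+              .with_content(%r{^ExecReload.*flush ruleset; include.*$})
+          }
+          it { is_expected.to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{^flush ruleset$}) }
+        end
+
+        context 'with nftables fact matching' do
+          let(:facts) do
+            super().merge(nftables: { tables: ['inet-abc', 'inet-f2b-table'] })
+          end
+
+          it {
+            is_expected.to contain_systemd__dropin_file('puppet_nft.conf')
+              .with_content(%r{^ExecReload.*flush table inet abc; include.*$})
+          }
+          it {
+            is_expected.to contain_file('/etc/nftables/puppet-preflight.nft')
+              .with_content(%r{^flush table inet abc$})
+          }
+        end
+        context 'with nftables fact not matching' do
+          let(:facts) do
+            super().merge(nftables: { tables: ['inet-abc', 'inet-ijk'] })
+          end
+
+          it {
+            is_expected.to contain_systemd__dropin_file('puppet_nft.conf')
+              .with_content(%r{^ExecReload.*flush table inet abc; flush table inet ijk$})
+          }
+          it {
+            is_expected.to contain_file('/etc/nftables/puppet-preflight.nft')
+              .with_content(%r{^flush table inet abc; flush table inet ijk$})
+          }
+        end
+      end
     end
   end
 end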
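Review bot: The 'with nftables fact matching' context never asserts that the excluded table is left alone: `^` and `$` are line anchors in Ruby regexes, so `%r{^flush table inet abc$}` on the preflight file would still match if a regression also emitted a `flush table inet f2b-table` line, which is exactly the behaviour the noflush_tables parameter exists to prevent. A negative expectation pins it, e.g. `it { is_expected.not_to contain_file('/etc/nftables/puppet-preflight.nft').with_content(%r{f2b}) }`; the dropin regex is tighter because `abc; include` leaves no room for another flush, so only the file assertion needs it. The context description `'with with noflush_tables parameter'` has a duplicated "with". No test covers a fact whose tables are all in noflush_tables, so what the preflight file contains when nothing is left to flush is unverified. The enclosing describe block starts outside the hunk.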
