# @summary Provides a simplified interface to nftables::rule
#
# Renders the rule text from the `nftables/simplerule.epp` template and hands
# it to an `nftables::rule` resource titled `"${chain}-${rulename}"`, so that
# callers do not have to write raw nft syntax for the common match/verdict
# cases.
#
# @example allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
#   nftables::simplerule{'my_service_in':
#     action  => 'accept',
#     comment => 'allow traffic to port 543',
#     counter => true,
#     proto   => 'tcp',
#     dport   => 543,
#     daddr   => '2001:1458::/32',
#     sport   => 541,
#   }
#
# @param ensure
#   Whether to declare the underlying nftables::rule. With `absent` no
#   nftables::rule resource is declared at all.
#   NOTE(review): whether `absent` also removes a rule generated on a previous
#   run depends on how nftables::rule manages its output — confirm against
#   nftables::rule before relying on it for cleanup.
#
# @param rulename
#   The symbolic name for the rule to add. Defaults to the resource's title.
#   Restricted to `[-a-zA-Z0-9_]`, so it is safe to embed in the rule title.
#
# @param order
#   A number representing the order of the rule (exactly two digits).
#
# @param chain
#   The name of the chain to add this rule to.
#   NOTE(review): an unconstrained String that becomes part of the
#   nftables::rule title; any validation happens in nftables::rule, not here.
#
# @param table
#   The name of the table to add this rule to.
#
# @param action
#   The verdict for the matched traffic.
#
# @param comment
#   A typically human-readable comment for the rule.
#   NOTE(review): an unconstrained String passed straight to the template; if
#   the template quotes it verbatim, a double quote or newline inside the
#   comment could alter the generated rule text — confirm against
#   simplerule.epp before accepting comments from untrusted data.
#
# @param dport
#   The destination port, ports or port range. Requires `proto`.
#
# @param proto
#   The transport-layer protocol to match. Mandatory when `dport` or `sport`
#   is given; compilation fails otherwise.
#
# @param daddr
#   The destination address, CIDR or set to match.
#
# @param set_type
#   When using sets as saddr or daddr, the type of the set.
#   Use `ip` for sets of type `ipv4_addr`.
#
# @param sport
#   The source port, ports or port range. Requires `proto`.
#
# @param saddr
#   The source address, CIDR or set to match.
#
# @param counter
#   Enable traffic counters for the matched traffic.
define nftables::simplerule (
  Enum['present','absent'] $ensure = 'present',
  Pattern[/^[-a-zA-Z0-9_]+$/] $rulename = $title,
  Pattern[/^\d\d$/] $order = '50',
  String $chain = 'default_in',
  String $table = 'inet-filter',
  Enum['accept', 'continue', 'drop', 'queue', 'return'] $action = 'accept',
  Optional[String] $comment = undef,
  Optional[Nftables::Port] $dport = undef,
  Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']] $proto = undef,
  Optional[Nftables::Addr] $daddr = undef,
  Enum['ip', 'ip6'] $set_type = 'ip6',
  Optional[Nftables::Port] $sport = undef,
  Optional[Nftables::Addr] $saddr = undef,
  Boolean $counter = false,
) {
  # A port match is meaningless without a transport protocol, so refuse the
  # combination at catalog compile time. dport is checked before sport so
  # that, when both are given without proto, the message names dport.
  unless $proto {
    if $dport {
      fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
    }
    if $sport {
      fail('Specifying a transport protocol via $proto is mandatory when passing a $sport')
    }
  }

  # Everything the template receives, keyed by the same names as the
  # parameters of this define.
  $template_params = {
    'action'   => $action,
    'comment'  => $comment,
    'counter'  => $counter,
    'daddr'    => $daddr,
    'dport'    => $dport,
    'proto'    => $proto,
    'saddr'    => $saddr,
    'set_type' => $set_type,
    'sport'    => $sport,
  }

  # Only 'present' declares a resource; 'absent' declares nothing here.
  if $ensure == 'present' {
    $rule_title = "${chain}-${rulename}"

    nftables::rule { $rule_title:
      content => epp('nftables/simplerule.epp', $template_params),
      order   => $order,
      table   => $table,
    }
  }
}