Révision 0b1e3353
Added purge_unmanaged_rules new variant of method
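--- a/README.md
+++ b/README.md
@@ -73,6 +73,14 @@
 If and only if successful the configuration will be copied to
 the real locations before the service is reloaded.
 
+## Un-managed rules
+
+By default, rules added manually by the administrator to the in-memory
+ruleset will be left untouched. However,
+`nftables::purge_unmanaged_rules` can be set to `true` to revert this
+behaviour and force a reload of the ruleset during the Puppet run if
+non-managed changes are detected.
+
 ## Basic types
 
 ### nftables::config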
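--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -46,6 +46,15 @@
 # @param nat_table_name
 # The name of the 'nat' table.
 #
+# @param purge_unmanaged_rules
+# Prohibits in-memory rules that are not declared in Puppet
+# code. Setting this to true activates a check that restarts nftables
+# if the rules in memory have been modified without Puppet.
+#
+# @param inmem_rules_hash_file
+# The name of the file where the hash of the in-memory rules
+# will be stored.
+#
 # @param sets
 # Allows sourcing set definitions directly from Hiera.
 #
@@ -134,10 +143,12 @@
 Boolean $fwd_drop_invalid = $fwd_conntrack,
 Boolean $inet_filter = true,
 Boolean $nat = true,
+Boolean $purge_unmanaged_rules = false,
 Hash $rules = {},
 Hash $sets = {},
 String $log_prefix = '[nftables] %<chain>s %<comment>s',
 String[1] $nat_table_name = 'nat',
+Stdlib::Unixpath $inmem_rules_hash_file = '/run/puppet-nft-memhash',
 Boolean $log_discarded = true,
 Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets',
 Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable',
@@ -221,6 +232,24 @@
 restart => 'PATH=/usr/bin:/bin systemctl reload nftables',
 }
 
+if $purge_unmanaged_rules {
+# Reload the nftables ruleset from the on-disk ruleset if there are differences or it is absent. -s must be used to ignore counters
+exec { 'nftables_running_state_check':
+command => 'echo "reloading nftables"',
+path => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
+unless => "/usr/bin/test -s /var/tmp/nftables_hash -a \"$(nft -s list ruleset | sha1sum)\" = \"$(cat ${inmem_rules_hash_file})\"",
+notify => Service['nftables'],
+}
+
+# Generate nftables_hash upon any changes from the nftables service
+exec { 'generate_nftables_hash':
+command => "nft -s list ruleset | sha1sum > ${inmem_rules_hash_file}",
+path => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
+subscribe => Service['nftables'],
+refreshonly => true,
+}
+}
+
 systemd::dropin_file { 'puppet_nft.conf':
 ensure => present,
 unit => 'nftables.service',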
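Review bot: The `unless` of `nftables_running_state_check` (new line 240) tests `/var/tmp/nftables_hash` for existence but reads the stored hash from `${inmem_rules_hash_file}`, whose default is `/run/puppet-nft-memhash`, so the guard checks one file and compares against another. Unless something outside this module creates `/var/tmp/nftables_hash`, `test -s` fails, the `unless` never holds, and the exec notifies the service on every Puppet run — the opposite of what the README text promises. `/var/tmp` is also world-writable, so any local user can create that file and flip the outcome of the guard. Use the parameter on both sides: `unless => "/usr/bin/test -s ${inmem_rules_hash_file} -a \"$(nft -s list ruleset | sha1sum)\" = \"$(cat ${inmem_rules_hash_file})\"",`. Since both execs depend on `$(...)`, `|` and `>` being interpreted by a shell, consider adding `provider => shell` so that does not rest on how the default provider happens to launch string commands.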
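--- a/spec/classes/nftables_spec.rb
+++ b/spec/classes/nftables_spec.rb
@@ -131,6 +131,18 @@
 }
 
 it {
+expect(subject).not_to contain_exec('nftables_running_state_check')
+}
+
+it {
+expect(subject).not_to contain_exec('generate_ntfables_hash')
+}
+
+it {
+expect(subject).not_to contain_file('/run/puppet-nft-memhash')
+}
+
+it {
 expect(subject).to contain_exec('nft validate').with(
 refreshonly: true,
 command: %r{^#{nft_path} -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*}
@@ -298,6 +310,31 @@
 it { is_expected.to have_nftables__set_resource_count(0) }
 end
 
+context 'when purging unmanaged rules' do
+let(:params) do
+{
+'purge_unmanaged_rules' => true,
+'inmem_rules_hash_file' => '/foo/bar',
+}
+end
+
+it { is_expected.not_to contain_file('/foo/bar') }
+it {
+is_expected.to contain_exec('nftables_running_state_check').with(
+command: %r{^echo "reloading nftables"$},
+notify: 'Service[nftables]',
+unless: %r{^/usr/bin/test -s /var/tmp/nftables_hash -a "\$\(nft -s list ruleset \| sha1sum\)" = "\$\(cat /foo/bar\)"$}
+)
+}
+it {
+is_expected.to contain_exec('generate_nftables_hash').with(
+command: %r{^nft -s list ruleset \| sha1sum > /foo/bar$},
+subscribe: 'Service[nftables]',
+refreshonly: true,
+)
+}
+end
+
 %w[ip ip6 inet arp bridge netdev].each do |family|
 context "with noflush_tables parameter set to valid family #{family}" do
 let(:params) do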
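Review bot: The negative assertion at new line 138 checks `contain_exec('generate_ntfables_hash')`, a misspelling of the resource name `generate_nftables_hash` declared in manifests/init.pp, so it passes no matter what the catalog contains and guards nothing. Change it to `expect(subject).not_to contain_exec('generate_nftables_hash')`. The `unless:` regex at new line 326 also pins the hard-coded `/var/tmp/nftables_hash` path next to the `/foo/bar` hash file; if the manifest is changed to use `inmem_rules_hash_file` for both the existence test and the comparison, this expectation has to follow.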