Projet

Général

Profil

Révision 0b1e3353

ID0b1e33532045343863de8c760b102e9050efdd18
Parent c3cd68d6
Enfant c6941cfe

Ajouté par canihavethisone il y a 10 mois

Added purge_unmanaged_rules new variant of method

Voir les différences:

manifests/init.pp
46 46 
# @param nat_table_name
47 47 
#   The name of the 'nat' table.
48 48 
#
49 
# @param purge_unmanaged_rules
50 
#   Prohibits in-memory rules that are not declared in Puppet
51 
#   code. Setting this to true activates a check that restarts nftables
52 
#   if the rules in memory have been modified without Puppet.
53 
#
54 
# @param inmem_rules_hash_file
55 
#   The name of the file where the hash of the in-memory rules
56 
#   will be stored.
57 
#
49 58 
# @param sets
50 59 
#   Allows sourcing set definitions directly from Hiera.
51 60 
#
......
134 143 
  Boolean $fwd_drop_invalid = $fwd_conntrack,
135 144 
  Boolean $inet_filter = true,
136 145 
  Boolean $nat = true,
146 
  Boolean $purge_unmanaged_rules = false,
137 147 
  Hash $rules = {},
138 148 
  Hash $sets = {},
139 149 
  String $log_prefix = '[nftables] %<chain>s %<comment>s',
140 150 
  String[1] $nat_table_name = 'nat',
151 
  Stdlib::Unixpath $inmem_rules_hash_file = '/run/puppet-nft-memhash',
141 152 
  Boolean $log_discarded = true,
142 153 
  Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets',
143 154 
  Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable',
......
221 232 
    restart    => 'PATH=/usr/bin:/bin systemctl reload nftables',
222 233 
  }
223 234 

  		




  
  235
  
    
  if $purge_unmanaged_rules {


  		




  
  236
  
    
    # Reload the nftables ruleset from the on-disk ruleset if there are differences or it is absent. -s must be used to ignore counters


  		




  
  237
  
    
    exec { 'nftables_running_state_check':


  		




  
  238
  
    
      command => 'echo "reloading nftables"',


  		




  
  239
  
    
      path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],


  		




  
  240
  
    
      unless  => "/usr/bin/test -s /var/tmp/nftables_hash -a \"$(nft -s list ruleset | sha1sum)\" = \"$(cat ${inmem_rules_hash_file})\"",


  		




  
  241
  
    
      notify  => Service['nftables'],


  		




  
  242
  
    
    }


  		




  
  243
  
    

  		




  
  244
  
    
    # Generate nftables_hash upon any changes from the nftables service 


  		




  
  245
  
    
    exec { 'generate_nftables_hash':


  		




  
  246
  
    
      command     => "nft -s list ruleset | sha1sum > ${inmem_rules_hash_file}",


  		




  
  247
  
    
      path        => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],     


  		




  
  248
  
    
      subscribe   => Service['nftables'],


  		




  
  249
  
    
      refreshonly => true,


  		




  
  250
  
    
    }


  		




  
  251
  
    
  }


  		




  
  252
  
    

  		




  224
  253
  
    
  systemd::dropin_file { 'puppet_nft.conf':


  		




  225
  254
  
    
    ensure  => present,


  		




  226
  255
  
    
    unit    => 'nftables.service',


  		












Formats disponibles :  Unified diff