root / manifests / simplerule.pp @ 0b2ccdda
Historique | Voir | Annoter | Télécharger (3,05 ko)
| 1 |
# @summary Provides a simplified interface to nftables::rule |
|---|---|
| 2 |
# |
| 3 |
# @example allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets |
| 4 |
# nftables::simplerule{'my_service_in':
|
| 5 |
# action => 'accept', |
| 6 |
# comment => 'allow traffic to port 543', |
| 7 |
# counter => true, |
| 8 |
# proto => 'tcp', |
| 9 |
# dport => 543, |
| 10 |
# daddr => '2001:1458::/32', |
| 11 |
# sport => 541, |
| 12 |
# } |
| 13 |
# @param ensure |
| 14 |
# Should the rule be created. |
| 15 |
# |
| 16 |
# @param rulename |
| 17 |
# The symbolic name for the rule to add. Defaults to the resource's title. |
| 18 |
# |
| 19 |
# @param order |
| 20 |
# A number representing the order of the rule. |
| 21 |
# |
| 22 |
# @param chain |
| 23 |
# The name of the chain to add this rule to. |
| 24 |
# |
| 25 |
# @param table |
| 26 |
# The name of the table to add this rule to. |
| 27 |
# |
| 28 |
# @param action |
| 29 |
# The verdict for the matched traffic. |
| 30 |
# |
| 31 |
# @param comment |
| 32 |
# A typically human-readable comment for the rule. |
| 33 |
# |
| 34 |
# @param dport |
| 35 |
# The destination port, ports or port range. |
| 36 |
# |
| 37 |
# @param proto |
| 38 |
# The transport-layer protocol to match. |
| 39 |
# |
| 40 |
# @param daddr |
| 41 |
# The destination address, CIDR or set to match. |
| 42 |
# |
| 43 |
# @param set_type |
| 44 |
# When using sets as saddr or daddr, the type of the set. |
| 45 |
# Use `ip` for sets of type `ipv4_addr`. |
| 46 |
# |
| 47 |
# @param sport |
| 48 |
# The source port, ports or port range. |
| 49 |
# |
| 50 |
# @param saddr |
| 51 |
# The source address, CIDR or set to match. |
| 52 |
# |
| 53 |
# @param counter |
| 54 |
# Enable traffic counters for the matched traffic. |
| 55 |
# |
| 56 |
# @param iifname |
| 57 |
# Optional filter for the incoming interface |
| 58 |
# @param oifname |
| 59 |
# Optional filter for the outgoing interface |
| 60 |
define nftables::simplerule ( |
| 61 |
Enum['present','absent'] $ensure = 'present', |
| 62 |
Nftables::SimpleRuleName $rulename = $title, |
| 63 |
Pattern[/^\d\d$/] $order = '50', |
| 64 |
String $chain = 'default_in', |
| 65 |
String $table = 'inet-filter', |
| 66 |
Enum['accept', 'continue', 'drop', 'queue', 'return'] $action = 'accept', |
| 67 |
Optional[String] $comment = undef, |
| 68 |
Optional[Nftables::Port] $dport = undef, |
| 69 |
Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']] $proto = undef, |
| 70 |
Optional[Nftables::Addr] $daddr = undef, |
| 71 |
Enum['ip', 'ip6'] $set_type = 'ip6', |
| 72 |
Optional[Nftables::Port] $sport = undef, |
| 73 |
Optional[Nftables::Addr] $saddr = undef, |
| 74 |
Boolean $counter = false, |
| 75 |
Variant[Array[String[1]],String[1]] $iifname = [], |
| 76 |
Variant[Array[String[1]],String[1]] $oifname = [], |
| 77 |
) {
|
| 78 |
if $dport and !$proto {
|
| 79 |
fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
|
| 80 |
} |
| 81 |
|
| 82 |
if $sport and !$proto {
|
| 83 |
fail('Specifying a transport protocol via $proto is mandatory when passing a $sport')
|
| 84 |
} |
| 85 |
|
| 86 |
if $ensure == 'present' {
|
| 87 |
nftables::rule { "${chain}-${rulename}":
|
| 88 |
content => epp('nftables/simplerule.epp',
|
| 89 |
{
|
| 90 |
'action' => $action, |
| 91 |
'comment' => $comment, |
| 92 |
'counter' => $counter, |
| 93 |
'daddr' => $daddr, |
| 94 |
'dport' => $dport, |
| 95 |
'proto' => $proto, |
| 96 |
'saddr' => $saddr, |
| 97 |
'set_type' => $set_type, |
| 98 |
'sport' => $sport, |
| 99 |
'iifname' => [$iifname].flatten, |
| 100 |
'oifname' => [$oifname].flatten, |
| 101 |
} |
| 102 |
), |
| 103 |
order => $order, |
| 104 |
table => $table, |
| 105 |
} |
| 106 |
} |
| 107 |
} |