root / manifests / chain.pp @ 0b7bcb5d
Historique | Voir | Annoter | Télécharger (1,69 ko)
| 1 | 8efbdf9a | tr | # manage a chain |
|---|---|---|---|
| 2 | 11bf7237 | Steve Traylen | define nftables::chain ( |
| 3 | 09cba182 | Steve Traylen | # lint:ignore:parameter_documentation |
| 4 | 31b17627 | Steve Traylen | Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/] $table = 'inet-filter', |
| 5 | Pattern[/^[a-zA-Z0-9_]+$/] $chain = $title, |
||
| 6 | Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]] $inject = undef, |
||
| 7 | Optional[String] $inject_iif = undef, |
||
| 8 | Optional[String] $inject_oif = undef, |
||
| 9 | 09cba182 | Steve Traylen | # lint:endignore |
| 10 | 11bf7237 | Steve Traylen | ) {
|
| 11 | 8efbdf9a | tr | $concat_name = "nftables-${table}-chain-${chain}"
|
| 12 | |||
| 13 | 11bf7237 | Steve Traylen | concat {
|
| 14 | 8efbdf9a | tr | $concat_name: |
| 15 | 30462da1 | Steve Traylen | path => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
| 16 | 8efbdf9a | tr | owner => root, |
| 17 | group => root, |
||
| 18 | 0b7bcb5d | mh | mode => $nftables::default_config_mode, |
| 19 | 8efbdf9a | tr | ensure_newline => true, |
| 20 | require => Package['nftables'], |
||
| 21 | 11bf7237 | Steve Traylen | } ~> Exec['nft validate'] -> file {
|
| 22 | 30462da1 | Steve Traylen | "/etc/nftables/puppet/${table}-chain-${chain}.nft":
|
| 23 | 11bf7237 | Steve Traylen | ensure => file, |
| 24 | source => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
||
| 25 | owner => root, |
||
| 26 | group => root, |
||
| 27 | 0b7bcb5d | mh | mode => $nftables::default_config_mode, |
| 28 | 30462da1 | Steve Traylen | } ~> Service['nftables'] |
| 29 | 8efbdf9a | tr | |
| 30 | 11bf7237 | Steve Traylen | concat::fragment {
|
| 31 | 8efbdf9a | tr | default: |
| 32 | target => $concat_name; |
||
| 33 | "${concat_name}-header":
|
||
| 34 | order => '00', |
||
| 35 | e53053ce | Steve Traylen | content => "# Start of fragment order:00 ${chain} header\nchain ${chain} {";
|
| 36 | 8efbdf9a | tr | "${concat_name}-footer":
|
| 37 | order => '99', |
||
| 38 | e53053ce | Steve Traylen | content => "# Start of fragment order:99 ${chain} footer\n}";
|
| 39 | 8efbdf9a | tr | } |
| 40 | |||
| 41 | if $inject {
|
||
| 42 | $data = split($inject, '-') |
||
| 43 | af544fea | tr | $iif = $inject_iif ? {
|
| 44 | undef => '', |
||
| 45 | default => "iifname ${inject_iif} ",
|
||
| 46 | } |
||
| 47 | $oif = $inject_oif ? {
|
||
| 48 | undef => '', |
||
| 49 | default => "oifname ${inject_oif} ",
|
||
| 50 | } |
||
| 51 | 11bf7237 | Steve Traylen | nftables::rule { "${data[1]}-jump_${chain}":
|
| 52 | 8efbdf9a | tr | order => $data[0], |
| 53 | af544fea | tr | content => "${iif}${oif}jump ${chain}",
|
| 54 | 8efbdf9a | tr | } |
| 55 | } |
||
| 56 | } |