Révision 0c9bc308
Add support for Arch Linux
Arch Linux stores the configuration in a different path and does not
provide firewalld without explicit installation.
This basically the same as #66 – I've reused their code since it hasn't
been merged in a while.
| data/common.yaml | ||
|---|---|---|
| 1 |
--- {}
|
|
| 1 |
--- |
|
| 2 |
|
|
| 3 |
nftables::configuration_path: '/etc/sysconfig/nftables.conf' |
|
| data/os/Archlinux.yaml | ||
|---|---|---|
| 1 |
--- |
|
| 2 |
|
|
| 3 |
# firewalld is not installed by default in Arch Linux |
|
| 4 |
nftables::firewalld_enable: false |
|
| 5 |
|
|
| 6 |
nftables::configuration_path: /etc/nftables.conf |
|
| files/systemd/puppet_nft.conf | ||
|---|---|---|
| 1 |
# Puppet Deployed |
|
| 2 |
[Service] |
|
| 3 |
RemainAfterExit=yes |
|
| 4 |
ExecStart= |
|
| 5 |
ExecStart=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf |
|
| 6 |
ExecReload= |
|
| 7 |
ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf |
|
| 8 |
|
|
| manifests/init.pp | ||
|---|---|---|
| 86 | 86 |
# @param rules |
| 87 | 87 |
# Specify hashes of `nftables::rule`s via hiera |
| 88 | 88 |
# |
| 89 |
# @param configuration_path |
|
| 90 |
# The absolute path to the principal nftables configuration file. The default |
|
| 91 |
# varies depending on the system, and is set in the module's data. |
|
| 92 |
# |
|
| 89 | 93 |
class nftables ( |
| 90 | 94 |
Boolean $in_ssh = true, |
| 91 | 95 |
Boolean $in_icmp = true, |
| ... | ... | |
| 107 | 111 |
Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable', |
| 108 | 112 |
Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask', |
| 109 | 113 |
Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] $noflush_tables = undef, |
| 114 |
Stdlib::Unixpath $configuration_path, |
|
| 110 | 115 |
) {
|
| 111 | 116 |
package { 'nftables':
|
| 112 | 117 |
ensure => installed, |
| 113 | 118 |
} -> file_line {
|
| 114 | 119 |
'enable_nftables': |
| 115 | 120 |
line => 'include "/etc/nftables/puppet.nft"', |
| 116 |
path => '/etc/sysconfig/nftables.conf',
|
|
| 121 |
path => $configuration_path,
|
|
| 117 | 122 |
notify => Service['nftables'], |
| 118 | 123 |
} -> file {
|
| 119 | 124 |
default: |
| 120 | 125 |
owner => 'root', |
| 121 | 126 |
group => 'root', |
| 122 | 127 |
mode => '0640'; |
| 128 |
'/etc/nftables': |
|
| 129 |
ensure => directory, |
|
| 130 |
mode => '0750'; |
|
| 123 | 131 |
'/etc/nftables/puppet-preflight': |
| 124 | 132 |
ensure => directory, |
| 125 | 133 |
mode => '0750', |
| ... | ... | |
| 167 | 175 |
systemd::dropin_file { 'puppet_nft.conf':
|
| 168 | 176 |
ensure => present, |
| 169 | 177 |
unit => 'nftables.service', |
| 170 |
content => file('nftables/systemd/puppet_nft.conf'),
|
|
| 178 |
content => epp('nftables/systemd/puppet_nft.conf.epp', {
|
|
| 179 |
'configuration_path' => $configuration_path, |
|
| 180 |
}), |
|
| 171 | 181 |
notify => Service['nftables'], |
| 172 | 182 |
} |
| 173 | 183 |
|
| metadata.json | ||
|---|---|---|
| 48 | 48 |
"8", |
| 49 | 49 |
"9" |
| 50 | 50 |
] |
| 51 |
}, |
|
| 52 |
{
|
|
| 53 |
"operatingsystem": "Archlinux" |
|
| 51 | 54 |
} |
| 52 | 55 |
], |
| 53 | 56 |
"requirements": [ |
| spec/acceptance/all_rules_spec.rb | ||
|---|---|---|
| 78 | 78 |
elements => ['192.168.0.1', '10.0.0.2'], |
| 79 | 79 |
table => ['inet-filter', 'ip-nat'], |
| 80 | 80 |
} |
| 81 |
$config_path = case $facts['os']['family'] {
|
|
| 82 |
'Archlinux': {
|
|
| 83 |
'/etc/nftables.conf' |
|
| 84 |
} |
|
| 85 |
default: {
|
|
| 86 |
'/etc/sysconfig/nftables.conf' |
|
| 87 |
} |
|
| 88 |
} |
|
| 81 | 89 |
# nftables cannot be started in docker so replace service with a validation only. |
| 82 | 90 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| 83 | 91 |
ensure => present, |
| ... | ... | |
| 85 | 93 |
content => [ |
| 86 | 94 |
"[Service]", |
| 87 | 95 |
"ExecStart=", |
| 88 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 96 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 89 | 97 |
"ExecReload=", |
| 90 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 98 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 91 | 99 |
"", |
| 92 | 100 |
].join("\n"),
|
| 93 | 101 |
notify => Service["nftables"], |
| spec/acceptance/default_spec.rb | ||
|---|---|---|
| 11 | 11 |
class { 'nftables':
|
| 12 | 12 |
firewalld_enable => false, |
| 13 | 13 |
} |
| 14 |
$config_path = case $facts['os']['family'] {
|
|
| 15 |
'Archlinux': {
|
|
| 16 |
'/etc/nftables.conf' |
|
| 17 |
} |
|
| 18 |
default: {
|
|
| 19 |
'/etc/sysconfig/nftables.conf' |
|
| 20 |
} |
|
| 21 |
} |
|
| 14 | 22 |
# nftables cannot be started in docker so replace service with a validation only. |
| 15 | 23 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| 16 | 24 |
ensure => present, |
| ... | ... | |
| 18 | 26 |
content => [ |
| 19 | 27 |
"[Service]", |
| 20 | 28 |
"ExecStart=", |
| 21 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 29 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 22 | 30 |
"ExecReload=", |
| 23 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 31 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 24 | 32 |
"", |
| 25 | 33 |
].join("\n"),
|
| 26 | 34 |
notify => Service["nftables"], |
| ... | ... | |
| 58 | 66 |
nftables::rule{'default_out-junk':
|
| 59 | 67 |
content => 'A load of junk', |
| 60 | 68 |
} |
| 69 |
$config_path = case $facts['os']['family'] {
|
|
| 70 |
'Archlinux': {
|
|
| 71 |
'/etc/nftables.conf' |
|
| 72 |
} |
|
| 73 |
default: {
|
|
| 74 |
'/etc/sysconfig/nftables.conf' |
|
| 75 |
} |
|
| 76 |
} |
|
| 61 | 77 |
# nftables cannot be started in docker so replace service with a validation only. |
| 62 | 78 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| 63 | 79 |
ensure => present, |
| ... | ... | |
| 65 | 81 |
content => [ |
| 66 | 82 |
"[Service]", |
| 67 | 83 |
"ExecStart=", |
| 68 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 84 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 69 | 85 |
"ExecReload=", |
| 70 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 86 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 71 | 87 |
"", |
| 72 | 88 |
].join("\n"),
|
| 73 | 89 |
notify => Service["nftables"], |
| ... | ... | |
| 90 | 106 |
inet_filter => false, |
| 91 | 107 |
nat => false, |
| 92 | 108 |
} |
| 109 |
$config_path = case $facts['os']['family'] {
|
|
| 110 |
'Archlinux': {
|
|
| 111 |
'/etc/nftables.conf' |
|
| 112 |
} |
|
| 113 |
default: {
|
|
| 114 |
'/etc/sysconfig/nftables.conf' |
|
| 115 |
} |
|
| 116 |
} |
|
| 93 | 117 |
# nftables cannot be started in docker so replace service with a validation only. |
| 94 | 118 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| 95 | 119 |
ensure => present, |
| ... | ... | |
| 97 | 121 |
content => [ |
| 98 | 122 |
"[Service]", |
| 99 | 123 |
"ExecStart=", |
| 100 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 124 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 101 | 125 |
"ExecReload=", |
| 102 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 126 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 103 | 127 |
"", |
| 104 | 128 |
].join("\n"),
|
| 105 | 129 |
notify => Service["nftables"], |
| ... | ... | |
| 122 | 146 |
nat => true, |
| 123 | 147 |
nat_table_name => 'mycustomtablename', |
| 124 | 148 |
} |
| 149 |
$config_path = case $facts['os']['family'] {
|
|
| 150 |
'Archlinux': {
|
|
| 151 |
'/etc/nftables.conf' |
|
| 152 |
} |
|
| 153 |
default: {
|
|
| 154 |
'/etc/sysconfig/nftables.conf' |
|
| 155 |
} |
|
| 156 |
} |
|
| 125 | 157 |
# nftables cannot be started in docker so replace service with a validation only. |
| 126 | 158 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| 127 | 159 |
ensure => present, |
| ... | ... | |
| 129 | 161 |
content => [ |
| 130 | 162 |
"[Service]", |
| 131 | 163 |
"ExecStart=", |
| 132 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 164 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 133 | 165 |
"ExecReload=", |
| 134 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
|
|
| 166 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 135 | 167 |
"", |
| 136 | 168 |
].join("\n"),
|
| 137 | 169 |
notify => Service["nftables"], |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 14 | 14 |
it { is_expected.to contain_package('nftables') }
|
| 15 | 15 |
|
| 16 | 16 |
it {
|
| 17 |
is_expected.to contain_file('/etc/nftables').with(
|
|
| 18 |
ensure: 'directory', |
|
| 19 |
owner: 'root', |
|
| 20 |
group: 'root', |
|
| 21 |
mode: '0750' |
|
| 22 |
) |
|
| 23 |
} |
|
| 24 |
|
|
| 25 |
it {
|
|
| 17 | 26 |
expect(subject).to contain_file('/etc/nftables/puppet.nft').with(
|
| 18 | 27 |
ensure: 'file', |
| 19 | 28 |
owner: 'root', |
| ... | ... | |
| 73 | 82 |
) |
| 74 | 83 |
} |
| 75 | 84 |
|
| 76 |
it {
|
|
| 77 |
expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
|
|
| 78 |
content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$}
|
|
| 79 |
) |
|
| 80 |
} |
|
| 85 |
if os_facts[:os]['family'] == 'Archlinux' |
|
| 86 |
it {
|
|
| 87 |
expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
|
|
| 88 |
content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/nftables.conf$}
|
|
| 89 |
) |
|
| 90 |
} |
|
| 81 | 91 |
|
| 82 |
it {
|
|
| 83 |
expect(subject).to contain_service('firewalld').with(
|
|
| 84 |
ensure: 'stopped', |
|
| 85 |
enable: 'mask' |
|
| 86 |
) |
|
| 87 |
} |
|
| 92 |
it {
|
|
| 93 |
expect(subject).to contain_service('firewalld').with(
|
|
| 94 |
ensure: 'stopped', |
|
| 95 |
enable: false |
|
| 96 |
) |
|
| 97 |
} |
|
| 98 |
else |
|
| 99 |
it {
|
|
| 100 |
expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
|
|
| 101 |
content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$}
|
|
| 102 |
) |
|
| 103 |
} |
|
| 104 |
|
|
| 105 |
it {
|
|
| 106 |
expect(subject).to contain_service('firewalld').with(
|
|
| 107 |
ensure: 'stopped', |
|
| 108 |
enable: 'mask' |
|
| 109 |
) |
|
| 110 |
} |
|
| 111 |
end |
|
| 88 | 112 |
|
| 89 | 113 |
it { is_expected.to contain_class('nftables::inet_filter') }
|
| 90 | 114 |
it { is_expected.to contain_class('nftables::ip_nat') }
|
| templates/systemd/puppet_nft.conf.epp | ||
|---|---|---|
| 1 |
# Puppet Deployed |
|
| 2 |
[Service] |
|
| 3 |
RemainAfterExit=yes |
|
| 4 |
ExecStart= |
|
| 5 |
ExecStart=/sbin/nft -I /etc/nftables/puppet -f <%= $configuration_path %> |
|
| 6 |
ExecReload= |
|
| 7 |
ExecReload=/sbin/nft -I /etc/nftables/puppet -f <%= $configuration_path %> |
|
Formats disponibles : Unified diff