root / manifests / chain.pp @ 11bf7237
Historique | Voir | Annoter | Télécharger (1,59 ko)
| 1 | 8efbdf9a | tr | # manage a chain |
|---|---|---|---|
| 2 | 11bf7237 | Steve Traylen | define nftables::chain ( |
| 3 | 5df9303f | tr | Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/] |
| 4 | 11bf7237 | Steve Traylen | $table = 'inet-filter', |
| 5 | 8efbdf9a | tr | Pattern[/^[a-zA-Z0-9_]+$/] |
| 6 | 11bf7237 | Steve Traylen | $chain = $title, |
| 7 | 8efbdf9a | tr | Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]] |
| 8 | 11bf7237 | Steve Traylen | $inject = undef, |
| 9 | af544fea | tr | Optional[String] |
| 10 | 11bf7237 | Steve Traylen | $inject_iif = undef, |
| 11 | af544fea | tr | Optional[String] |
| 12 | 11bf7237 | Steve Traylen | $inject_oif = undef, |
| 13 | ) {
|
||
| 14 | 8efbdf9a | tr | $concat_name = "nftables-${table}-chain-${chain}"
|
| 15 | |||
| 16 | 11bf7237 | Steve Traylen | concat {
|
| 17 | 8efbdf9a | tr | $concat_name: |
| 18 | 30462da1 | Steve Traylen | path => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
| 19 | 8efbdf9a | tr | owner => root, |
| 20 | group => root, |
||
| 21 | mode => '0640', |
||
| 22 | ensure_newline => true, |
||
| 23 | require => Package['nftables'], |
||
| 24 | 11bf7237 | Steve Traylen | } ~> Exec['nft validate'] -> file {
|
| 25 | 30462da1 | Steve Traylen | "/etc/nftables/puppet/${table}-chain-${chain}.nft":
|
| 26 | 11bf7237 | Steve Traylen | ensure => file, |
| 27 | source => "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft",
|
||
| 28 | owner => root, |
||
| 29 | group => root, |
||
| 30 | mode => '0640', |
||
| 31 | 30462da1 | Steve Traylen | } ~> Service['nftables'] |
| 32 | 8efbdf9a | tr | |
| 33 | 11bf7237 | Steve Traylen | concat::fragment {
|
| 34 | 8efbdf9a | tr | default: |
| 35 | target => $concat_name; |
||
| 36 | "${concat_name}-header":
|
||
| 37 | order => '00', |
||
| 38 | e53053ce | Steve Traylen | content => "# Start of fragment order:00 ${chain} header\nchain ${chain} {";
|
| 39 | 8efbdf9a | tr | "${concat_name}-footer":
|
| 40 | order => '99', |
||
| 41 | e53053ce | Steve Traylen | content => "# Start of fragment order:99 ${chain} footer\n}";
|
| 42 | 8efbdf9a | tr | } |
| 43 | |||
| 44 | if $inject {
|
||
| 45 | $data = split($inject, '-') |
||
| 46 | af544fea | tr | $iif = $inject_iif ? {
|
| 47 | undef => '', |
||
| 48 | default => "iifname ${inject_iif} ",
|
||
| 49 | } |
||
| 50 | $oif = $inject_oif ? {
|
||
| 51 | undef => '', |
||
| 52 | default => "oifname ${inject_oif} ",
|
||
| 53 | } |
||
| 54 | 11bf7237 | Steve Traylen | nftables::rule { "${data[1]}-jump_${chain}":
|
| 55 | 8efbdf9a | tr | order => $data[0], |
| 56 | af544fea | tr | content => "${iif}${oif}jump ${chain}",
|
| 57 | 8efbdf9a | tr | } |
| 58 | } |
||
| 59 | } |