Révision 11bf7237
lint_fix results
| manifests/init.pp | ||
|---|---|---|
| 95 | 95 |
Hash $sets = {},
|
| 96 | 96 |
String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 97 | 97 |
Variant[Boolean[false], String] |
| 98 |
$log_limit = '3/minute burst 5 packets',
|
|
| 98 |
$log_limit = '3/minute burst 5 packets', |
|
| 99 | 99 |
Variant[Boolean[false], Pattern[ |
| 100 |
/icmp(v6|x)? type .+|tcp reset/]]
|
|
| 101 |
$reject_with = 'icmpx type port-unreachable',
|
|
| 100 |
/icmp(v6|x)? type .+|tcp reset/]] |
|
| 101 |
$reject_with = 'icmpx type port-unreachable', |
|
| 102 | 102 |
Variant[Boolean[false], Enum['mask']] |
| 103 |
$firewalld_enable = 'mask',
|
|
| 103 |
$firewalld_enable = 'mask', |
|
| 104 | 104 |
Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] |
| 105 |
$noflush_tables = undef,
|
|
| 105 |
$noflush_tables = undef, |
|
| 106 | 106 |
) {
|
| 107 |
|
|
| 108 |
package{'nftables':
|
|
| 107 |
package { 'nftables':
|
|
| 109 | 108 |
ensure => installed, |
| 110 |
} -> file_line{
|
|
| 109 |
} -> file_line {
|
|
| 111 | 110 |
'enable_nftables': |
| 112 | 111 |
line => 'include "/etc/nftables/puppet.nft"', |
| 113 | 112 |
path => '/etc/sysconfig/nftables.conf', |
| 114 | 113 |
notify => Service['nftables'], |
| 115 |
} -> file{
|
|
| 114 |
} -> file {
|
|
| 116 | 115 |
default: |
| 117 | 116 |
owner => 'root', |
| 118 | 117 |
group => 'root', |
| ... | ... | |
| 126 | 125 |
'/etc/nftables/puppet-preflight.nft': |
| 127 | 126 |
ensure => file, |
| 128 | 127 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
|
| 129 |
} ~> exec{
|
|
| 128 |
} ~> exec {
|
|
| 130 | 129 |
'nft validate': |
| 131 | 130 |
refreshonly => true, |
| 132 | 131 |
command => '/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( /usr/bin/echo "#CONFIG BROKEN" >> /etc/nftables/puppet-preflight.nft && /bin/false)'; |
| 133 |
} -> file{
|
|
| 132 |
} -> file {
|
|
| 134 | 133 |
default: |
| 135 | 134 |
owner => 'root', |
| 136 | 135 |
group => 'root', |
| ... | ... | |
| 144 | 143 |
purge => true, |
| 145 | 144 |
force => true, |
| 146 | 145 |
recurse => true; |
| 147 |
} ~> service{'nftables':
|
|
| 146 |
} ~> service { 'nftables':
|
|
| 148 | 147 |
ensure => running, |
| 149 | 148 |
enable => true, |
| 150 | 149 |
hasrestart => true, |
| 151 | 150 |
restart => '/usr/bin/systemctl reload nftables', |
| 152 | 151 |
} |
| 153 | 152 |
|
| 154 |
systemd::dropin_file{'puppet_nft.conf':
|
|
| 153 |
systemd::dropin_file { 'puppet_nft.conf':
|
|
| 155 | 154 |
ensure => present, |
| 156 | 155 |
unit => 'nftables.service', |
| 157 | 156 |
content => epp('nftables/systemd/puppet_nft.conf.epp', { 'noflush' => $noflush_tables }),
|
| 158 | 157 |
notify => Service['nftables'], |
| 159 | 158 |
} |
| 160 | 159 |
|
| 161 |
service{'firewalld':
|
|
| 160 |
service { 'firewalld':
|
|
| 162 | 161 |
ensure => stopped, |
| 163 | 162 |
enable => $firewalld_enable, |
| 164 | 163 |
} |
| ... | ... | |
| 170 | 169 |
|
| 171 | 170 |
# inject custom rules e.g. from hiera |
| 172 | 171 |
$rules.each |$n,$v| {
|
| 173 |
nftables::rule{
|
|
| 172 |
nftables::rule {
|
|
| 174 | 173 |
$n: |
| 175 |
* => $v |
|
| 174 |
* => $v,
|
|
| 176 | 175 |
} |
| 177 | 176 |
} |
| 178 | 177 |
|
| 179 | 178 |
# inject custom sets e.g. from hiera |
| 180 | 179 |
$sets.each |$n,$v| {
|
| 181 |
nftables::set{
|
|
| 180 |
nftables::set {
|
|
| 182 | 181 |
$n: |
| 183 |
* => $v |
|
| 182 |
* => $v,
|
|
| 184 | 183 |
} |
| 185 | 184 |
} |
| 186 | 185 |
} |
Formats disponibles : Unified diff