root / manifests / chain.pp @ 11bf7237

Historique | Voir | Annoter | Télécharger (1,59 ko)

1
# @summary Manage one nftables chain inside a table.
#
# The chain body is assembled with concat into a preflight file under
# /etc/nftables/puppet-preflight/, checked by Exec['nft validate'], and only
# then copied to /etc/nftables/puppet/ before Service['nftables'] is
# refreshed. A header fragment (order 00) opens the chain block and a footer
# fragment (order 99) closes it; rule fragments presumably target
# $concat_name with an order in between.
#
# @param table
#   Table the chain lives in, written as "<family>-<name>" (e.g. inet-filter).
# @param chain
#   Name of the chain; defaults to the resource title.
# @param inject
#   Optional "NN-<chain>" string. When set, an nftables::rule named
#   "<chain>-jump_${chain}" with order NN is declared, jumping from that
#   chain into this one.
# @param inject_iif
#   Optional input interface name, interpolated verbatim as "iifname <value>"
#   in front of the jump rule. Unlike $table and $chain it is not
#   pattern-checked, and Exec['nft validate'] only rejects syntax errors, so
#   pass a plain interface name rather than a composed expression.
# @param inject_oif
#   Optional output interface name; same handling and caveat as $inject_iif.
define nftables::chain (
  Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]
  $table = 'inet-filter',
  Pattern[/^[a-zA-Z0-9_]+$/]
  $chain = $title,
  Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]
  $inject = undef,
  Optional[String]
  $inject_iif = undef,
  Optional[String]
  $inject_oif = undef,
) {
  $concat_name    = "nftables-${table}-chain-${chain}"
  $preflight_path = "/etc/nftables/puppet-preflight/${table}-chain-${chain}.nft"
  $live_path      = "/etc/nftables/puppet/${table}-chain-${chain}.nft"

  # Assemble the chain in the preflight tree; any change there triggers the
  # ruleset validation before the file is promoted to the live directory.
  concat { $concat_name:
    path           => $preflight_path,
    owner          => root,
    group          => root,
    mode           => '0640',
    ensure_newline => true,
    require        => Package['nftables'],
    notify         => Exec['nft validate'],
  }

  # Promote the validated file; the service is refreshed only after the copy
  # in the live directory has been updated.
  file { $live_path:
    ensure  => file,
    source  => $preflight_path,
    owner   => root,
    group   => root,
    mode    => '0640',
    require => Exec['nft validate'],
    notify  => Service['nftables'],
  }

  # Open and close the chain block.
  concat::fragment { "${concat_name}-header":
    target  => $concat_name,
    order   => '00',
    content => "# Start of fragment order:00 ${chain} header\nchain ${chain} {",
  }
  concat::fragment { "${concat_name}-footer":
    target  => $concat_name,
    order   => '99',
    content => "# Start of fragment order:99 ${chain} footer\n}",
  }

  # Optionally hook this chain into another one with a jump rule.
  if $inject {
    # $inject matches /^\d\d-[a-zA-Z0-9_]+$/, so splitting on '-' yields
    # exactly [order, target chain].
    $inject_parts = split($inject, '-')
    $iif_match = if $inject_iif =~ Undef { '' } else { "iifname ${inject_iif} " }
    $oif_match = if $inject_oif =~ Undef { '' } else { "oifname ${inject_oif} " }
    nftables::rule { "${inject_parts[1]}-jump_${chain}":
      order   => $inject_parts[0],
      content => "${iif_match}${oif_match}jump ${chain}",
    }
  }
}