Révision 194e05d5
Add class for outgoing PXP connections
| REFERENCE.md | ||
|---|---|---|
| 53 | 53 |
* [`nftables::rules::out::pop3`](#nftablesrulesoutpop3): allow outgoing pop3 |
| 54 | 54 |
* [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres |
| 55 | 55 |
* [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet |
| 56 |
* [`nftables::rules::out::pxp_agent`](#nftablesrulesoutpxp_agent): manage outgoing pxp-agent |
|
| 56 | 57 |
* [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): allow outgoing smtp |
| 57 | 58 |
* [`nftables::rules::out::smtp_client`](#nftablesrulesoutsmtp_client): allow outgoing smtp client |
| 58 | 59 |
* [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh |
| ... | ... | |
| 829 | 830 |
|
| 830 | 831 |
Default value: `8140` |
| 831 | 832 |
|
| 833 |
### <a name="nftablesrulesoutpxp_agent"></a>`nftables::rules::out::pxp_agent` |
|
| 834 |
|
|
| 835 |
manage outgoing pxp-agent |
|
| 836 |
|
|
| 837 |
* **See also** |
|
| 838 |
* also |
|
| 839 |
* take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver |
|
| 840 |
|
|
| 841 |
#### Parameters |
|
| 842 |
|
|
| 843 |
The following parameters are available in the `nftables::rules::out::pxp_agent` class: |
|
| 844 |
|
|
| 845 |
* [`broker`](#broker) |
|
| 846 |
* [`broker_port`](#broker_port) |
|
| 847 |
|
|
| 848 |
##### <a name="broker"></a>`broker` |
|
| 849 |
|
|
| 850 |
Data type: `Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]]` |
|
| 851 |
|
|
| 852 |
PXP broker IP(s) |
|
| 853 |
|
|
| 854 |
##### <a name="broker_port"></a>`broker_port` |
|
| 855 |
|
|
| 856 |
Data type: `Stdlib::Port` |
|
| 857 |
|
|
| 858 |
PXP broker port |
|
| 859 |
|
|
| 860 |
Default value: `8142` |
|
| 861 |
|
|
| 832 | 862 |
### <a name="nftablesrulesoutsmtp"></a>`nftables::rules::out::smtp` |
| 833 | 863 |
|
| 834 | 864 |
allow outgoing smtp |
| manifests/rules/out/pxp_agent.pp | ||
|---|---|---|
| 1 |
# @summary manage outgoing pxp-agent |
|
| 2 |
# |
|
| 3 |
# @param broker PXP broker IP(s) |
|
| 4 |
# @param broker_port PXP broker port |
|
| 5 |
# |
|
| 6 |
# @see also take a look at nftables::rules::out::puppet, because the PXP agent also connects to a Puppetserver |
|
| 7 |
# |
|
| 8 |
class nftables::rules::out::pxp_agent ( |
|
| 9 |
Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]] $broker, |
|
| 10 |
Stdlib::Port $broker_port = 8142, |
|
| 11 |
) {
|
|
| 12 |
Array($broker, true).each |$index,$ps| {
|
|
| 13 |
nftables::rule {
|
|
| 14 |
"default_out-pxpagent-${index}":
|
|
| 15 |
} |
|
| 16 |
if $ps =~ Stdlib::IP::Address::V6 {
|
|
| 17 |
Nftables::Rule["default_out-pxpagent-${index}"] {
|
|
| 18 |
content => "ip6 daddr ${ps} tcp dport ${broker_port} accept",
|
|
| 19 |
} |
|
| 20 |
} else {
|
|
| 21 |
Nftables::Rule["default_out-pxpagent-${index}"] {
|
|
| 22 |
content => "ip daddr ${ps} tcp dport ${broker_port} accept",
|
|
| 23 |
} |
|
| 24 |
} |
|
| 25 |
} |
|
| 26 |
} |
|
| spec/acceptance/all_rules_spec.rb | ||
|---|---|---|
| 57 | 57 |
class{'nftables::rules::out::puppet':
|
| 58 | 58 |
puppetserver => '127.0.0.1', |
| 59 | 59 |
} |
| 60 |
class{'nftables::rules::out::pxp_agent':
|
|
| 61 |
broker => '127.0.0.1', |
|
| 62 |
} |
|
| 60 | 63 |
include nftables::rules::out::all |
| 61 | 64 |
include nftables::rules::out::tor |
| 62 | 65 |
include nftables::rules::out::ospf3 |
| spec/classes/rules/out/pxp_agent_spec.rb | ||
|---|---|---|
| 1 |
# frozen_string_literal: true |
|
| 2 |
|
|
| 3 |
require 'spec_helper' |
|
| 4 |
|
|
| 5 |
describe 'nftables::rules::out::pxp_agent' do |
|
| 6 |
on_supported_os.each do |os, os_facts| |
|
| 7 |
context "on #{os}" do
|
|
| 8 |
let(:facts) { os_facts }
|
|
| 9 |
let(:params) do |
|
| 10 |
{ broker: '1.2.3.4' }
|
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'default options' do |
|
| 14 |
it { is_expected.to compile.with_all_deps }
|
|
| 15 |
it { is_expected.to contain_nftables__rule('default_out-pxpagent-0').with_content('ip daddr 1.2.3.4 tcp dport 8142 accept') }
|
|
| 16 |
end |
|
| 17 |
|
|
| 18 |
context 'with different port' do |
|
| 19 |
let(:params) do |
|
| 20 |
super().merge({ broker_port: 8141 })
|
|
| 21 |
end |
|
| 22 |
|
|
| 23 |
it { is_expected.to compile.with_all_deps }
|
|
| 24 |
it { is_expected.to contain_nftables__rule('default_out-pxpagent-0').with_content('ip daddr 1.2.3.4 tcp dport 8141 accept') }
|
|
| 25 |
end |
|
| 26 |
|
|
| 27 |
context 'with ipv6 address' do |
|
| 28 |
let(:params) do |
|
| 29 |
{ broker: 'fe80::1' }
|
|
| 30 |
end |
|
| 31 |
|
|
| 32 |
it { is_expected.to compile.with_all_deps }
|
|
| 33 |
it { is_expected.to contain_nftables__rule('default_out-pxpagent-0').with_content('ip6 daddr fe80::1 tcp dport 8142 accept') }
|
|
| 34 |
end |
|
| 35 |
|
|
| 36 |
context 'with ipv6 & ipv4 address' do |
|
| 37 |
let(:params) do |
|
| 38 |
{ broker: ['fe80::1', '1.2.3.4'] }
|
|
| 39 |
end |
|
| 40 |
|
|
| 41 |
it { is_expected.to compile.with_all_deps }
|
|
| 42 |
it { is_expected.to contain_nftables__rule('default_out-pxpagent-0').with_content('ip6 daddr fe80::1 tcp dport 8142 accept') }
|
|
| 43 |
it { is_expected.to contain_nftables__rule('default_out-pxpagent-1').with_content('ip daddr 1.2.3.4 tcp dport 8142 accept') }
|
|
| 44 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-pxpagent-0') }
|
|
| 45 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-pxpagent-0_header') }
|
|
| 46 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-pxpagent-1') }
|
|
| 47 |
it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_out-rule-pxpagent-1_header') }
|
|
| 48 |
end |
|
| 49 |
end |
|
| 50 |
end |
|
| 51 |
end |
|
Formats disponibles : Unified diff