Révision 1a4f336e
start declaring the 'global' chain with module resources
the 'global' chain is a vestigial piece of early development on this
module, but it can be useful for creating fast short-circuits like
blocking traffic that match a certain set of IPs.
in the current state we can't inject rules inside the 'global' chain
since it's unknown to puppet. so let's remove the hard-coded definition
and use a puppet resource to declare it.
| files/config/puppet-inet-filter.nft | ||
|---|---|---|
| 1 | 1 |
include "inet-filter-chain-*.nft" |
| 2 |
|
|
| 3 |
# something we want for all |
|
| 4 |
chain global {
|
|
| 5 |
} |
|
| manifests/inet_filter.pp | ||
|---|---|---|
| 18 | 18 |
'INPUT', |
| 19 | 19 |
'OUTPUT', |
| 20 | 20 |
'FORWARD', |
| 21 |
'global', |
|
| 21 | 22 |
]:; |
| 22 | 23 |
} |
| 23 | 24 |
|
Formats disponibles : Unified diff