/ - Diff - puppet nftables - Koumbit's Redmine

Révision 1bf717d9

ID	1bf717d906b9b7be0679d63f7489c7edc3ada73c
Parent	9dca9bc3
Enfant	18b211e7

Ajouté par Luis Fernández Álvarez il y a environ 4 ans

Add optional handling of chains

     #   Interface name used by docker.
     # @param docker_prefix
     #   The address space used by docker.
+    #
     # @param manage_docker_chains
     #   Flag to control whether the class should create the docker related chains.
     # @param manage_base_chains
     #   Flag to control whether the class should create the base common chains.
     class nftables::rules::docker_ce (
       String[1]                     $docker_interface = 'docker0',
       Stdlib::IP::Address::V4::CIDR $docker_prefix    = '172.17.0.0/16',
       String[1]                     $docker_interface     = 'docker0',
       Stdlib::IP::Address::V4::CIDR $docker_prefix        = '172.17.0.0/16',
       Boolean                       $manage_docker_chains = true,
       Boolean                       $manage_base_chains   = true,
     ) {
+      #
       # inet-filter
+      #
       nftables::chain {
         'DOCKER': ;
         'DOCKER_ISOLATION_STAGE_1': ;
         'DOCKER_ISOLATION_STAGE_2': ;
         'DOCKER_USER': ;
       if $manage_docker_chains {
         nftables::chain {
           'DOCKER': ;
           'DOCKER_ISOLATION_STAGE_1': ;
           'DOCKER_ISOLATION_STAGE_2': ;
           'DOCKER_USER': ;
+        }
+      }
       nftables::rule {
-...
       # ip-nat
+      #
       nftables::chain {
         'DOCKER-nat':
           table => 'ip-nat',
           chain => 'DOCKER';
         'OUTPUT-nat':
           table => 'ip-nat',
           chain => 'OUTPUT';
         'INPUT-nat':
           table => 'ip-nat',
           chain => 'INPUT';
       if $manage_docker_chains {
         nftables::chain {
           'DOCKER-nat':
             table => 'ip-nat',
             chain => 'DOCKER';
+        }
+      }
       if $manage_base_chains {
         nftables::chain {
           'OUTPUT-nat':
             table => 'ip-nat',
             chain => 'OUTPUT';
           'INPUT-nat':
             table => 'ip-nat',
             chain => 'INPUT';
+        }
+      }
       nftables::rule {

+            }
           end
           context 'with base chain management false' do
             let(:params) do
+              {
                 manage_base_chains: false,
+              }
             end
             it { is_expected.to compile }
             it { is_expected.to contain_nftables__chain('DOCKER') }
             it { is_expected.to contain_nftables__chain('DOCKER_ISOLATION_STAGE_1') }
             it { is_expected.to contain_nftables__chain('DOCKER_ISOLATION_STAGE_2') }
             it { is_expected.to contain_nftables__chain('DOCKER_USER') }
             it { is_expected.to contain_nftables__chain('DOCKER-nat') }
             it { is_expected.not_to contain_nftables__chain('OUTPUT-nat') }
             it { is_expected.not_to contain_nftables__chain('INPUT-nat') }
           end
           context 'with docker chain management false' do
             let(:params) do
+              {
                 manage_docker_chains: false,
+              }
             end
             it { is_expected.to compile }
             it { is_expected.not_to contain_nftables__chain('DOCKER') }
             it { is_expected.not_to contain_nftables__chain('DOCKER_ISOLATION_STAGE_1') }
             it { is_expected.not_to contain_nftables__chain('DOCKER_ISOLATION_STAGE_2') }
             it { is_expected.not_to contain_nftables__chain('DOCKER_USER') }
             it { is_expected.not_to contain_nftables__chain('DOCKER-nat') }
             it { is_expected.to contain_nftables__chain('OUTPUT-nat') }
             it { is_expected.to contain_nftables__chain('INPUT-nat') }
           end
           context 'with custom interface and subnet' do
             let(:params) do
+              {

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision 1bf717d9