Projet

Général

Profil

Révision 1bf717d9

ID1bf717d906b9b7be0679d63f7489c7edc3ada73c
Parent 9dca9bc3
Enfant 18b211e7

Ajouté par Luis Fernández Álvarez il y a environ 4 ans

Add optional handling of chains

Voir les différences:

manifests/rules/docker_ce.pp
12 12 
#   Interface name used by docker.
13 13 
# @param docker_prefix
14 14 
#   The address space used by docker.
15 
#
15 
# @param manage_docker_chains
16 
#   Flag to control whether the class should create the docker related chains.
17 
# @param manage_base_chains
18 
#   Flag to control whether the class should create the base common chains.
16 19 
class nftables::rules::docker_ce (
17 
  String[1]                     $docker_interface = 'docker0',
18 
  Stdlib::IP::Address::V4::CIDR $docker_prefix    = '172.17.0.0/16',
20 
  String[1]                     $docker_interface     = 'docker0',
21 
  Stdlib::IP::Address::V4::CIDR $docker_prefix        = '172.17.0.0/16',
22 
  Boolean                       $manage_docker_chains = true,
23 
  Boolean                       $manage_base_chains   = true,
19 24 
) {
20 25 
  #
21 26 
  # inet-filter
22 27 
  #
23 

  		




  24
  
  
    
  nftables::chain {


  		




  25
  
  
    
    'DOCKER': ;


  		




  26
  
  
    
    'DOCKER_ISOLATION_STAGE_1': ;


  		




  27
  
  
    
    'DOCKER_ISOLATION_STAGE_2': ;


  		




  28
  
  
    
    'DOCKER_USER': ;


  		




  
  28
  
    
  if $manage_docker_chains {


  		




  
  29
  
    
    nftables::chain {


  		




  
  30
  
    
      'DOCKER': ;


  		




  
  31
  
    
      'DOCKER_ISOLATION_STAGE_1': ;


  		




  
  32
  
    
      'DOCKER_ISOLATION_STAGE_2': ;


  		




  
  33
  
    
      'DOCKER_USER': ;


  		




  
  34
  
    
    }


  		




  29
  35
  
    
  }


  		




  30
  36
  
    

  		




  31
  37
  
    
  nftables::rule {


  		




  ......




  71
  77
  
    
  # ip-nat


  		




  72
  78
  
    
  #


  		




  73
  79
  
    

  		




  74
  
  
    
  nftables::chain {


  		




  75
  
  
    
    'DOCKER-nat':


  		




  76
  
  
    
      table => 'ip-nat',


  		




  77
  
  
    
      chain => 'DOCKER';


  		




  78
  
  
    
    'OUTPUT-nat':


  		




  79
  
  
    
      table => 'ip-nat',


  		




  80
  
  
    
      chain => 'OUTPUT';


  		




  81
  
  
    
    'INPUT-nat':


  		




  82
  
  
    
      table => 'ip-nat',


  		




  83
  
  
    
      chain => 'INPUT';


  		




  
  80
  
    
  if $manage_docker_chains {


  		




  
  81
  
    
    nftables::chain {


  		




  
  82
  
    
      'DOCKER-nat':


  		




  
  83
  
    
        table => 'ip-nat',


  		




  
  84
  
    
        chain => 'DOCKER';


  		




  
  85
  
    
    }


  		




  
  86
  
    
  }


  		




  
  87
  
    

  		




  
  88
  
    
  if $manage_base_chains {


  		




  
  89
  
    
    nftables::chain {


  		




  
  90
  
    
      'OUTPUT-nat':


  		




  
  91
  
    
        table => 'ip-nat',


  		




  
  92
  
    
        chain => 'OUTPUT';


  		




  
  93
  
    
      'INPUT-nat':


  		




  
  94
  
    
        table => 'ip-nat',


  		




  
  95
  
    
        chain => 'INPUT';


  		




  
  96
  
    
    }


  		




  84
  97
  
    
  }


  		




  85
  98
  
    

  		




  86
  99
  
    
  nftables::rule {


  		












Formats disponibles :  Unified diff