Révision 20b96360
Add support for named sets
| README.md | ||
|---|---|---|
| 71 | 71 |
`CHAIN_NAME`. |
| 72 | 72 |
|
| 73 | 73 |
You can define the order by using the `order` param. |
| 74 |
|
|
| 75 |
## nftsables::set |
|
| 76 |
|
|
| 77 |
Adds a named set to a given table. It allows composing the |
|
| 78 |
set using individual parameters but also takes raw input |
|
| 79 |
via the content and source parameters. |
|
| manifests/set.pp | ||
|---|---|---|
| 1 |
# manage a named set |
|
| 2 |
define nftables::set( |
|
| 3 |
Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark'] |
|
| 4 |
$type, |
|
| 5 |
Enum['present','absent'] |
|
| 6 |
$ensure = 'present', |
|
| 7 |
Pattern[/^[a-zA-Z0-9_]+$/] |
|
| 8 |
$setname = $title, |
|
| 9 |
Pattern[/^\d\d$/] |
|
| 10 |
$order = '10', |
|
| 11 |
String |
|
| 12 |
$table = 'inet-filter', |
|
| 13 |
Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4] |
|
| 14 |
$flags = [], |
|
| 15 |
Optional[Integer] |
|
| 16 |
$timeout = undef, |
|
| 17 |
Optional[Integer] |
|
| 18 |
$gc_interval = undef, |
|
| 19 |
Optional[Array[String]] |
|
| 20 |
$elements = undef, |
|
| 21 |
Optional[Integer] |
|
| 22 |
$size = undef, |
|
| 23 |
Optional[Enum['performance', 'memory']] |
|
| 24 |
$policy = undef, |
|
| 25 |
Boolean |
|
| 26 |
$auto_merge = false, |
|
| 27 |
Optional[String] |
|
| 28 |
$content = undef, |
|
| 29 |
Optional[Variant[String,Array[String,1]]] |
|
| 30 |
$source = undef, |
|
| 31 |
){
|
|
| 32 |
|
|
| 33 |
if $size and $elements {
|
|
| 34 |
if length($elements) > $size {
|
|
| 35 |
fail("Max size of set ${setname} of ${size} is not being respected")
|
|
| 36 |
} |
|
| 37 |
} |
|
| 38 |
|
|
| 39 |
if $ensure == 'present' {
|
|
| 40 |
concat::fragment{
|
|
| 41 |
"nftables-${table}-set-${setname}":
|
|
| 42 |
order => $order, |
|
| 43 |
target => "nftables-${table}",
|
|
| 44 |
} |
|
| 45 |
|
|
| 46 |
if $content {
|
|
| 47 |
Concat::Fragment["nftables-${table}-set-${setname}"]{
|
|
| 48 |
content => " ${content}",
|
|
| 49 |
} |
|
| 50 |
} elsif $source {
|
|
| 51 |
Concat::Fragment["nftables-${table}-set-${setname}"]{
|
|
| 52 |
source => $source, |
|
| 53 |
} |
|
| 54 |
} else {
|
|
| 55 |
Concat::Fragment["nftables-${table}-set-${setname}"]{
|
|
| 56 |
content => epp('nftables/set.epp',
|
|
| 57 |
{
|
|
| 58 |
'name' => $setname, |
|
| 59 |
'type' => $type, |
|
| 60 |
'flags' => $flags, |
|
| 61 |
'timeout' => $timeout, |
|
| 62 |
'gc_interval' => $gc_interval, |
|
| 63 |
'elements' => $elements, |
|
| 64 |
'size' => $size, |
|
| 65 |
'policy' => $policy, |
|
| 66 |
'auto_merge' => $auto_merge, |
|
| 67 |
} |
|
| 68 |
) |
|
| 69 |
} |
|
| 70 |
} |
|
| 71 |
} |
|
| 72 |
} |
|
| spec/defines/set_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::set' do |
|
| 4 |
let(:pre_condition) { 'include nftables' }
|
|
| 5 |
|
|
| 6 |
let(:title) { 'my_set' }
|
|
| 7 |
|
|
| 8 |
on_supported_os.each do |os, os_facts| |
|
| 9 |
context "on #{os}" do
|
|
| 10 |
let(:facts) { os_facts }
|
|
| 11 |
|
|
| 12 |
describe 'minimum instantiation' do |
|
| 13 |
let(:params) do |
|
| 14 |
{
|
|
| 15 |
type: 'ipv4_addr', |
|
| 16 |
} |
|
| 17 |
end |
|
| 18 |
|
|
| 19 |
it { is_expected.to compile }
|
|
| 20 |
it {
|
|
| 21 |
is_expected.to contain_concat__fragment('nftables-inet-filter-set-my_set').with(
|
|
| 22 |
target: 'nftables-inet-filter', |
|
| 23 |
content: %r{^ set my_set \{\n type ipv4_addr\n \}$}m,
|
|
| 24 |
order: '10', |
|
| 25 |
) |
|
| 26 |
} |
|
| 27 |
end |
|
| 28 |
|
|
| 29 |
describe 'max size exceeding the prepopulated elements' do |
|
| 30 |
let(:params) do |
|
| 31 |
{
|
|
| 32 |
type: 'ipv6_addr', |
|
| 33 |
elements: ['2001:1458::/32', '2001:1458:1::/48'], |
|
| 34 |
size: 1, |
|
| 35 |
} |
|
| 36 |
end |
|
| 37 |
|
|
| 38 |
it { is_expected.not_to compile }
|
|
| 39 |
end |
|
| 40 |
|
|
| 41 |
describe 'invalid type' do |
|
| 42 |
let(:params) do |
|
| 43 |
{
|
|
| 44 |
type: 'foo', |
|
| 45 |
} |
|
| 46 |
end |
|
| 47 |
|
|
| 48 |
it { is_expected.not_to compile }
|
|
| 49 |
end |
|
| 50 |
|
|
| 51 |
describe 'invalid flags' do |
|
| 52 |
let(:params) do |
|
| 53 |
{
|
|
| 54 |
type: 'ipv4_addr', |
|
| 55 |
flags: ['foo'], |
|
| 56 |
} |
|
| 57 |
end |
|
| 58 |
|
|
| 59 |
it { is_expected.not_to compile }
|
|
| 60 |
end |
|
| 61 |
|
|
| 62 |
describe 'ipv6 prepopulated' do |
|
| 63 |
let(:params) do |
|
| 64 |
{
|
|
| 65 |
type: 'ipv6_addr', |
|
| 66 |
elements: ['2001:1458::/32', '2001:1458:1::/48'], |
|
| 67 |
} |
|
| 68 |
end |
|
| 69 |
|
|
| 70 |
it { is_expected.to compile }
|
|
| 71 |
it {
|
|
| 72 |
is_expected.to contain_concat__fragment('nftables-inet-filter-set-my_set').with(
|
|
| 73 |
target: 'nftables-inet-filter', |
|
| 74 |
content: %r{^ set my_set \{\n type ipv6_addr\n elements = \{ 2001:1458::/32, 2001:1458:1::/48 \}\n \}$}m,
|
|
| 75 |
order: '10', |
|
| 76 |
) |
|
| 77 |
} |
|
| 78 |
end |
|
| 79 |
|
|
| 80 |
describe 'using flags and auto-merge' do |
|
| 81 |
let(:params) do |
|
| 82 |
{
|
|
| 83 |
type: 'ipv4_addr', |
|
| 84 |
flags: ['interval', 'timeout'], |
|
| 85 |
elements: ['192.168.0.1/24'], |
|
| 86 |
auto_merge: true, |
|
| 87 |
} |
|
| 88 |
end |
|
| 89 |
|
|
| 90 |
it { is_expected.to compile }
|
|
| 91 |
it {
|
|
| 92 |
is_expected.to contain_concat__fragment('nftables-inet-filter-set-my_set').with(
|
|
| 93 |
target: 'nftables-inet-filter', |
|
| 94 |
content: %r{^ set my_set \{\n type ipv4_addr\n flags interval, timeout\n elements = \{ 192.168.0.1/24 \}\n auto-merge\n \}$}m,
|
|
| 95 |
order: '10', |
|
| 96 |
) |
|
| 97 |
} |
|
| 98 |
end |
|
| 99 |
|
|
| 100 |
describe 'using ether_addr as type and custom policy' do |
|
| 101 |
let(:params) do |
|
| 102 |
{
|
|
| 103 |
type: 'ether_addr', |
|
| 104 |
elements: ['aa:bb:cc:dd:ee:ff'], |
|
| 105 |
policy: 'memory', |
|
| 106 |
} |
|
| 107 |
end |
|
| 108 |
|
|
| 109 |
it { is_expected.to compile }
|
|
| 110 |
it {
|
|
| 111 |
is_expected.to contain_concat__fragment('nftables-inet-filter-set-my_set').with(
|
|
| 112 |
target: 'nftables-inet-filter', |
|
| 113 |
content: %r{^ set my_set \{\n type ether_addr\n elements = \{ aa:bb:cc:dd:ee:ff \}\n policy memory\n \}$}m,
|
|
| 114 |
order: '10', |
|
| 115 |
) |
|
| 116 |
} |
|
| 117 |
end |
|
| 118 |
end |
|
| 119 |
end |
|
| 120 |
end |
|
| templates/set.epp | ||
|---|---|---|
| 1 |
<%- | String $name, |
|
| 2 |
String $type, |
|
| 3 |
Array $flags, |
|
| 4 |
Optional[Integer] $timeout, |
|
| 5 |
Optional[Integer] $gc_interval, |
|
| 6 |
Optional[Array[String]] $elements, |
|
| 7 |
Optional[Integer] $size, |
|
| 8 |
Optional[String] $policy, |
|
| 9 |
Boolean $auto_merge, |
|
| 10 |
| -%> |
|
| 11 |
set <%= $name %> {
|
|
| 12 |
type <%= $type %> |
|
| 13 |
<%- if $flags and length($flags) > 0 { -%>
|
|
| 14 |
flags <%= $flags.join(', ') %>
|
|
| 15 |
<%- } -%> |
|
| 16 |
<%- if $timeout { -%>
|
|
| 17 |
timeout <%= $timeout %> |
|
| 18 |
<%- } -%> |
|
| 19 |
<%- if $gc_interval { -%>
|
|
| 20 |
gc-interval <%= $gc_interval %> |
|
| 21 |
<%- } -%> |
|
| 22 |
<%- if $elements and length($elements) > 0 { -%>
|
|
| 23 |
elements = { <%= $elements.join(', ') %> }
|
|
| 24 |
<%- } -%> |
|
| 25 |
<%- if $size { -%>
|
|
| 26 |
size <%= $size %> |
|
| 27 |
<%- } -%> |
|
| 28 |
<%- if $policy { -%>
|
|
| 29 |
policy <%= $policy %> |
|
| 30 |
<%- } -%> |
|
| 31 |
<%- if $auto_merge { -%>
|
|
| 32 |
auto-merge |
|
| 33 |
<%- } -%> |
|
| 34 |
} |
|
Formats disponibles : Unified diff