Révision 215aee13
Add kerberos out and openafs_client out
| manifests/rules/out/kerberos.pp | ||
|---|---|---|
| 1 |
# @summary allows outbound access for kerberos |
|
| 2 |
class nftables::rules::out::kerberos {
|
|
| 3 |
|
|
| 4 |
nftables::rule{
|
|
| 5 |
'default_out-kerberos_udp': |
|
| 6 |
content => 'udp dport 88 accept'; |
|
| 7 |
'default_out-kerberos_tcp': |
|
| 8 |
content => 'tcp dport 88 accept'; |
|
| 9 |
} |
|
| 10 |
|
|
| 11 |
} |
|
| manifests/rules/out/openafs_client.pp | ||
|---|---|---|
| 1 |
# @summary allows outbound access for afs clients |
|
| 2 |
# 7000 - afs3-fileserver |
|
| 3 |
# 7002 - afs3-ptserver |
|
| 4 |
# 7003 - vlserver |
|
| 5 |
# |
|
| 6 |
# @see https://wiki.openafs.org/devel/AFSServicePorts/ AFS Service Ports |
|
| 7 |
# |
|
| 8 |
class nftables::rules::out::openafs_client( |
|
| 9 |
Array[Integer,1] $ports = [7000, 7002, 7003], |
|
| 10 |
){
|
|
| 11 |
|
|
| 12 |
include nftables::rules::out::kerberos |
|
| 13 |
|
|
| 14 |
nftables::rule{'default_out-openafs_client':
|
|
| 15 |
content => "udp dport {${$ports.join(', ')}} accept";
|
|
| 16 |
} |
|
| 17 |
|
|
| 18 |
} |
|
| manifests/services/openafs_client.pp | ||
|---|---|---|
| 1 |
class nftables::services::openafs_client inherits nftables {
|
|
| 2 |
if $nftables::out_all {
|
|
| 3 |
fail('All outgoing traffic is allowed, you might want to use only nftables::rules::afs3_callback')
|
|
| 4 |
} |
|
| 5 |
|
|
| 6 |
include nftables::rules::afs3_callback |
|
| 7 |
include nftables::rules::out::openafs_client |
|
| 8 |
} |
|
| spec/classes/rules/out/kerberos_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::out::kerberos' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_out-kerberos_udp').with_content('udp dport 88 accept') }
|
|
| 11 |
it { is_expected.to contain_nftables__rule('default_out-kerberos_tcp').with_content('tcp dport 88 accept') }
|
|
| 12 |
end |
|
| 13 |
end |
|
| 14 |
end |
|
| 15 |
end |
|
| spec/classes/rules/out/openafs_client_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::out::openafs_client' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_out-openafs_client').with_content('udp dport {7000, 7002, 7003} accept') }
|
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'with ports set' do |
|
| 14 |
let(:params) do |
|
| 15 |
{
|
|
| 16 |
ports: [7000, 7002], |
|
| 17 |
} |
|
| 18 |
end |
|
| 19 |
|
|
| 20 |
it { is_expected.to compile }
|
|
| 21 |
it { is_expected.to contain_nftables__rule('default_out-openafs_client').with_content('udp dport {7000, 7002} accept') }
|
|
| 22 |
end |
|
| 23 |
end |
|
| 24 |
end |
|
| 25 |
end |
|
| spec/classes/services/openafs_client_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::services::openafs_client' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'normal behaviour' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_class('nftables::rules::afs3_callback') }
|
|
| 11 |
it { is_expected.to contain_class('nftables::rules::out::openafs_client') }
|
|
| 12 |
end |
|
| 13 |
|
|
| 14 |
context 'out_all enabled' do |
|
| 15 |
let(:pre_condition) { 'class{\'nftables\': out_all => true}' }
|
|
| 16 |
|
|
| 17 |
it { is_expected.not_to compile }
|
|
| 18 |
end |
|
| 19 |
end |
|
| 20 |
end |
|
| 21 |
end |
|
Formats disponibles : Unified diff