Révision 248ef9d5
Add basic ip6 nat chains
| files/config/puppet-ip6-nat.nft | ||
|---|---|---|
| 1 |
table ip6 nat {
|
|
| 2 |
include "/etc/nftables/puppet/ip6-nat-chain-*.nft" |
|
| 3 |
} |
|
| manifests/ip_nat.pp | ||
|---|---|---|
| 4 | 4 |
nftables::config{
|
| 5 | 5 |
'ip-nat': |
| 6 | 6 |
source => 'puppet:///modules/nftables/config/puppet-ip-nat.nft'; |
| 7 |
'ip6-nat': |
|
| 8 |
source => 'puppet:///modules/nftables/config/puppet-ip6-nat.nft'; |
|
| 7 | 9 |
} |
| 8 | 10 |
|
| 9 | 11 |
nftables::chain{
|
| ... | ... | |
| 14 | 16 |
table => 'ip-nat'; |
| 15 | 17 |
} |
| 16 | 18 |
|
| 19 |
nftables::chain{
|
|
| 20 |
[ |
|
| 21 |
'PREROUTING6', |
|
| 22 |
'POSTROUTING6', |
|
| 23 |
]: |
|
| 24 |
table => 'ip6-nat'; |
|
| 25 |
} |
|
| 26 |
|
|
| 17 | 27 |
# ip-nat-chain-PREROUTING |
| 18 | 28 |
nftables::rule{
|
| 19 |
default: |
|
| 20 |
table => 'ip-nat'; |
|
| 21 | 29 |
'PREROUTING-type': |
| 30 |
table => 'ip-nat', |
|
| 22 | 31 |
order => '01', |
| 23 | 32 |
content => 'type nat hook prerouting priority -100'; |
| 24 | 33 |
'PREROUTING-policy': |
| 34 |
table => 'ip-nat', |
|
| 35 |
order => '02', |
|
| 36 |
content => 'policy accept'; |
|
| 37 |
'PREROUTING6-type': |
|
| 38 |
table => 'ip6-nat', |
|
| 39 |
order => '01', |
|
| 40 |
content => 'type nat hook prerouting priority -100'; |
|
| 41 |
'PREROUTING6-policy': |
|
| 42 |
table => 'ip6-nat', |
|
| 25 | 43 |
order => '02', |
| 26 | 44 |
content => 'policy accept'; |
| 27 | 45 |
} |
| 28 | 46 |
|
| 29 | 47 |
# ip-nat-chain-POSTROUTING |
| 30 | 48 |
nftables::rule{
|
| 31 |
default: |
|
| 32 |
table => 'ip-nat'; |
|
| 33 | 49 |
'POSTROUTING-type': |
| 50 |
table => 'ip-nat', |
|
| 34 | 51 |
order => '01', |
| 35 | 52 |
content => 'type nat hook postrouting priority 100'; |
| 36 | 53 |
'POSTROUTING-policy': |
| 54 |
table => 'ip-nat', |
|
| 55 |
order => '02', |
|
| 56 |
content => 'policy accept'; |
|
| 57 |
'POSTROUTING6-type': |
|
| 58 |
table => 'ip6-nat', |
|
| 59 |
order => '01', |
|
| 60 |
content => 'type nat hook postrouting priority 100'; |
|
| 61 |
'POSTROUTING6-policy': |
|
| 62 |
table => 'ip6-nat', |
|
| 37 | 63 |
order => '02', |
| 38 | 64 |
content => 'policy accept'; |
| 39 | 65 |
} |
| spec/classes/ip_nat_spec.rb | ||
|---|---|---|
| 18 | 18 |
) |
| 19 | 19 |
} |
| 20 | 20 |
|
| 21 |
context 'chain prerouting' do |
|
| 21 |
it {
|
|
| 22 |
is_expected.to contain_file('/etc/nftables/puppet/ip6-nat.nft').with(
|
|
| 23 |
ensure: 'file', |
|
| 24 |
owner: 'root', |
|
| 25 |
group: 'root', |
|
| 26 |
mode: '0640', |
|
| 27 |
) |
|
| 28 |
} |
|
| 29 |
|
|
| 30 |
context 'table ip nat chain prerouting' do |
|
| 22 | 31 |
it {
|
| 23 | 32 |
is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
|
| 24 | 33 |
path: '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft', |
| ... | ... | |
| 58 | 67 |
} |
| 59 | 68 |
end |
| 60 | 69 |
|
| 61 |
context 'chain output' do
|
|
| 70 |
context 'table ip nat chain postrouting' do
|
|
| 62 | 71 |
it {
|
| 63 | 72 |
is_expected.to contain_concat('nftables-ip-nat-chain-POSTROUTING').with(
|
| 64 | 73 |
path: '/etc/nftables/puppet/ip-nat-chain-POSTROUTING.nft', |
| ... | ... | |
| 97 | 106 |
) |
| 98 | 107 |
} |
| 99 | 108 |
end |
| 109 |
|
|
| 110 |
context 'table ip6 nat chain prerouting' do |
|
| 111 |
it {
|
|
| 112 |
is_expected.to contain_concat('nftables-ip6-nat-chain-PREROUTING6').with(
|
|
| 113 |
path: '/etc/nftables/puppet/ip6-nat-chain-PREROUTING6.nft', |
|
| 114 |
owner: 'root', |
|
| 115 |
group: 'root', |
|
| 116 |
mode: '0640', |
|
| 117 |
ensure_newline: true, |
|
| 118 |
) |
|
| 119 |
} |
|
| 120 |
it {
|
|
| 121 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-header').with(
|
|
| 122 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
|
| 123 |
content: %r{^chain PREROUTING6 \{$},
|
|
| 124 |
order: '00', |
|
| 125 |
) |
|
| 126 |
} |
|
| 127 |
it {
|
|
| 128 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-type').with(
|
|
| 129 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
|
| 130 |
content: %r{^ type nat hook prerouting priority -100$},
|
|
| 131 |
order: '01', |
|
| 132 |
) |
|
| 133 |
} |
|
| 134 |
it {
|
|
| 135 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-rule-policy').with(
|
|
| 136 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
|
| 137 |
content: %r{^ policy accept$},
|
|
| 138 |
order: '02', |
|
| 139 |
) |
|
| 140 |
} |
|
| 141 |
it {
|
|
| 142 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-PREROUTING6-footer').with(
|
|
| 143 |
target: 'nftables-ip6-nat-chain-PREROUTING6', |
|
| 144 |
content: %r{^\}$},
|
|
| 145 |
order: '99', |
|
| 146 |
) |
|
| 147 |
} |
|
| 148 |
end |
|
| 149 |
|
|
| 150 |
context 'table ip nat chain postrouting' do |
|
| 151 |
it {
|
|
| 152 |
is_expected.to contain_concat('nftables-ip6-nat-chain-POSTROUTING6').with(
|
|
| 153 |
path: '/etc/nftables/puppet/ip6-nat-chain-POSTROUTING6.nft', |
|
| 154 |
owner: 'root', |
|
| 155 |
group: 'root', |
|
| 156 |
mode: '0640', |
|
| 157 |
ensure_newline: true, |
|
| 158 |
) |
|
| 159 |
} |
|
| 160 |
it {
|
|
| 161 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-header').with(
|
|
| 162 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
|
| 163 |
content: %r{^chain POSTROUTING6 \{$},
|
|
| 164 |
order: '00', |
|
| 165 |
) |
|
| 166 |
} |
|
| 167 |
it {
|
|
| 168 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-type').with(
|
|
| 169 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
|
| 170 |
content: %r{^ type nat hook postrouting priority 100$},
|
|
| 171 |
order: '01', |
|
| 172 |
) |
|
| 173 |
} |
|
| 174 |
it {
|
|
| 175 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-rule-policy').with(
|
|
| 176 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
|
| 177 |
content: %r{^ policy accept$},
|
|
| 178 |
order: '02', |
|
| 179 |
) |
|
| 180 |
} |
|
| 181 |
it {
|
|
| 182 |
is_expected.to contain_concat__fragment('nftables-ip6-nat-chain-POSTROUTING6-footer').with(
|
|
| 183 |
target: 'nftables-ip6-nat-chain-POSTROUTING6', |
|
| 184 |
content: %r{^\}$},
|
|
| 185 |
order: '99', |
|
| 186 |
) |
|
| 187 |
} |
|
| 188 |
end |
|
| 100 | 189 |
end |
| 101 | 190 |
end |
| 102 | 191 |
end |
Formats disponibles : Unified diff