root / manifests / init.pp @ 24a5a2a7
Historique | Voir | Annoter | Télécharger (4,89 ko)
| 1 | e17693e3 | Steve Traylen | # @summary Configure nftables |
|---|---|---|---|
| 2 | # |
||
| 3 | # @example |
||
| 4 | # class{'nftables:
|
||
| 5 | # out_ntp = false, |
||
| 6 | # out_dns = true, |
||
| 7 | b3a7a6dd | tr | # } |
| 8 | e17693e3 | Steve Traylen | # |
| 9 | b3a7a6dd | tr | # @param out_all |
| 10 | e17693e3 | Steve Traylen | # Allow all outbound connections. If `true` then all other |
| 11 | # out parameters `out_ntp`, `out_dns`, ... will be assuemed |
||
| 12 | # false. |
||
| 13 | # |
||
| 14 | # @param out_ntp |
||
| 15 | # Allow outbound to ntp servers. |
||
| 16 | # |
||
| 17 | # @param out_http |
||
| 18 | # Allow outbound to http servers. |
||
| 19 | # |
||
| 20 | # @param out_https |
||
| 21 | # Allow outbound to https servers. |
||
| 22 | # |
||
| 23 | # @param out_https |
||
| 24 | # Allow outbound to https servers. |
||
| 25 | # |
||
| 26 | 79e9a23f | Nacho Barrientos | # @param out_icmp |
| 27 | # Allow outbound ICMPv4/v6 traffic. |
||
| 28 | # |
||
| 29 | e17693e3 | Steve Traylen | # @param in_ssh |
| 30 | # Allow inbound to ssh servers. |
||
| 31 | # |
||
| 32 | 79e9a23f | Nacho Barrientos | # @param in_icmp |
| 33 | # Allow inbound ICMPv4/v6 traffic. |
||
| 34 | # |
||
| 35 | 82d10659 | Nacho Barrientos | # @param nat |
| 36 | # Add default tables and chains to process NAT traffic. |
||
| 37 | # |
||
| 38 | 802d80d1 | Nacho Barrientos | # @param sets |
| 39 | # Allows sourcing set definitions directly from Hiera. |
||
| 40 | # |
||
| 41 | ac0af4aa | Nacho Barrientos | # @param log_prefix |
| 42 | # String that will be used as prefix when logging packets. It can contain |
||
| 43 | # two variables using standard sprintf() string-formatting: |
||
| 44 | # * chain: Will be replaced by the name of the chain. |
||
| 45 | # * comment: Allows chains to add extra comments. |
||
| 46 | # |
||
| 47 | b10c6216 | Nacho Barrientos | # @param log_limit |
| 48 | # String with the content of a limit statement to be applied |
||
| 49 | # to the rules that log discarded traffic. Set to false to |
||
| 50 | # disable rate limiting. |
||
| 51 | # |
||
| 52 | 70727742 | Nacho Barrientos | # @param reject_with |
| 53 | # How to discard packets not matching any rule. If `false`, the |
||
| 54 | # fate of the packet will be defined by the chain policy (normally |
||
| 55 | # drop), otherwise the packet will be rejected with the REJECT_WITH |
||
| 56 | # policy indicated by the value of this parameter. |
||
| 57 | # |
||
| 58 | ea96d5db | Nacho Barrientos | # @param in_out_conntrack |
| 59 | # Adds INPUT and OUTPUT rules to allow traffic that's part of an |
||
| 60 | # established connection and also to drop invalid packets. |
||
| 61 | # |
||
| 62 | 24a5a2a7 | tr | # @param fwd_conntrack |
| 63 | # Adds FORWARD rules to allow traffic that's part of an |
||
| 64 | # established connection and also to drop invalid packets. |
||
| 65 | # |
||
| 66 | ae9872e2 | Nacho Barrientos | # @param firewalld_enable |
| 67 | # Configures how the firewalld systemd service unit is enabled. It might be |
||
| 68 | # useful to set this to false if you're externaly removing firewalld from |
||
| 69 | # the system completely. |
||
| 70 | # |
||
| 71 | be0b08e1 | tr | class nftables ( |
| 72 | 70727742 | Nacho Barrientos | Boolean $in_ssh = true, |
| 73 | 79e9a23f | Nacho Barrientos | Boolean $in_icmp = true, |
| 74 | 70727742 | Nacho Barrientos | Boolean $out_ntp = true, |
| 75 | Boolean $out_dns = true, |
||
| 76 | Boolean $out_http = true, |
||
| 77 | Boolean $out_https = true, |
||
| 78 | 79e9a23f | Nacho Barrientos | Boolean $out_icmp = true, |
| 79 | 70727742 | Nacho Barrientos | Boolean $out_all = false, |
| 80 | ea96d5db | Nacho Barrientos | Boolean $in_out_conntrack = true, |
| 81 | 24a5a2a7 | tr | Boolean $fwd_conntrack = false, |
| 82 | 82d10659 | Nacho Barrientos | Boolean $nat = true, |
| 83 | 70727742 | Nacho Barrientos | Hash $rules = {},
|
| 84 | 802d80d1 | Nacho Barrientos | Hash $sets = {},
|
| 85 | ac0af4aa | Nacho Barrientos | String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 86 | b10c6216 | Nacho Barrientos | Variant[Boolean[false], String] |
| 87 | $log_limit = '3/minute burst 5 packets', |
||
| 88 | 70727742 | Nacho Barrientos | Variant[Boolean[false], Pattern[ |
| 89 | /icmp(v6|x)? type .+|tcp reset/]] |
||
| 90 | $reject_with = 'icmpx type port-unreachable', |
||
| 91 | ae9872e2 | Nacho Barrientos | Variant[Boolean[false], Enum['mask']] |
| 92 | $firewalld_enable = 'mask', |
||
| 93 | be0b08e1 | tr | ) {
|
| 94 | |||
| 95 | 0ba57c66 | mh | package{'nftables':
|
| 96 | ensure => installed, |
||
| 97 | } -> file_line{
|
||
| 98 | 'enable_nftables': |
||
| 99 | line => 'include "/etc/nftables/puppet.nft"', |
||
| 100 | path => '/etc/sysconfig/nftables.conf', |
||
| 101 | notify => Service['nftables'], |
||
| 102 | } -> file{
|
||
| 103 | default: |
||
| 104 | e140adff | tr | owner => 'root', |
| 105 | group => 'root', |
||
| 106 | mode => '0640'; |
||
| 107 | 30462da1 | Steve Traylen | '/etc/nftables/puppet-preflight': |
| 108 | ensure => directory, |
||
| 109 | mode => '0750', |
||
| 110 | purge => true, |
||
| 111 | force => true, |
||
| 112 | recurse => true; |
||
| 113 | '/etc/nftables/puppet-preflight.nft': |
||
| 114 | 82d10659 | Nacho Barrientos | ensure => file, |
| 115 | content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat });
|
||
| 116 | 30462da1 | Steve Traylen | } ~> exec{
|
| 117 | 'nft validate': |
||
| 118 | refreshonly => true, |
||
| 119 | command => '/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( /usr/bin/echo "#CONFIG BROKEN" >> /etc/nftables/puppet-preflight.nft && /bin/false)'; |
||
| 120 | } -> file{
|
||
| 121 | default: |
||
| 122 | owner => 'root', |
||
| 123 | group => 'root', |
||
| 124 | mode => '0640'; |
||
| 125 | 0ba57c66 | mh | '/etc/nftables/puppet.nft': |
| 126 | 82d10659 | Nacho Barrientos | ensure => file, |
| 127 | content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat });
|
||
| 128 | 0ba57c66 | mh | '/etc/nftables/puppet': |
| 129 | ensure => directory, |
||
| 130 | 5acb554a | tr | mode => '0750', |
| 131 | 0ba57c66 | mh | purge => true, |
| 132 | force => true, |
||
| 133 | recurse => true; |
||
| 134 | } ~> service{'nftables':
|
||
| 135 | 30462da1 | Steve Traylen | ensure => running, |
| 136 | enable => true, |
||
| 137 | hasrestart => true, |
||
| 138 | restart => '/usr/bin/systemctl reload nftables', |
||
| 139 | } |
||
| 140 | |||
| 141 | systemd::dropin_file{'puppet_nft.conf':
|
||
| 142 | ensure => present, |
||
| 143 | unit => 'nftables.service', |
||
| 144 | source => 'puppet:///modules/nftables/systemd/puppet_nft.conf', |
||
| 145 | notify => Service['nftables'], |
||
| 146 | 0ba57c66 | mh | } |
| 147 | |||
| 148 | f02562f2 | tr | service{'firewalld':
|
| 149 | ensure => stopped, |
||
| 150 | ae9872e2 | Nacho Barrientos | enable => $firewalld_enable, |
| 151 | f02562f2 | tr | } |
| 152 | |||
| 153 | c8092701 | tr | include nftables::inet_filter |
| 154 | 82d10659 | Nacho Barrientos | if $nat {
|
| 155 | include nftables::ip_nat |
||
| 156 | } |
||
| 157 | b3a7a6dd | tr | |
| 158 | # inject custom rules e.g. from hiera |
||
| 159 | 66ed7f61 | mh | $rules.each |$n,$v| {
|
| 160 | nftables::rule{
|
||
| 161 | $n: |
||
| 162 | * => $v |
||
| 163 | } |
||
| 164 | } |
||
| 165 | 802d80d1 | Nacho Barrientos | |
| 166 | # inject custom sets e.g. from hiera |
||
| 167 | $sets.each |$n,$v| {
|
||
| 168 | nftables::set{
|
||
| 169 | $n: |
||
| 170 | * => $v |
||
| 171 | } |
||
| 172 | } |
||
| 173 | 0ba57c66 | mh | } |