Révision 25b3f3f4
simplerule: Add support for incoming interface filtering
| REFERENCE.md | ||
|---|---|---|
| 2264 | 2264 |
* [`sport`](#-nftables--simplerule--sport) |
| 2265 | 2265 |
* [`saddr`](#-nftables--simplerule--saddr) |
| 2266 | 2266 |
* [`counter`](#-nftables--simplerule--counter) |
| 2267 |
* [`iifname`](#-nftables--simplerule--iifname) |
|
| 2267 | 2268 |
|
| 2268 | 2269 |
##### <a name="-nftables--simplerule--ensure"></a>`ensure` |
| 2269 | 2270 |
|
| ... | ... | |
| 2378 | 2379 |
|
| 2379 | 2380 |
Default value: `false` |
| 2380 | 2381 |
|
| 2382 |
##### <a name="-nftables--simplerule--iifname"></a>`iifname` |
|
| 2383 |
|
|
| 2384 |
Data type: `Optional[String[1]]` |
|
| 2385 |
|
|
| 2386 |
Optional filter for the incoming interface |
|
| 2387 |
|
|
| 2388 |
Default value: `undef` |
|
| 2389 |
|
|
| 2381 | 2390 |
## Data types |
| 2382 | 2391 |
|
| 2383 | 2392 |
### <a name="Nftables--Addr"></a>`Nftables::Addr` |
| manifests/simplerule.pp | ||
|---|---|---|
| 52 | 52 |
# |
| 53 | 53 |
# @param counter |
| 54 | 54 |
# Enable traffic counters for the matched traffic. |
| 55 |
# |
|
| 56 |
# @param iifname |
|
| 57 |
# Optional filter for the incoming interface |
|
| 55 | 58 |
define nftables::simplerule ( |
| 56 | 59 |
Enum['present','absent'] $ensure = 'present', |
| 57 | 60 |
Nftables::SimpleRuleName $rulename = $title, |
| ... | ... | |
| 67 | 70 |
Optional[Nftables::Port] $sport = undef, |
| 68 | 71 |
Optional[Nftables::Addr] $saddr = undef, |
| 69 | 72 |
Boolean $counter = false, |
| 73 |
Optional[String[1]] $iifname = undef, |
|
| 70 | 74 |
) {
|
| 71 | 75 |
if $dport and !$proto {
|
| 72 | 76 |
fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
|
| ... | ... | |
| 89 | 93 |
'saddr' => $saddr, |
| 90 | 94 |
'set_type' => $set_type, |
| 91 | 95 |
'sport' => $sport, |
| 96 |
'iifname' => $iifname, |
|
| 92 | 97 |
} |
| 93 | 98 |
), |
| 94 | 99 |
order => $order, |
| spec/acceptance/simple_rule_iifname_spec.rb | ||
|---|---|---|
| 1 |
# frozen_string_literal: true |
|
| 2 |
|
|
| 3 |
require 'spec_helper_acceptance' |
|
| 4 |
|
|
| 5 |
describe 'nftables class' do |
|
| 6 |
context 'configure a simple rule with input interface' do |
|
| 7 |
it_behaves_like 'an idempotent resource' do |
|
| 8 |
let(:manifest) do |
|
| 9 |
<<-EOS |
|
| 10 |
# default mask of firewalld service fails if service is not installed. |
|
| 11 |
# https://tickets.puppetlabs.com/browse/PUP-10814 |
|
| 12 |
# Disable all default rules and include below explicitly |
|
| 13 |
class { 'nftables':
|
|
| 14 |
firewalld_enable => false, |
|
| 15 |
out_ntp => false, |
|
| 16 |
out_http => false, |
|
| 17 |
out_https => false, |
|
| 18 |
out_icmp => false, |
|
| 19 |
in_ssh => false, |
|
| 20 |
in_icmp => false, |
|
| 21 |
} |
|
| 22 |
nftables::simplerule { 'dummyrule_in':
|
|
| 23 |
action => 'accept', |
|
| 24 |
iifname => $facts['networking']['primary'], |
|
| 25 |
comment => 'allow some multicast stuff', |
|
| 26 |
daddr => 'ff02::fb', |
|
| 27 |
} |
|
| 28 |
include nftables::rules::ssh |
|
| 29 |
include nftables::rules::out::dns |
|
| 30 |
include nftables::rules::out::ssh |
|
| 31 |
$config_path = $facts['os']['family'] ? {
|
|
| 32 |
'Archlinux' => '/etc/nftables.conf', |
|
| 33 |
'Debian' => '/etc/nftables.conf', |
|
| 34 |
default => '/etc/sysconfig/nftables.conf', |
|
| 35 |
} |
|
| 36 |
$nft_path = $facts['os']['family'] ? {
|
|
| 37 |
'Archlinux' => '/usr/bin/nft', |
|
| 38 |
default => '/usr/sbin/nft', |
|
| 39 |
} |
|
| 40 |
# nftables cannot be started in docker so replace service with a validation only. |
|
| 41 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
|
| 42 |
ensure => present, |
|
| 43 |
unit => "nftables.service", |
|
| 44 |
content => [ |
|
| 45 |
"[Service]", |
|
| 46 |
"ExecStart=", |
|
| 47 |
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
|
| 48 |
"ExecReload=", |
|
| 49 |
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
|
| 50 |
"", |
|
| 51 |
].join("\n"),
|
|
| 52 |
notify => Service["nftables"], |
|
| 53 |
} |
|
| 54 |
EOS |
|
| 55 |
end |
|
| 56 |
end |
|
| 57 |
end |
|
| 58 |
end |
|
| templates/simplerule.epp | ||
|---|---|---|
| 7 | 7 |
Optional[Nftables::Addr] $saddr, |
| 8 | 8 |
String $set_type, |
| 9 | 9 |
Optional[Nftables::Port] $sport, |
| 10 |
Optional[String[1]] $iifname, |
|
| 10 | 11 |
| -%> |
| 11 | 12 |
<%- if $proto {
|
| 12 | 13 |
$_proto = $proto ? {
|
| ... | ... | |
| 69 | 70 |
} else {
|
| 70 | 71 |
$_counter = undef |
| 71 | 72 |
} -%> |
| 72 |
<%= regsubst(strip([$_ip_version_filter, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>
|
|
| 73 |
<%- if $iifname {
|
|
| 74 |
$_iifname = "iifname \"${iifname}\""
|
|
| 75 |
} else {
|
|
| 76 |
$_iifname = undef |
|
| 77 |
} -%> |
|
| 78 |
<%= regsubst(strip([$_ip_version_filter, $_iifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>
|
|
Formats disponibles : Unified diff