root / templates / config / puppet.nft.epp @ 2ad7193b
Historique | Voir | Annoter | Télécharger (1,08 ko)
| 1 | 03d9e7da | Steve Traylen | <%- | |
|---|---|---|---|
| 2 | 7b9d6ffc | Nacho Barrientos | Boolean $inet_filter, |
| 3 | 03d9e7da | Steve Traylen | Boolean $nat, |
| 4 | Optional[Array[String[1],1]] $noflush = undef, |
||
| 5 | |-%> |
||
| 6 | <%- |
||
| 7 | if $noflush and $facts['nftables'] and $facts['nftables']['tables'] {
|
||
| 8 | $_flush_command = $facts['nftables']['tables'].filter |$_tab| { ! ($_tab in $noflush) }.map |$_table| {
|
||
| 9 | 92e0fcb6 | duritong | [ "table ${regsubst($_table,'-',' ')} {}", "flush table ${regsubst($_table,'-',' ')}" ]
|
| 10 | }.flatten |
||
| 11 | 03d9e7da | Steve Traylen | } else {
|
| 12 | $_flush_command = ['flush ruleset'] |
||
| 13 | } |
||
| 14 | -%> |
||
| 15 | 30462da1 | Steve Traylen | # puppet-preflight.nft is only used by puppet for validating new configs |
| 16 | # puppet.nft is real configuration that the nftables services uses. |
||
| 17 | # To process either the -I flag must be specified. |
||
| 18 | # nft -c -I /etc/nftables/puppet -f /etc/nftables/puppet.nft |
||
| 19 | # nft -c -I /etc/nftables/puppet-preflight -f /etc/nftables/puppet-preflight.nft |
||
| 20 | |||
| 21 | 92e0fcb6 | duritong | # drop any existing nftables ruleset, ensure tables are initialized |
| 22 | <%= $_flush_command.join("\n") %>
|
||
| 23 | 0ba57c66 | mh | |
| 24 | 331b8d85 | Steve Traylen | include "file-*.nft" |
| 25 | 30462da1 | Steve Traylen | include "custom-*.nft" |
| 26 | 7b9d6ffc | Nacho Barrientos | <% if $inet_filter { -%>
|
| 27 | 30462da1 | Steve Traylen | include "inet-filter.nft" |
| 28 | 7b9d6ffc | Nacho Barrientos | <% } -%> |
| 29 | 82d10659 | Nacho Barrientos | <% if $nat { -%>
|
| 30 | fcb79d73 | Ben Morrice | include "ip-<%= $nftables::nat_table_name %>.nft" |
| 31 | include "ip6-<%= $nftables::nat_table_name %>.nft" |
||
| 32 | 82d10659 | Nacho Barrientos | <% } -%> |