
Révision 31b17627

ID31b1762780ddf211709dab2e3abbeba499ab9f30
Parent 59c1ddf4
Enfant 5b4c71bc

Ajouté par Steve Traylen il y a plus de 4 ans

Use single line for each parameter definition


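--- a/manifests/bridges.pp
+++ b/manifests/bridges.pp
@@ -1,9 +1,7 @@
 # allow forwarding traffic on bridges
 class nftables::bridges (
-  Enum['present','absent']
-  $ensure = 'present',
-  Regexp
-  $bridgenames = /^br.+/
+  Enum['present','absent'] $ensure = 'present',
+  Regexp $bridgenames = /^br.+/
 ) {
   if $ensure == 'present' {
     $interfaces = keys($facts['networking']['interfaces'])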
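--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -1,15 +1,10 @@
 # manage a chain
 define nftables::chain (
-  Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]
-  $table = 'inet-filter',
-  Pattern[/^[a-zA-Z0-9_]+$/]
-  $chain = $title,
-  Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]
-  $inject = undef,
-  Optional[String]
-  $inject_iif = undef,
-  Optional[String]
-  $inject_oif = undef,
+  Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/] $table = 'inet-filter',
+  Pattern[/^[a-zA-Z0-9_]+$/] $chain = $title,
+  Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]] $inject = undef,
+  Optional[String] $inject_iif = undef,
+  Optional[String] $inject_oif = undef,
 ) {
   $concat_name = "nftables-${table}-chain-${chain}"
 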
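--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,9 +1,7 @@
 # manage a config snippet
 define nftables::config (
-  Optional[String]
-  $content = undef,
-  Optional[Variant[String,Array[String,1]]]
-  $source = undef,
+  Optional[String] $content = undef,
+  Optional[Variant[String,Array[String,1]]] $source = undef,
 ) {
   $concat_name = "nftables-${name}"
 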
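--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -80,29 +80,24 @@
 #   If left unset all tables will be flushed via a `flush ruleset`
 #
 class nftables (
-  Boolean $in_ssh                = true,
-  Boolean $in_icmp               = true,
-  Boolean $out_ntp               = true,
-  Boolean $out_dns               = true,
-  Boolean $out_http              = true,
-  Boolean $out_https             = true,
-  Boolean $out_icmp              = true,
-  Boolean $out_all               = false,
-  Boolean $in_out_conntrack      = true,
-  Boolean $fwd_conntrack         = false,
-  Boolean $nat                   = true,
-  Hash $rules                    = {},
-  Hash $sets                     = {},
-  String $log_prefix             = '[nftables] %<chain>s %<comment>s',
-  Variant[Boolean[false], String]
-  $log_limit                   = '3/minute burst 5 packets',
-  Variant[Boolean[false], Pattern[
-  /icmp(v6|x)? type .+|tcp reset/]]
-  $reject_with                 = 'icmpx type port-unreachable',
-  Variant[Boolean[false], Enum['mask']]
-  $firewalld_enable            = 'mask',
-  Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]]
-  $noflush_tables = undef,
+  Boolean $in_ssh = true,
+  Boolean $in_icmp = true,
+  Boolean $out_ntp = true,
+  Boolean $out_dns = true,
+  Boolean $out_http = true,
+  Boolean $out_https = true,
+  Boolean $out_icmp = true,
+  Boolean $out_all = false,
+  Boolean $in_out_conntrack = true,
+  Boolean $fwd_conntrack = false,
+  Boolean $nat = true,
+  Hash $rules = {},
+  Hash $sets = {},
+  String $log_prefix = '[nftables] %<chain>s %<comment>s',
+  Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets',
+  Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable',
+  Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask',
+  Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] $noflush_tables = undef,
 ) {
   package { 'nftables':
     ensure => installed,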
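Review bot: The `$reject_with` pattern on new line 98, `Pattern[/icmp(v6|x)? type .+|tcp reset/]`, is unanchored, so any string that merely contains `tcp reset` or `icmp type ` plus one more character passes type checking, while `$noflush_tables` on the following line anchors its pattern with `^…$`. Presumably this value is interpolated into the rendered ruleset, so unvalidated leading or trailing text would reach nft unchecked; anchoring the alternation closes that gap: `Variant[Boolean[false], Pattern[/^(icmp(v6|x)? type [a-z0-9-]+|tcp reset)$/]] $reject_with = 'icmpx type port-unreachable',`. The tightened character class should be checked against values already in use before landing it. The `nftables` class starts before and continues after this hunk.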
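--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -2,18 +2,12 @@
 # Name should be:
 #   CHAIN_NAME-rulename
 define nftables::rule (
-  Enum['present','absent']
-  $ensure = 'present',
-  Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]
-  $rulename = $title,
-  Pattern[/^\d\d$/]
-  $order = '50',
-  Optional[String]
-  $table = 'inet-filter',
-  Optional[String]
-  $content = undef,
-  Optional[Variant[String,Array[String,1]]]
-  $source = undef,
+  Enum['present','absent'] $ensure = 'present',
+  Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/] $rulename = $title,
+  Pattern[/^\d\d$/] $order = '50',
+  Optional[String] $table = 'inet-filter',
+  Optional[String] $content = undef,
+  Optional[Variant[String,Array[String,1]]] $source = undef,
 ) {
   if $ensure == 'present' {
     $data = split($rulename, '-')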
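Review bot: `Optional[String] $table = 'inet-filter',` on new line 8 accepts any string as the table name, whereas `nftables::chain` in this same commit constrains the identical parameter with `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`; a rule whose table does not fit that shape would presumably only fail when nft loads the rendered file. Reusing the chain's pattern keeps validation consistent and rejects malformed names at catalog compile time: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/] $table = 'inet-filter',`. `Optional` combined with a non-undef default is also unusual; if `undef` is never meant to be passed, the wrapper can be dropped. The define body continues past the hunk.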
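--- a/manifests/rules/dnat4.pp
+++ b/manifests/rules/dnat4.pp
@@ -1,23 +1,14 @@
 # manage a ipv4 dnat rule
 define nftables::rules::dnat4 (
-  Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]
-  $daddr,
-  Variant[String,Integer[1,65535]]
-  $port,
-  Pattern[/^[a-zA-Z0-9_]+$/]
-  $rulename = $title,
-  Pattern[/^\d\d$/]
-  $order = '50',
-  String[1]
-  $chain = 'default_fwd',
-  Optional[String[1]]
-  $iif = undef,
-  Enum['tcp','udp']
-  $proto = 'tcp',
-  Optional[Variant[String,Integer[1,65535]]]
-  $dport = '',
-  Enum['present','absent']
-  $ensure = 'present',
+  Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/] $daddr,
+  Variant[String,Integer[1,65535]] $port,
+  Pattern[/^[a-zA-Z0-9_]+$/] $rulename = $title,
+  Pattern[/^\d\d$/] $order = '50',
+  String[1] $chain = 'default_fwd',
+  Optional[String[1]] $iif = undef,
+  Enum['tcp','udp'] $proto = 'tcp',
+  Optional[Variant[String,Integer[1,65535]]] $dport = '',
+  Enum['present','absent'] $ensure = 'present',
 ) {
   $iifname = $iif ? {
     undef   => '',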
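Review bot: The `$daddr` pattern on new line 3, `/^[12]?\d{1,2}\.…$/`, accepts octets up to 299 (for example `299.1.1.1`), so it does not actually validate an IPv4 address even though that is its only purpose; the weakness predates this commit but the line is being rewritten anyway. The module already depends on stdlib (`any2array` is used elsewhere in this diff), so `Stdlib::IP::Address::V4::Nosubnet $daddr,` would give a real range check without a new dependency. Separately, `$dport = ''` defaults an `Optional[...]` parameter to an empty string rather than `undef`, unlike `$iif` directly above; presumably the body relies on `''` being falsey, which should be confirmed before aligning it. The define body continues past the hunk.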
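--- a/manifests/rules/dns.pp
+++ b/manifests/rules/dns.pp
@@ -1,7 +1,6 @@
 # manage in dns
 class nftables::rules::dns (
-  Array[Integer,1]
-  $ports = [53],
+  Array[Integer,1] $ports = [53],
 ) {
   nftables::rule {
     'default_in-dns_tcp':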
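--- a/manifests/rules/icinga2.pp
+++ b/manifests/rules/icinga2.pp
@@ -1,7 +1,6 @@
 # manage in icinga2
 class nftables::rules::icinga2 (
-  Array[Integer,1]
-  $ports = [5665],
+  Array[Integer,1] $ports = [5665],
 ) {
   nftables::rule {
     'default_in-icinga2':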
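--- a/manifests/rules/masquerade.pp
+++ b/manifests/rules/masquerade.pp
@@ -1,23 +1,14 @@
 # masquerade all outgoing traffic
 define nftables::rules::masquerade (
-  Pattern[/^[a-zA-Z0-9_]+$/]
-  $rulename = $title,
-  Pattern[/^\d\d$/]
-  $order = '70',
-  String[1]
-  $chain = 'POSTROUTING',
-  Optional[String[1]]
-  $oif = undef,
-  Optional[String[1]]
-  $saddr = undef,
-  Optional[String[1]]
-  $daddr = undef,
-  Optional[Enum['tcp','udp']]
-  $proto = undef,
-  Optional[Variant[String,Integer[1,65535]]]
-  $dport = undef,
-  Enum['present','absent']
-  $ensure = 'present',
+  Pattern[/^[a-zA-Z0-9_]+$/] $rulename = $title,
+  Pattern[/^\d\d$/] $order = '70',
+  String[1] $chain = 'POSTROUTING',
+  Optional[String[1]] $oif = undef,
+  Optional[String[1]] $saddr = undef,
+  Optional[String[1]] $daddr = undef,
+  Optional[Enum['tcp','udp']] $proto = undef,
+  Optional[Variant[String,Integer[1,65535]]] $dport = undef,
+  Enum['present','absent'] $ensure = 'present',
 ) {
   $oifname = $oif ? {
     undef   => '',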
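--- a/manifests/rules/node_exporter.pp
+++ b/manifests/rules/node_exporter.pp
@@ -1,9 +1,7 @@
 # manage in node exporter
 class nftables::rules::node_exporter (
-  Optional[Variant[String,Array[String,1]]]
-  $prometheus_server = undef,
-  Integer
-  $port = 9100,
+  Optional[Variant[String,Array[String,1]]] $prometheus_server = undef,
+  Integer $port = 9100,
 ) {
   if $prometheus_server {
     any2array($prometheus_server).each |$index,$prom| {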
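--- a/manifests/rules/out/dns.pp
+++ b/manifests/rules/out/dns.pp
@@ -1,7 +1,6 @@
 # manage out dns
 class nftables::rules::out::dns (
-  Optional[Variant[String,Array[String,1]]]
-  $dns_server = undef,
+  Optional[Variant[String,Array[String,1]]] $dns_server = undef,
 ) {
   if $dns_server {
     any2array($dns_server).each |$index,$dns| {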
manifests/rules/out/icmp.pp
1 1
class nftables::rules::out::icmp (
2 2
  Optional[Array[String]] $v4_types = undef,
3 3
  Optional[Array[String]] $v6_types = undef,
4
  String $order                     = '10',
4
  String $order = '10',
5 5
) {
6 6
  if $v4_types {
7 7
    $v4_types.each | String $icmp_type | {
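--- a/manifests/rules/out/puppet.pp
+++ b/manifests/rules/out/puppet.pp
@@ -1,9 +1,7 @@
 # manage outgoing puppet
 class nftables::rules::out::puppet (
-  Variant[String,Array[String,1]]
-  $puppetmaster,
-  Integer
-  $puppetserver_port = 8140,
+  Variant[String,Array[String,1]] $puppetmaster,
+  Integer $puppetserver_port = 8140,
 ) {
   any2array($puppetmaster).each |$index,$pm| {
     nftables::rule {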
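--- a/manifests/rules/out/wireguard.pp
+++ b/manifests/rules/out/wireguard.pp
@@ -1,7 +1,6 @@
 # manage out wireguard
 class nftables::rules::out::wireguard (
-  Array[Integer,1]
-  $ports = [51820],
+  Array[Integer,1] $ports = [51820],
 ) {
   nftables::rule {
     'default_out-wireguard':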
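--- a/manifests/rules/puppet.pp
+++ b/manifests/rules/puppet.pp
@@ -1,7 +1,6 @@
 # manage in puppet
 class nftables::rules::puppet (
-  Array[Integer,1]
-  $ports = [8140],
+  Array[Integer,1] $ports = [8140],
 ) {
   nftables::rule {
     'default_in-puppet':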
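--- a/manifests/rules/snat4.pp
+++ b/manifests/rules/snat4.pp
@@ -1,23 +1,14 @@
 # manage a ipv4 snat rule
 define nftables::rules::snat4 (
-  String[1]
-  $snat,
-  Pattern[/^[a-zA-Z0-9_]+$/]
-  $rulename = $title,
-  Pattern[/^\d\d$/]
-  $order = '70',
-  String[1]
-  $chain = 'POSTROUTING',
-  Optional[String[1]]
-  $oif = undef,
-  Optional[String[1]]
-  $saddr = undef,
-  Optional[Enum['tcp','udp']]
-  $proto = undef,
-  Optional[Variant[String,Integer[1,65535]]]
-  $dport = undef,
-  Enum['present','absent']
-  $ensure = 'present',
+  String[1] $snat,
+  Pattern[/^[a-zA-Z0-9_]+$/] $rulename = $title,
+  Pattern[/^\d\d$/] $order = '70',
+  String[1] $chain = 'POSTROUTING',
+  Optional[String[1]] $oif = undef,
+  Optional[String[1]] $saddr = undef,
+  Optional[Enum['tcp','udp']] $proto = undef,
+  Optional[Variant[String,Integer[1,65535]]] $dport = undef,
+  Enum['present','absent'] $ensure = 'present',
 ) {
   $oifname = $oif ? {
     undef   => '',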
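--- a/manifests/rules/ssh.pp
+++ b/manifests/rules/ssh.pp
@@ -1,7 +1,6 @@
 # manage in ssh
 class nftables::rules::ssh (
-  Array[Integer,1]
-  $ports = [22],
+  Array[Integer,1] $ports = [22],
 ) {
   nftables::rule {
     'default_in-ssh':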
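--- a/manifests/rules/tor.pp
+++ b/manifests/rules/tor.pp
@@ -1,7 +1,6 @@
 # manage in tor
 class nftables::rules::tor (
-  Array[Integer,1]
-  $ports = [9001],
+  Array[Integer,1] $ports = [9001],
 ) {
   nftables::rule {
     'default_in-tor':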
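--- a/manifests/rules/wireguard.pp
+++ b/manifests/rules/wireguard.pp
@@ -1,7 +1,6 @@
 # manage in wireguard
 class nftables::rules::wireguard (
-  Array[Integer,1]
-  $ports = [51820],
+  Array[Integer,1] $ports = [51820],
 ) {
   nftables::rule {
     'default_in-wireguard':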
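--- a/manifests/set.pp
+++ b/manifests/set.pp
@@ -1,33 +1,19 @@
 # manage a named set
 define nftables::set (
-  Enum['present','absent']
-  $ensure = 'present',
-  Pattern[/^[-a-zA-Z0-9_]+$/]
-  $setname = $title,
-  Pattern[/^\d\d$/]
-  $order = '10',
-  Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']]
-  $type = undef,
-  String
-  $table = 'inet-filter',
-  Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4]
-  $flags = [],
-  Optional[Integer]
-  $timeout = undef,
-  Optional[Integer]
-  $gc_interval = undef,
-  Optional[Array[String]]
-  $elements = undef,
-  Optional[Integer]
-  $size = undef,
-  Optional[Enum['performance', 'memory']]
-  $policy = undef,
-  Boolean
-  $auto_merge = false,
-  Optional[String]
-  $content = undef,
-  Optional[Variant[String,Array[String,1]]]
-  $source = undef,
+  Enum['present','absent'] $ensure = 'present',
+  Pattern[/^[-a-zA-Z0-9_]+$/] $setname = $title,
+  Pattern[/^\d\d$/] $order = '10',
+  Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']] $type = undef,
+  String $table = 'inet-filter',
+  Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4] $flags = [],
+  Optional[Integer] $timeout = undef,
+  Optional[Integer] $gc_interval = undef,
+  Optional[Array[String]] $elements = undef,
+  Optional[Integer] $size = undef,
+  Optional[Enum['performance', 'memory']] $policy = undef,
+  Boolean $auto_merge = false,
+  Optional[String] $content = undef,
+  Optional[Variant[String,Array[String,1]]] $source = undef,
 ) {
   if $size and $elements {
     if length($elements) > $size {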
