Révision 351a88fb

ID351a88fb7cbb8ab1f63f43bb02914eda0d2581ba
Parent af544fea
Enfant ba5e15bd

Ajouté par tr il y a plus de 4 ans

Add a define for ipv4 dnat


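--- a/manifests/rules/dnat4.pp
+++ b/manifests/rules/dnat4.pp
@@ -0,0 +1,46 @@
+# manage a ipv4 dnat rule
+define nftables::rules::dnat4(
+  Enum['present','absent']
+    $ensure = 'present',
+  Pattern[/^[a-zA-Z0-9_]+$/]
+    $rulename = $title,
+  Pattern[/^\d\d$/]
+    $order = '50',
+  String[1]
+    $chain = 'default_fwd',
+  Optional[String[1]]
+    $iif = undef,
+  Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]
+    $daddr,
+  Pattern[/^(tcp|udp)$/]
+    $proto = 'tcp',
+  Variant[String,Integer[1,65535]]
+    $port,
+  Optional[Variant[String,Integer[1,65535]]]
+    $dport = '',
+) {
+
+  $iifname = $iif ? {
+    undef   => '',
+    default => "iifname ${iif} ",
+  }
+  $filter_port = $dport ? {
+    ''      => $port,
+    default => $dport,
+  }
+  $nat_port = $dport ? {
+    ''      => '',
+    default => ":${dport}",
+  }
+
+  nftables::rule{
+    default:
+      ensure => $ensure,
+      order  => $order;
+    "${chain}-${rulename}":
+      content => "${iifname}ip daddr ${daddr} ${proto} dport ${filter_port} accept";
+    "PREROUTING-${rulename}":
+      table   => 'ip-nat',
+      content => "${iifname}${proto} dport ${port} dnat to ${daddr}${nat_port}";
+  }
+}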
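Review bot: Several parameters that are interpolated straight into the nftables `content` strings are not constrained beyond `String[1]`/`String` — `$iif`, `$port` and `$dport` — while the ones that do carry a `Pattern` (`$rulename`, `$order`, `$daddr`) anchor with `^`/`$`, which in Puppet's Ruby-based regexes match at line boundaries, so a multi-line value such as `"192.0.2.2\n..."` still satisfies the `$daddr` pattern and lands verbatim in the rule fragment. If these values can come from Hiera or other user-supplied data, anchor with `\A`/`\z` (e.g. `Pattern[/\A\d\d\z/]`, `Pattern[/\A[a-zA-Z0-9_]+\z/]`) and give `$iif`/`$port`/`$dport` a shape as well, e.g. `Variant[Pattern[/\A[a-z0-9-]+\z/],Integer[1,65535]]` if only service names and port numbers are meant. Separately, `$dport` is declared `Optional` but both selectors special-case only `''`, so an explicit `dport => undef` yields `dnat to ${daddr}:` with a trailing colon; either drop `Optional` or add an `undef => ''`/`undef => $port` arm to the two selectors, as the `$iif` selector already does. The `$daddr` pattern also accepts octets up to 299; if stdlib is already a dependency of this module (not visible here), `Stdlib::IP::Address::V4::Nosubnet` would be the tighter type.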
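--- a/spec/classes/router_spec.rb
+++ b/spec/classes/router_spec.rb
@@ -18,6 +18,35 @@
           }
 
           # inet-filter-chain-default_fwd
+          nftables::rules::dnat4{
+            'http':
+              order => '10',
+              chain => 'ingoing',
+              daddr => '192.0.2.2',
+              port  => 'http';
+            'https':
+              order => '10',
+              chain => 'ingoing',
+              daddr => '192.0.2.2',
+              port  => 'https';
+            'http_alt':
+              order => '10',
+              chain => 'ingoing',
+              iif   => 'eth0',
+              daddr => '192.0.2.2',
+              proto => 'tcp',
+              port  => 8080,
+              dport => 80;
+            'wireguard':
+              order => '10',
+              chain => 'ingoing',
+              iif   => 'eth0',
+              daddr => '192.0.2.3',
+              proto => 'udp',
+              port  => '51820';
+          }
+
+          # inet-filter-chain-default_fwd
           nftables::rule{
             'default_fwd-out':
               order   => '20',
@@ -26,13 +55,6 @@
               order   => '90',
               content => 'iifname eth0 drop';
 
-            'ingoing-web':
-              order   => '10',
-              content => 'ip daddr 192.0.2.2 tcp dport { http, https } accept';
-            'PREROUTING-web':
-              table   => 'ip-nat',
-              order   => '30',
-              content => 'iifname eth0 tcp dport { http, https } dnat to 192.0.2.2';
             'POSTROUTING-masquerade':
               table   => 'ip-nat',
               order   => '20',
@@ -81,9 +103,24 @@
           :content => /^chain ingoing {$/,
           :order   => '00',
         )}
-        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-web').with(
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http').with(
+          :target  => 'nftables-inet-filter-chain-ingoing',
+          :content => /^  ip daddr 192.0.2.2 tcp dport http accept$/,
+          :order   => '10',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-https').with(
+          :target  => 'nftables-inet-filter-chain-ingoing',
+          :content => /^  ip daddr 192.0.2.2 tcp dport https accept$/,
+          :order   => '10',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-http_alt').with(
           :target  => 'nftables-inet-filter-chain-ingoing',
-          :content => /^  ip daddr 192.0.2.2 tcp dport \{ http, https \} accept$/,
+          :content => /^  iifname eth0 ip daddr 192.0.2.2 tcp dport 80 accept$/,
+          :order   => '10',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-wireguard').with(
+          :target  => 'nftables-inet-filter-chain-ingoing',
+          :content => /^  iifname eth0 ip daddr 192.0.2.3 udp dport 51820 accept$/,
           :order   => '10',
         )}
         it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
@@ -114,10 +151,25 @@
           :content => /^  policy accept$/,
           :order   => '02',
         )}
-        it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-web').with(
+        it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http').with(
+          :target  => 'nftables-ip-nat-chain-PREROUTING',
+          :content => /^  tcp dport http dnat to 192.0.2.2$/,
+          :order   => '10',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-https').with(
           :target  => 'nftables-ip-nat-chain-PREROUTING',
-          :content => /^  iifname eth0 tcp dport \{ http, https \} dnat to 192.0.2.2$/,
-          :order   => '30',
+          :content => /^  tcp dport https dnat to 192.0.2.2$/,
+          :order   => '10',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-http_alt').with(
+          :target  => 'nftables-ip-nat-chain-PREROUTING',
+          :content => /^  iifname eth0 tcp dport 8080 dnat to 192.0.2.2:80$/,
+          :order   => '10',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-wireguard').with(
+          :target  => 'nftables-ip-nat-chain-PREROUTING',
+          :content => /^  iifname eth0 udp dport 51820 dnat to 192.0.2.3$/,
+          :order   => '10',
         )}
         it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-footer').with(
           :target  => 'nftables-ip-nat-chain-PREROUTING',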
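Review bot: The new `:content` assertions leave the dots in the address unescaped, so `/^  tcp dport http dnat to 192.0.2.2$/` would also accept a mangled `192x0x2x2`; writing `192\.0\.2\.2` (and likewise in every new fragment regex in this section) pins the literal address the define is expected to emit. Nothing here exercises the define's `Pattern` constraints or its `ensure => 'absent'` path, so a separate context with an out-of-range `daddr` or a three-digit `order` asserting `is_expected.to compile.and_raise_error(/Pattern/)`, plus one absent example, would protect the validation that the rest of the catalogue relies on; the `describe`/`context` blocks these examples live in start outside the hunks. Note also that the PREROUTING fragments for the web services move from `order => '30'` to `'10'` because the define applies a single `$order` to both the filter and the nat rule, which is a behaviour change worth mentioning in the commit message if ordering within PREROUTING matters.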
