Révision 38a67c59
Rewrite ip-nat to concat
| files/config/puppet-ip-nat.nft | ||
|---|---|---|
| 1 | 1 |
table ip nat {
|
| 2 |
include "/etc/nftables/puppet/ip-nat-chains-*.nft" |
|
| 3 |
|
|
| 4 |
chain PREROUTING {
|
|
| 5 |
type nat hook prerouting priority 0 |
|
| 6 |
policy accept |
|
| 7 |
|
|
| 8 |
include "/etc/nftables/puppet/ip-nat-chain-prerouting-*.nft" |
|
| 9 |
} |
|
| 10 |
chain INPUT {
|
|
| 11 |
type nat hook input priority 100 |
|
| 12 |
policy accept |
|
| 13 |
|
|
| 14 |
include "/etc/nftables/puppet/ip-nat-chain-input-*.nft" |
|
| 15 |
} |
|
| 16 |
chain OUTPUT {
|
|
| 17 |
type nat hook output priority 0 |
|
| 18 |
policy accept |
|
| 19 |
|
|
| 20 |
include "/etc/nftables/puppet/ip-nat-chain-output-*.nft" |
|
| 21 |
} |
|
| 22 |
|
|
| 23 |
chain POSTROUTING {
|
|
| 24 |
type nat hook postrouting priority 100 |
|
| 25 |
policy accept |
|
| 26 |
|
|
| 27 |
include "/etc/nftables/puppet/ip-nat-chain-postrouting-*.nft" |
|
| 28 |
} |
|
| 2 |
include "/etc/nftables/puppet/ip-nat-chain-*.nft" |
|
| 29 | 3 |
} |
| manifests/init.pp | ||
|---|---|---|
| 49 | 49 |
} |
| 50 | 50 |
|
| 51 | 51 |
nftables::chain{
|
| 52 |
[ |
|
| 53 |
'PREROUTING', |
|
| 54 |
'POSTROUTING', |
|
| 55 |
]: |
|
| 56 |
table => 'ip-nat'; |
|
| 57 |
} |
|
| 58 |
|
|
| 59 |
nftables::chain{
|
|
| 52 | 60 |
'default_in': |
| 53 | 61 |
inject => '10-INPUT'; |
| 54 | 62 |
'default_out': |
| ... | ... | |
| 57 | 65 |
inject => '10-FORWARD'; |
| 58 | 66 |
} |
| 59 | 67 |
|
| 60 |
# filter-chain-INPUT |
|
| 68 |
# inet-filter-chain-INPUT
|
|
| 61 | 69 |
nftables::rule{
|
| 62 | 70 |
'INPUT-type': |
| 63 | 71 |
order => '01', |
| ... | ... | |
| 76 | 84 |
content => 'log prefix "[nftables] INPUT Rejected: " flags all counter reject with icmpx type port-unreachable'; |
| 77 | 85 |
} |
| 78 | 86 |
|
| 79 |
# filter-chain-OUTPUT |
|
| 87 |
# inet-filter-chain-OUTPUT
|
|
| 80 | 88 |
nftables::rule{
|
| 81 | 89 |
'OUTPUT-type': |
| 82 | 90 |
order => '01', |
| ... | ... | |
| 95 | 103 |
content => 'log prefix "[nftables] OUTPUT Rejected: " flags all counter reject with icmpx type port-unreachable'; |
| 96 | 104 |
} |
| 97 | 105 |
|
| 98 |
# filter-chain-FORWARD |
|
| 106 |
# inet-filter-chain-FORWARD
|
|
| 99 | 107 |
nftables::rule{
|
| 100 | 108 |
'FORWARD-type': |
| 101 | 109 |
order => '01', |
| ... | ... | |
| 111 | 119 |
content => 'log prefix "[nftables] FORWARD Rejected: " flags all counter reject with icmpx type port-unreachable'; |
| 112 | 120 |
} |
| 113 | 121 |
|
| 122 |
# ip-nat-chain-PREROUTING |
|
| 123 |
nftables::rule{
|
|
| 124 |
'PREROUTING-type': |
|
| 125 |
table => 'ip-nat', |
|
| 126 |
order => '01', |
|
| 127 |
content => 'type nat hook prerouting priority -100'; |
|
| 128 |
'PREROUTING-policy': |
|
| 129 |
table => 'ip-nat', |
|
| 130 |
order => '02', |
|
| 131 |
content => 'policy accept'; |
|
| 132 |
} |
|
| 133 |
|
|
| 134 |
# ip-nat-chain-POSTROUTING |
|
| 135 |
nftables::rule{
|
|
| 136 |
'POSTROUTING-type': |
|
| 137 |
table => 'ip-nat', |
|
| 138 |
order => '01', |
|
| 139 |
content => 'type nat hook postrouting priority 100'; |
|
| 140 |
'POSTROUTING-policy': |
|
| 141 |
table => 'ip-nat', |
|
| 142 |
order => '02', |
|
| 143 |
content => 'policy accept'; |
|
| 144 |
} |
|
| 145 |
|
|
| 114 | 146 |
# basic ingoing rules |
| 115 | 147 |
if $in_ssh {
|
| 116 | 148 |
include nftables::rules::ssh |
Formats disponibles : Unified diff