Révision 67cdcf15
Support input interface specification to dns server
Useful when you want to allow docker/podman containers
access to a hosts dns stub resolver.
```puppet
class{'nftables::rules::dns':
iifname => ['docker0'],
}
```
| REFERENCE.md | ||
|---|---|---|
| 526 | 526 |
|
| 527 | 527 |
manage in dns |
| 528 | 528 |
|
| 529 |
#### Examples |
|
| 530 |
|
|
| 531 |
##### Allow access to stub dns resolver from docker containers |
|
| 532 |
|
|
| 533 |
```puppet |
|
| 534 |
class { 'nftables::rules::dns':
|
|
| 535 |
iifname => ['docker0'], |
|
| 536 |
} |
|
| 537 |
``` |
|
| 538 |
|
|
| 529 | 539 |
#### Parameters |
| 530 | 540 |
|
| 531 | 541 |
The following parameters are available in the `nftables::rules::dns` class: |
| 532 | 542 |
|
| 533 | 543 |
* [`ports`](#-nftables--rules--dns--ports) |
| 544 |
* [`iifname`](#-nftables--rules--dns--iifname) |
|
| 534 | 545 |
|
| 535 | 546 |
##### <a name="-nftables--rules--dns--ports"></a>`ports` |
| 536 | 547 |
|
| ... | ... | |
| 540 | 551 |
|
| 541 | 552 |
Default value: `[53]` |
| 542 | 553 |
|
| 554 |
##### <a name="-nftables--rules--dns--iifname"></a>`iifname` |
|
| 555 |
|
|
| 556 |
Data type: `Optional[Array[String[1],1]]` |
|
| 557 |
|
|
| 558 |
Specify input interface names. |
|
| 559 |
|
|
| 560 |
Default value: `undef` |
|
| 561 |
|
|
| 543 | 562 |
### <a name="nftables--rules--docker_ce"></a>`nftables::rules::docker_ce` |
| 544 | 563 |
|
| 545 | 564 |
The configuration distributed in this class represents the default firewall |
| manifests/rules/dns.pp | ||
|---|---|---|
| 1 | 1 |
# @summary manage in dns |
| 2 | 2 |
# @param ports Specify ports for dns. |
| 3 |
# @param iifname Specify input interface names. |
|
| 4 |
# |
|
| 5 |
# @example Allow access to stub dns resolver from docker containers |
|
| 6 |
# class { 'nftables::rules::dns':
|
|
| 7 |
# iifname => ['docker0'], |
|
| 8 |
# } |
|
| 9 |
# |
|
| 3 | 10 |
class nftables::rules::dns ( |
| 4 | 11 |
Array[Stdlib::Port,1] $ports = [53], |
| 12 |
Optional[Array[String[1],1]] $iifname = undef, |
|
| 5 | 13 |
) {
|
| 14 |
$_iifname = $iifname ? {
|
|
| 15 |
Undef => '', |
|
| 16 |
default => "iifname {${join($iifname, ', ')}} ",
|
|
| 17 |
} |
|
| 18 |
|
|
| 6 | 19 |
nftables::rule {
|
| 7 | 20 |
'default_in-dns_tcp': |
| 8 |
content => "tcp dport {${join($ports,', ')}} accept";
|
|
| 21 |
content => "${_iifname}tcp dport {${join($ports,', ')}} accept";
|
|
| 9 | 22 |
'default_in-dns_udp': |
| 10 |
content => "udp dport {${join($ports,', ')}} accept";
|
|
| 23 |
content => "${_iifname}udp dport {${join($ports,', ')}} accept";
|
|
| 11 | 24 |
} |
| 12 | 25 |
} |
| spec/classes/rules/dns_spec.rb | ||
|---|---|---|
| 24 | 24 |
it { is_expected.to contain_nftables__rule('default_in-dns_tcp').with_content('tcp dport {55, 60} accept') }
|
| 25 | 25 |
it { is_expected.to contain_nftables__rule('default_in-dns_udp').with_content('udp dport {55, 60} accept') }
|
| 26 | 26 |
end |
| 27 |
|
|
| 28 |
context 'with input interfaces set' do |
|
| 29 |
let(:params) do |
|
| 30 |
{
|
|
| 31 |
iifname: %w[docker0 eth0], |
|
| 32 |
} |
|
| 33 |
end |
|
| 34 |
|
|
| 35 |
it { is_expected.to compile }
|
|
| 36 |
it { is_expected.to contain_nftables__rule('default_in-dns_tcp').with_content('iifname {docker0, eth0} tcp dport {53} accept') }
|
|
| 37 |
it { is_expected.to contain_nftables__rule('default_in-dns_udp').with_content('iifname {docker0, eth0} udp dport {53} accept') }
|
|
| 38 |
end |
|
| 27 | 39 |
end |
| 28 | 40 |
end |
| 29 | 41 |
end |
Formats disponibles : Unified diff