Révision 7030bde0
Add bridge as a valid family for chain tables
| REFERENCE.md | ||
|---|---|---|
| 153 | 153 |
* [`configuration_path`](#configuration_path) |
| 154 | 154 |
* [`nft_path`](#nft_path) |
| 155 | 155 |
* [`echo`](#echo) |
| 156 |
* [`default_config_mode`](#default_config_mode) |
|
| 156 | 157 |
|
| 157 | 158 |
##### <a name="out_all"></a>`out_all` |
| 158 | 159 |
|
| ... | ... | |
| 348 | 349 |
|
| 349 | 350 |
Path to the echo binary |
| 350 | 351 |
|
| 352 |
##### <a name="default_config_mode"></a>`default_config_mode` |
|
| 353 |
|
|
| 354 |
Data type: `Stdlib::Filemode` |
|
| 355 |
|
|
| 356 |
The default file & dir mode for configuration files and directories. The |
|
| 357 |
default varies depending on the system, and is set in the module's data. |
|
| 358 |
|
|
| 351 | 359 |
### <a name="nftablesbridges"></a>`nftables::bridges` |
| 352 | 360 |
|
| 353 | 361 |
allow forwarding traffic on bridges |
| ... | ... | |
| 1166 | 1174 |
|
| 1167 | 1175 |
##### <a name="table"></a>`table` |
| 1168 | 1176 |
|
| 1169 |
Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]` |
|
| 1177 |
Data type: `Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/]`
|
|
| 1170 | 1178 |
|
| 1171 | 1179 |
|
| 1172 | 1180 |
|
| manifests/chain.pp | ||
|---|---|---|
| 1 | 1 |
# manage a chain |
| 2 | 2 |
define nftables::chain ( |
| 3 | 3 |
# lint:ignore:parameter_documentation |
| 4 |
Pattern[/^(ip|ip6|inet|netdev)-[a-zA-Z0-9_]+$/] $table = 'inet-filter', |
|
| 4 |
Pattern[/^(ip|ip6|inet|netdev|bridge)-[a-zA-Z0-9_]+$/] $table = 'inet-filter',
|
|
| 5 | 5 |
Pattern[/^[a-zA-Z0-9_]+$/] $chain = $title, |
| 6 | 6 |
Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]] $inject = undef, |
| 7 | 7 |
Optional[String] $inject_iif = undef, |
| spec/defines/chain_spec.rb | ||
|---|---|---|
| 61 | 61 |
) |
| 62 | 62 |
} |
| 63 | 63 |
|
| 64 |
context('with table set to ip6-foo') do
|
|
| 65 |
let(:params) do |
|
| 66 |
{
|
|
| 67 |
table: 'ip6-foo', |
|
| 68 |
} |
|
| 69 |
end |
|
| 64 |
%w[ip ip6 inet bridge netdev].each do |family| |
|
| 65 |
context("with table set to #{family}-foo") do
|
|
| 66 |
let(:params) do |
|
| 67 |
{
|
|
| 68 |
table: "#{family}-foo",
|
|
| 69 |
} |
|
| 70 |
end |
|
| 70 | 71 |
|
| 71 |
it {
|
|
| 72 |
expect(subject).to contain_concat('nftables-ip6-foo-chain-MYCHAIN').with(
|
|
| 73 |
path: '/etc/nftables/puppet-preflight/ip6-foo-chain-MYCHAIN.nft',
|
|
| 74 |
owner: 'root', |
|
| 75 |
group: 'root', |
|
| 76 |
mode: nft_mode, |
|
| 77 |
ensure_newline: true |
|
| 78 |
) |
|
| 79 |
} |
|
| 72 |
it {
|
|
| 73 |
expect(subject).to contain_concat("nftables-#{family}-foo-chain-MYCHAIN").with(
|
|
| 74 |
path: "/etc/nftables/puppet-preflight/#{family}-foo-chain-MYCHAIN.nft",
|
|
| 75 |
owner: 'root',
|
|
| 76 |
group: 'root',
|
|
| 77 |
mode: nft_mode,
|
|
| 78 |
ensure_newline: true
|
|
| 79 |
)
|
|
| 80 |
}
|
|
| 80 | 81 |
|
| 81 |
it {
|
|
| 82 |
expect(subject).to contain_file('/etc/nftables/puppet/ip6-foo-chain-MYCHAIN.nft').with(
|
|
| 83 |
ensure: 'file', |
|
| 84 |
source: '/etc/nftables/puppet-preflight/ip6-foo-chain-MYCHAIN.nft',
|
|
| 85 |
mode: nft_mode, |
|
| 86 |
owner: 'root', |
|
| 87 |
group: 'root' |
|
| 88 |
) |
|
| 89 |
} |
|
| 82 |
it {
|
|
| 83 |
expect(subject).to contain_file("/etc/nftables/puppet/#{family}-foo-chain-MYCHAIN.nft").with(
|
|
| 84 |
ensure: 'file',
|
|
| 85 |
source: "/etc/nftables/puppet-preflight/#{family}-foo-chain-MYCHAIN.nft",
|
|
| 86 |
mode: nft_mode,
|
|
| 87 |
owner: 'root',
|
|
| 88 |
group: 'root'
|
|
| 89 |
)
|
|
| 90 |
}
|
|
| 90 | 91 |
|
| 91 |
it {
|
|
| 92 |
expect(subject).to contain_concat__fragment('nftables-ip6-foo-chain-MYCHAIN-header').with(
|
|
| 93 |
order: '00', |
|
| 94 |
content: "# Start of fragment order:00 MYCHAIN header\nchain MYCHAIN {",
|
|
| 95 |
target: 'nftables-ip6-foo-chain-MYCHAIN'
|
|
| 96 |
) |
|
| 97 |
} |
|
| 92 |
it {
|
|
| 93 |
expect(subject).to contain_concat__fragment("nftables-#{family}-foo-chain-MYCHAIN-header").with(
|
|
| 94 |
order: '00',
|
|
| 95 |
content: "# Start of fragment order:00 MYCHAIN header\nchain MYCHAIN {",
|
|
| 96 |
target: "nftables-#{family}-foo-chain-MYCHAIN"
|
|
| 97 |
)
|
|
| 98 |
}
|
|
| 98 | 99 |
|
| 99 |
it {
|
|
| 100 |
expect(subject).to contain_concat__fragment('nftables-ip6-foo-chain-MYCHAIN-footer').with(
|
|
| 101 |
order: '99', |
|
| 102 |
content: "# Start of fragment order:99 MYCHAIN footer\n}", |
|
| 103 |
target: 'nftables-ip6-foo-chain-MYCHAIN' |
|
| 104 |
) |
|
| 105 |
} |
|
| 100 |
it {
|
|
| 101 |
expect(subject).to contain_concat__fragment("nftables-#{family}-foo-chain-MYCHAIN-footer").with(
|
|
| 102 |
order: '99', |
|
| 103 |
content: "# Start of fragment order:99 MYCHAIN footer\n}", |
|
| 104 |
target: "nftables-#{family}-foo-chain-MYCHAIN"
|
|
| 105 |
) |
|
| 106 |
} |
|
| 107 |
end |
|
| 106 | 108 |
end |
| 107 | 109 |
|
| 108 | 110 |
context 'with inject set to 22-foobar' do |
Formats disponibles : Unified diff