/manifests/init.pp - Annoter - puppet nftables - Koumbit's Redmine

Télécharger au format

root / manifests / init.pp @ 79e9a23f

Historique | Voir | Annoter | Télécharger (2,86 ko)

1	e17693e3	Steve Traylen	# @summary Configure nftables
2			#
3			# @example
4			# class{'nftables:
5			# out_ntp = false,
6			# out_dns = true,
7	b3a7a6dd	tr	# }
8	e17693e3	Steve Traylen	#
9	b3a7a6dd	tr	# @param out_all
10	e17693e3	Steve Traylen	# Allow all outbound connections. If `true` then all other
11			# out parameters `out_ntp`, `out_dns`, ... will be assuemed
12			# false.
13			#
14			# @param out_ntp
15			# Allow outbound to ntp servers.
16			#
17			# @param out_http
18			# Allow outbound to http servers.
19			#
20			# @param out_https
21			# Allow outbound to https servers.
22			#
23			# @param out_https
24			# Allow outbound to https servers.
25			#
26	79e9a23f	Nacho Barrientos	# @param out_icmp
27			# Allow outbound ICMPv4/v6 traffic.
28			#
29	e17693e3	Steve Traylen	# @param in_ssh
30			# Allow inbound to ssh servers.
31			#
32	79e9a23f	Nacho Barrientos	# @param in_icmp
33			# Allow inbound ICMPv4/v6 traffic.
34			#
35	ac0af4aa	Nacho Barrientos	# @param log_prefix
36			# String that will be used as prefix when logging packets. It can contain
37			# two variables using standard sprintf() string-formatting:
38			# * chain: Will be replaced by the name of the chain.
39			# * comment: Allows chains to add extra comments.
40			#
41	70727742	Nacho Barrientos	# @param reject_with
42			# How to discard packets not matching any rule. If `false`, the
43			# fate of the packet will be defined by the chain policy (normally
44			# drop), otherwise the packet will be rejected with the REJECT_WITH
45			# policy indicated by the value of this parameter.
46			#
47	ea96d5db	Nacho Barrientos	# @param in_out_conntrack
48			# Adds INPUT and OUTPUT rules to allow traffic that's part of an
49			# established connection and also to drop invalid packets.
50			#
51	be0b08e1	tr	class nftables (
52	70727742	Nacho Barrientos	Boolean $in_ssh = true,
53	79e9a23f	Nacho Barrientos	Boolean $in_icmp = true,
54	70727742	Nacho Barrientos	Boolean $out_ntp = true,
55			Boolean $out_dns = true,
56			Boolean $out_http = true,
57			Boolean $out_https = true,
58	79e9a23f	Nacho Barrientos	Boolean $out_icmp = true,
59	70727742	Nacho Barrientos	Boolean $out_all = false,
60	ea96d5db	Nacho Barrientos	Boolean $in_out_conntrack = true,
61	70727742	Nacho Barrientos	Hash $rules = {},
62	ac0af4aa	Nacho Barrientos	String $log_prefix = '[nftables] %<chain>s %<comment>s',
63	70727742	Nacho Barrientos	Variant[Boolean[false], Pattern[
64			/icmp(v6\|x)? type .+\|tcp reset/]]
65			$reject_with = 'icmpx type port-unreachable',
66	be0b08e1	tr	) {
67
68	0ba57c66	mh	package{'nftables':
69			ensure => installed,
70			} -> file_line{
71			'enable_nftables':
72			line => 'include "/etc/nftables/puppet.nft"',
73			path => '/etc/sysconfig/nftables.conf',
74			notify => Service['nftables'],
75			} -> file{
76			default:
77	e140adff	tr	owner => 'root',
78			group => 'root',
79			mode => '0640';
80	0ba57c66	mh	'/etc/nftables/puppet.nft':
81	5acb554a	tr	ensure => file,
82	0ba57c66	mh	source => 'puppet:///modules/nftables/config/puppet.nft';
83			'/etc/nftables/puppet':
84			ensure => directory,
85	5acb554a	tr	mode => '0750',
86	0ba57c66	mh	purge => true,
87			force => true,
88			recurse => true;
89			} ~> service{'nftables':
90	e140adff	tr	ensure => running,
91			enable => true,
92	0ba57c66	mh	}
93
94	f02562f2	tr	service{'firewalld':
95			ensure => stopped,
96			enable => mask,
97			}
98
99	c8092701	tr	include nftables::inet_filter
100			include nftables::ip_nat
101	b3a7a6dd	tr
102			# inject custom rules e.g. from hiera
103	66ed7f61	mh	$rules.each \|$n,$v\| {
104			nftables::rule{
105			$n:
106			* => $v
107			}
108			}
109	0ba57c66	mh	}

Projet

Général

Profil

puppet nftables

root / manifests / init.pp @ 79e9a23f