Révision 7b9d6ffc
Allow creating a totally empty firewall
By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.
The default skeleton for inet-filter, ip-nat and ip6-nat is kept
enabled by default.
Fixes #95.
| README.md | ||
|---|---|---|
| 47 | 47 |
INPUT and OUTPUT to the loopback device is allowed by |
| 48 | 48 |
default, though you could restrict it later. |
| 49 | 49 |
|
| 50 |
On the other hand, if you don't want any of the default tables, chains |
|
| 51 |
and rules created by the module, you can set `nftables::inet_filter` |
|
| 52 |
and/or `nftables::nat` to `false` and build your whole nftables |
|
| 53 |
configuration from scratch by using the building blocks provided by |
|
| 54 |
this module. Looking at `nftables::inet_filter` for inspiration might |
|
| 55 |
be a good idea. |
|
| 56 |
|
|
| 50 | 57 |
## Rules Validation |
| 51 | 58 |
|
| 52 | 59 |
Initially puppet deploys all configuration to |
| REFERENCE.md | ||
|---|---|---|
| 131 | 131 |
* [`out_icmp`](#out_icmp) |
| 132 | 132 |
* [`in_ssh`](#in_ssh) |
| 133 | 133 |
* [`in_icmp`](#in_icmp) |
| 134 |
* [`inet_filter`](#inet_filter) |
|
| 134 | 135 |
* [`nat`](#nat) |
| 135 | 136 |
* [`sets`](#sets) |
| 136 | 137 |
* [`log_prefix`](#log_prefix) |
| ... | ... | |
| 208 | 209 |
|
| 209 | 210 |
Default value: ``true`` |
| 210 | 211 |
|
| 212 |
##### <a name="inet_filter"></a>`inet_filter` |
|
| 213 |
|
|
| 214 |
Data type: `Boolean` |
|
| 215 |
|
|
| 216 |
Add default tables, chains and rules to process traffic. |
|
| 217 |
|
|
| 218 |
Default value: ``true`` |
|
| 219 |
|
|
| 211 | 220 |
##### <a name="nat"></a>`nat` |
| 212 | 221 |
|
| 213 | 222 |
Data type: `Boolean` |
| manifests/init.pp | ||
|---|---|---|
| 37 | 37 |
# @param in_icmp |
| 38 | 38 |
# Allow inbound ICMPv4/v6 traffic. |
| 39 | 39 |
# |
| 40 |
# @param inet_filter |
|
| 41 |
# Add default tables, chains and rules to process traffic. |
|
| 42 |
# |
|
| 40 | 43 |
# @param nat |
| 41 | 44 |
# Add default tables and chains to process NAT traffic. |
| 42 | 45 |
# |
| ... | ... | |
| 91 | 94 |
Boolean $out_all = false, |
| 92 | 95 |
Boolean $in_out_conntrack = true, |
| 93 | 96 |
Boolean $fwd_conntrack = false, |
| 97 |
Boolean $inet_filter = true, |
|
| 94 | 98 |
Boolean $nat = true, |
| 95 | 99 |
Hash $rules = {},
|
| 96 | 100 |
Hash $sets = {},
|
| ... | ... | |
| 120 | 124 |
recurse => true; |
| 121 | 125 |
'/etc/nftables/puppet-preflight.nft': |
| 122 | 126 |
ensure => file, |
| 123 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
|
|
| 127 |
content => epp('nftables/config/puppet.nft.epp', {
|
|
| 128 |
'inet_filter' => $inet_filter, |
|
| 129 |
'nat' => $nat, |
|
| 130 |
'noflush' => $noflush_tables |
|
| 131 |
} |
|
| 132 |
); |
|
| 124 | 133 |
} ~> exec {
|
| 125 | 134 |
'nft validate': |
| 126 | 135 |
refreshonly => true, |
| ... | ... | |
| 132 | 141 |
mode => '0640'; |
| 133 | 142 |
'/etc/nftables/puppet.nft': |
| 134 | 143 |
ensure => file, |
| 135 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
|
|
| 144 |
content => epp('nftables/config/puppet.nft.epp', {
|
|
| 145 |
'inet_filter' => $inet_filter, |
|
| 146 |
'nat' => $nat, |
|
| 147 |
'noflush' => $noflush_tables |
|
| 148 |
} |
|
| 149 |
); |
|
| 136 | 150 |
'/etc/nftables/puppet': |
| 137 | 151 |
ensure => directory, |
| 138 | 152 |
mode => '0750', |
| ... | ... | |
| 160 | 174 |
enable => $firewalld_enable, |
| 161 | 175 |
} |
| 162 | 176 |
|
| 163 |
include nftables::inet_filter |
|
| 177 |
if $inet_filter {
|
|
| 178 |
include nftables::inet_filter |
|
| 179 |
} |
|
| 180 |
|
|
| 164 | 181 |
if $nat {
|
| 165 | 182 |
include nftables::ip_nat |
| 166 | 183 |
} |
| spec/acceptance/default_spec.rb | ||
|---|---|---|
| 81 | 81 |
it { is_expected.to be_enabled }
|
| 82 | 82 |
end |
| 83 | 83 |
end |
| 84 |
context 'with totally empty firewall' do |
|
| 85 |
it 'no rules validate okay' do |
|
| 86 |
pp = <<-EOS |
|
| 87 |
class{'nftables':
|
|
| 88 |
firewalld_enable => false, |
|
| 89 |
inet_filter => false, |
|
| 90 |
nat => false, |
|
| 91 |
} |
|
| 92 |
# nftables cannot be started in docker so replace service with a validation only. |
|
| 93 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
|
| 94 |
ensure => present, |
|
| 95 |
unit => "nftables.service", |
|
| 96 |
content => [ |
|
| 97 |
"[Service]", |
|
| 98 |
"ExecStart=", |
|
| 99 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf", |
|
| 100 |
"ExecReload=", |
|
| 101 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf", |
|
| 102 |
"", |
|
| 103 |
].join("\n"),
|
|
| 104 |
notify => Service["nftables"], |
|
| 105 |
} |
|
| 106 |
EOS |
|
| 107 |
apply_manifest(pp, catch_failures: true) |
|
| 108 |
end |
|
| 109 |
describe service('nftables') do
|
|
| 110 |
it { is_expected.to be_running }
|
|
| 111 |
it { is_expected.to be_enabled }
|
|
| 112 |
end |
|
| 113 |
end |
|
| 84 | 114 |
end |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 83 | 83 |
enable: 'mask', |
| 84 | 84 |
) |
| 85 | 85 |
} |
| 86 |
it { is_expected.to contain_class('nftables::inet_filter') }
|
|
| 87 |
it { is_expected.to contain_class('nftables::ip_nat') }
|
|
| 86 | 88 |
it { is_expected.to contain_class('nftables::rules::out::http') }
|
| 87 | 89 |
it { is_expected.to contain_class('nftables::rules::out::https') }
|
| 88 | 90 |
it { is_expected.to contain_class('nftables::rules::out::dns') }
|
| ... | ... | |
| 174 | 176 |
} |
| 175 | 177 |
end |
| 176 | 178 |
|
| 179 |
context 'with no default filtering rules' do |
|
| 180 |
let(:params) do |
|
| 181 |
{
|
|
| 182 |
'inet_filter' => false, |
|
| 183 |
} |
|
| 184 |
end |
|
| 185 |
|
|
| 186 |
it { is_expected.to contain_class('nftables::ip_nat') }
|
|
| 187 |
it { is_expected.not_to contain_class('nftables::inet_filter') }
|
|
| 188 |
end |
|
| 189 |
|
|
| 190 |
context 'with no default tables, chains or rules' do |
|
| 191 |
let(:params) do |
|
| 192 |
{
|
|
| 193 |
'inet_filter' => false, |
|
| 194 |
'nat' => false, |
|
| 195 |
} |
|
| 196 |
end |
|
| 197 |
|
|
| 198 |
it { is_expected.not_to contain_class('nftables::ip_nat') }
|
|
| 199 |
it { is_expected.not_to contain_class('nftables::inet_filter') }
|
|
| 200 |
it { is_expected.to have_nftables__config_resource_count(0) }
|
|
| 201 |
it { is_expected.to have_nftables__chain_resource_count(0) }
|
|
| 202 |
it { is_expected.to have_nftables__rule_resource_count(0) }
|
|
| 203 |
it { is_expected.to have_nftables__set_resource_count(0) }
|
|
| 204 |
end |
|
| 205 |
|
|
| 177 | 206 |
context 'with with noflush_tables parameter' do |
| 178 | 207 |
let(:params) do |
| 179 | 208 |
{
|
| templates/config/puppet.nft.epp | ||
|---|---|---|
| 1 | 1 |
<%- | |
| 2 |
Boolean $inet_filter, |
|
| 2 | 3 |
Boolean $nat, |
| 3 | 4 |
Optional[Array[String[1],1]] $noflush = undef, |
| 4 | 5 |
|-%> |
| ... | ... | |
| 21 | 22 |
<%= $_flush_command.join("\n") %>
|
| 22 | 23 |
|
| 23 | 24 |
include "custom-*.nft" |
| 25 |
<% if $inet_filter { -%>
|
|
| 24 | 26 |
include "inet-filter.nft" |
| 27 |
<% } -%> |
|
| 25 | 28 |
<% if $nat { -%>
|
| 26 | 29 |
include "ip-nat.nft" |
| 27 | 30 |
include "ip6-nat.nft" |
Formats disponibles : Unified diff