
Révision 7b9d6ffc

ID7b9d6ffc726f8d33668bffce41384cc2375efb4f
Parent 4937bed5
Enfant 65b4f2f3

Ajouté par Nacho Barrientos il y a presque 4 ans

Allow creating a totally empty firewall

By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.

The default skeleton for inet-filter, ip-nat and ip6-nat is kept
enabled by default.

Fixes #95.

Voir les différences:

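--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -37,6 +37,9 @@
 # @param in_icmp
 #   Allow inbound ICMPv4/v6 traffic.
 #
+# @param inet_filter
+#   Add default tables, chains and rules to process traffic.
+#
 # @param nat
 #   Add default tables and chains to process NAT traffic.
 #
@@ -91,6 +94,7 @@
   Boolean $out_all = false,
   Boolean $in_out_conntrack = true,
   Boolean $fwd_conntrack = false,
+  Boolean $inet_filter = true,
   Boolean $nat = true,
   Hash $rules = {},
   Hash $sets = {},
@@ -120,7 +124,12 @@
       recurse => true;
     '/etc/nftables/puppet-preflight.nft':
       ensure  => file,
-      content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
+      content => epp('nftables/config/puppet.nft.epp', {
+          'inet_filter' => $inet_filter,
+          'nat'         => $nat,
+          'noflush'     => $noflush_tables
+        }
+      );
   } ~> exec {
     'nft validate':
       refreshonly => true,
@@ -132,7 +141,12 @@
       mode  => '0640';
     '/etc/nftables/puppet.nft':
       ensure  => file,
-      content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
+      content => epp('nftables/config/puppet.nft.epp', {
+          'inet_filter' => $inet_filter,
+          'nat'         => $nat,
+          'noflush'     => $noflush_tables
+        }
+      );
     '/etc/nftables/puppet':
       ensure  => directory,
       mode    => '0750',
@@ -160,7 +174,10 @@
     enable => $firewalld_enable,
   }
 
-  include nftables::inet_filter
+  if $inet_filter {
+    include nftables::inet_filter
+  }
+
   if $nat {
     include nftables::ip_nat
   }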
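Review bot: The epp() call that renders the ruleset is now duplicated verbatim for '/etc/nftables/puppet-preflight.nft' and '/etc/nftables/puppet.nft', and with three keys in the parameter hash the two copies are easy to let drift, which would make the preflight validation check something other than what is applied. Evaluating it once into a class-local variable, e.g. `$puppet_nft = epp('nftables/config/puppet.nft.epp', { 'inet_filter' => $inet_filter, 'nat' => $nat, 'noflush' => $noflush_tables })`, and using `content => $puppet_nft,` in both resources keeps them in lockstep. The `@param inet_filter` doc in the first hunk would also benefit from stating the consequence the commit message describes: `#   When false no inet filter table is managed, so the host accepts all traffic until rules are supplied.`. The enclosing class body begins and ends outside these hunks.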
