Révision 7b9d6ffc
Allow creating a totally empty firewall
By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.
The default skeleton for inet-filter, ip-nat and ip6-nat remains enabled
unless these parameters are set to `false`.
Fixes #95.
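--- a/spec/acceptance/default_spec.rb
+++ b/spec/acceptance/default_spec.rb
@@ -81,4 +81,34 @@
 it { is_expected.to be_enabled }
 end
 end
+context 'with totally empty firewall' do
+it 'no rules validate okay' do
+pp = <<-EOS
+class{'nftables':
+firewalld_enable => false,
+inet_filter => false,
+nat => false,
+}
+# nftables cannot be started in docker so replace service with a validation only.
+systemd::dropin_file{"zzz_docker_nft.conf":
+ensure => present,
+unit => "nftables.service",
+content => [
+"[Service]",
+"ExecStart=",
+"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
+"ExecReload=",
+"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
+"",
+].join("\n"),
+notify => Service["nftables"],
+}
+EOS
+apply_manifest(pp, catch_failures: true)
+end
+describe service('nftables') do
+it { is_expected.to be_running }
+it { is_expected.to be_enabled }
+end
+end
 end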
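Review bot: The new 'with totally empty firewall' context only proves that the generated ruleset parses (the drop-in turns ExecStart/ExecReload into `nft -c` checks) and that the unit is enabled; it never asserts that the firewall is in fact empty, so a regression that still emits the inet-filter or nat skeleton despite `inet_filter => false` and `nat => false` would pass unnoticed. An assertion on the rendered configuration would close that gap, for example a `describe file(...)` on the relevant file under `/etc/nftables/puppet` (or on `/etc/sysconfig/nftables.conf`, depending on how the module lays the ruleset out) with `its(:content) { is_expected.not_to match(/^table /) }`. The `it` block also runs `apply_manifest` only once; if the other contexts in this file follow the usual pattern of a second `apply_manifest(pp, catch_changes: true)` to check idempotency, this one should too. The enclosing top-level `describe` starts outside this section.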