Projet

Général

Profil

Révision 7b9d6ffc

ID7b9d6ffc726f8d33668bffce41384cc2375efb4f
Parent 4937bed5
Enfant 65b4f2f3

Ajouté par Nacho Barrientos il y a presque 4 ans

Allow creating a totally empty firewall

By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.

The default skeleton for inet-filter, ip-nat and ip6-nat is kept
enabled by default.

Fixes #95.

Voir les différences:

spec/classes/nftables_spec.rb
83 83 
          enable: 'mask',
84 84 
        )
85 85 
      }
86 
      it { is_expected.to contain_class('nftables::inet_filter') }
87 
      it { is_expected.to contain_class('nftables::ip_nat') }
86 88 
      it { is_expected.to contain_class('nftables::rules::out::http') }
87 89 
      it { is_expected.to contain_class('nftables::rules::out::https') }
88 90 
      it { is_expected.to contain_class('nftables::rules::out::dns') }
......
174 176 
        }
175 177 
      end
176 178 

  		




  
  179
  
    
      context 'with no default filtering rules' do


  		




  
  180
  
    
        let(:params) do


  		




  
  181
  
    
          {


  		




  
  182
  
    
            'inet_filter' => false,


  		




  
  183
  
    
          }


  		




  
  184
  
    
        end


  		




  
  185
  
    

  		




  
  186
  
    
        it { is_expected.to contain_class('nftables::ip_nat') }


  		




  
  187
  
    
        it { is_expected.not_to contain_class('nftables::inet_filter') }


  		




  
  188
  
    
      end


  		




  
  189
  
    

  		




  
  190
  
    
      context 'with no default tables, chains or rules' do


  		




  
  191
  
    
        let(:params) do


  		




  
  192
  
    
          {


  		




  
  193
  
    
            'inet_filter' => false,


  		




  
  194
  
    
            'nat' => false,


  		




  
  195
  
    
          }


  		




  
  196
  
    
        end


  		




  
  197
  
    

  		




  
  198
  
    
        it { is_expected.not_to contain_class('nftables::ip_nat') }


  		




  
  199
  
    
        it { is_expected.not_to contain_class('nftables::inet_filter') }


  		




  
  200
  
    
        it { is_expected.to have_nftables__config_resource_count(0) }


  		




  
  201
  
    
        it { is_expected.to have_nftables__chain_resource_count(0) }


  		




  
  202
  
    
        it { is_expected.to have_nftables__rule_resource_count(0) }


  		




  
  203
  
    
        it { is_expected.to have_nftables__set_resource_count(0) }


  		




  
  204
  
    
      end


  		




  
  205
  
    

  		




  177
  206
  
    
      context 'with with noflush_tables parameter' do


  		




  178
  207
  
    
        let(:params) do


  		




  179
  208
  
    
          {


  		












Formats disponibles :  Unified diff