Révision 7b9d6ffc
Allow creating a totally empty firewall
By setting `nftables::inet_filter` and `nftables::nat` to `false`
users can now start off from a totally empty firewall and add the
tables, chains and rules they'd like.
The default skeleton for inet-filter, ip-nat and ip6-nat is kept
enabled by default.
Fixes #95.
| templates/config/puppet.nft.epp | ||
|---|---|---|
| 1 | 1 |
<%- | |
| 2 |
Boolean $inet_filter, |
|
| 2 | 3 |
Boolean $nat, |
| 3 | 4 |
Optional[Array[String[1],1]] $noflush = undef, |
| 4 | 5 |
|-%> |
| ... | ... | |
| 21 | 22 |
<%= $_flush_command.join("\n") %>
|
| 22 | 23 |
|
| 23 | 24 |
include "custom-*.nft" |
| 25 |
<% if $inet_filter { -%>
|
|
| 24 | 26 |
include "inet-filter.nft" |
| 27 |
<% } -%> |
|
| 25 | 28 |
<% if $nat { -%>
|
| 26 | 29 |
include "ip-nat.nft" |
| 27 | 30 |
include "ip6-nat.nft" |
Formats disponibles : Unified diff