Révision 82d10659
Allow disabling default NAT tables and chains
| manifests/init.pp | ||
|---|---|---|
| 32 | 32 |
# @param in_icmp |
| 33 | 33 |
# Allow inbound ICMPv4/v6 traffic. |
| 34 | 34 |
# |
| 35 |
# @param nat |
|
| 36 |
# Add default tables and chains to process NAT traffic. |
|
| 37 |
# |
|
| 35 | 38 |
# @param log_prefix |
| 36 | 39 |
# String that will be used as prefix when logging packets. It can contain |
| 37 | 40 |
# two variables using standard sprintf() string-formatting: |
| ... | ... | |
| 63 | 66 |
Boolean $out_icmp = true, |
| 64 | 67 |
Boolean $out_all = false, |
| 65 | 68 |
Boolean $in_out_conntrack = true, |
| 69 |
Boolean $nat = true, |
|
| 66 | 70 |
Hash $rules = {},
|
| 67 | 71 |
String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 68 | 72 |
Variant[Boolean[false], Pattern[ |
| ... | ... | |
| 91 | 95 |
force => true, |
| 92 | 96 |
recurse => true; |
| 93 | 97 |
'/etc/nftables/puppet-preflight.nft': |
| 94 |
ensure => file, |
|
| 95 |
source => 'puppet:///modules/nftables/config/puppet.nft';
|
|
| 98 |
ensure => file,
|
|
| 99 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat });
|
|
| 96 | 100 |
} ~> exec{
|
| 97 | 101 |
'nft validate': |
| 98 | 102 |
refreshonly => true, |
| ... | ... | |
| 103 | 107 |
group => 'root', |
| 104 | 108 |
mode => '0640'; |
| 105 | 109 |
'/etc/nftables/puppet.nft': |
| 106 |
ensure => file, |
|
| 107 |
source => 'puppet:///modules/nftables/config/puppet.nft';
|
|
| 110 |
ensure => file,
|
|
| 111 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat });
|
|
| 108 | 112 |
'/etc/nftables/puppet': |
| 109 | 113 |
ensure => directory, |
| 110 | 114 |
mode => '0750', |
| ... | ... | |
| 131 | 135 |
} |
| 132 | 136 |
|
| 133 | 137 |
include nftables::inet_filter |
| 134 |
include nftables::ip_nat |
|
| 138 |
if $nat {
|
|
| 139 |
include nftables::ip_nat |
|
| 140 |
} |
|
| 135 | 141 |
|
| 136 | 142 |
# inject custom rules e.g. from hiera |
| 137 | 143 |
$rules.each |$n,$v| {
|
| spec/classes/ip_nat_spec.rb | ||
|---|---|---|
| 234 | 234 |
) |
| 235 | 235 |
} |
| 236 | 236 |
end |
| 237 |
|
|
| 238 |
context 'all nat tables disabled' do |
|
| 239 |
let(:params) do |
|
| 240 |
{
|
|
| 241 |
'nat' => false, |
|
| 242 |
} |
|
| 243 |
end |
|
| 244 |
|
|
| 245 |
it { is_expected.not_to contain_class('nftables::ip_nat') }
|
|
| 246 |
it { is_expected.not_to contain_nftables__config('ip-nat') }
|
|
| 247 |
it { is_expected.not_to contain_nftables__config('ip6-nat') }
|
|
| 248 |
it { is_expected.not_to contain_nftables__chain('PREROUTING') }
|
|
| 249 |
it { is_expected.not_to contain_nftables__chain('POSTROUTING') }
|
|
| 250 |
it { is_expected.not_to contain_nftables__chain('PREROUTING6') }
|
|
| 251 |
it { is_expected.not_to contain_nftables__chain('POSTROUTING6') }
|
|
| 252 |
end |
|
| 237 | 253 |
end |
| 238 | 254 |
end |
| 239 | 255 |
end |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 17 | 17 |
owner: 'root', |
| 18 | 18 |
group: 'root', |
| 19 | 19 |
mode: '0640', |
| 20 |
source: 'puppet:///modules/nftables/config/puppet.nft',
|
|
| 20 |
content: %r{flush ruleset},
|
|
| 21 | 21 |
) |
| 22 | 22 |
} |
| 23 | 23 |
|
| ... | ... | |
| 39 | 39 |
owner: 'root', |
| 40 | 40 |
group: 'root', |
| 41 | 41 |
mode: '0640', |
| 42 |
source: 'puppet:///modules/nftables/config/puppet.nft',
|
|
| 42 |
content: %r{flush ruleset},
|
|
| 43 | 43 |
) |
| 44 | 44 |
} |
| 45 | 45 |
|
| templates/config/puppet.nft.epp | ||
|---|---|---|
| 9 | 9 |
|
| 10 | 10 |
include "custom-*.nft" |
| 11 | 11 |
include "inet-filter.nft" |
| 12 |
<% if $nat { -%>
|
|
| 12 | 13 |
include "ip-nat.nft" |
| 13 | 14 |
include "ip6-nat.nft" |
| 15 |
<% } -%> |
|
Formats disponibles : Unified diff