Révision 82d10659
Allow disabling default NAT tables and chains
| manifests/init.pp | ||
|---|---|---|
| 32 | 32 |
# @param in_icmp |
| 33 | 33 |
# Allow inbound ICMPv4/v6 traffic. |
| 34 | 34 |
# |
| 35 |
# @param nat |
|
| 36 |
# Add default tables and chains to process NAT traffic. |
|
| 37 |
# |
|
| 35 | 38 |
# @param log_prefix |
| 36 | 39 |
# String that will be used as prefix when logging packets. It can contain |
| 37 | 40 |
# two variables using standard sprintf() string-formatting: |
| ... | ... | |
| 63 | 66 |
Boolean $out_icmp = true, |
| 64 | 67 |
Boolean $out_all = false, |
| 65 | 68 |
Boolean $in_out_conntrack = true, |
| 69 |
Boolean $nat = true, |
|
| 66 | 70 |
Hash $rules = {},
|
| 67 | 71 |
String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 68 | 72 |
Variant[Boolean[false], Pattern[ |
| ... | ... | |
| 91 | 95 |
force => true, |
| 92 | 96 |
recurse => true; |
| 93 | 97 |
'/etc/nftables/puppet-preflight.nft': |
| 94 |
ensure => file, |
|
| 95 |
source => 'puppet:///modules/nftables/config/puppet.nft';
|
|
| 98 |
ensure => file,
|
|
| 99 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat });
|
|
| 96 | 100 |
} ~> exec{
|
| 97 | 101 |
'nft validate': |
| 98 | 102 |
refreshonly => true, |
| ... | ... | |
| 103 | 107 |
group => 'root', |
| 104 | 108 |
mode => '0640'; |
| 105 | 109 |
'/etc/nftables/puppet.nft': |
| 106 |
ensure => file, |
|
| 107 |
source => 'puppet:///modules/nftables/config/puppet.nft';
|
|
| 110 |
ensure => file,
|
|
| 111 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat });
|
|
| 108 | 112 |
'/etc/nftables/puppet': |
| 109 | 113 |
ensure => directory, |
| 110 | 114 |
mode => '0750', |
| ... | ... | |
| 131 | 135 |
} |
| 132 | 136 |
|
| 133 | 137 |
include nftables::inet_filter |
| 134 |
include nftables::ip_nat |
|
| 138 |
if $nat {
|
|
| 139 |
include nftables::ip_nat |
|
| 140 |
} |
|
| 135 | 141 |
|
| 136 | 142 |
# inject custom rules e.g. from hiera |
| 137 | 143 |
$rules.each |$n,$v| {
|
Formats disponibles : Unified diff