Révision 83382bb5
Add nftables::simplerule
| manifests/simplerule.pp | ||
|---|---|---|
| 1 |
# This class is meant to be useful to ease the migration from the Firewall type |
|
| 2 |
# for simple use cases. The coverage of all the casuistry is rather low so for |
|
| 3 |
# any case not covered by nftables::simplerule please just use nftables::rule. |
|
| 4 |
define nftables::simplerule( |
|
| 5 |
Enum['present','absent'] |
|
| 6 |
$ensure = 'present', |
|
| 7 |
Pattern[/^[-a-zA-Z0-9_]+$/] |
|
| 8 |
$setname = $title, |
|
| 9 |
Pattern[/^\d\d$/] |
|
| 10 |
$order = '50', |
|
| 11 |
String |
|
| 12 |
$chain = 'default_in', |
|
| 13 |
Optional[String] |
|
| 14 |
$table = 'inet-filter', |
|
| 15 |
Enum['accept', 'drop'] |
|
| 16 |
$action = 'accept', |
|
| 17 |
Optional[String] |
|
| 18 |
$comment = undef, |
|
| 19 |
Optional[Integer[1, 65535]] |
|
| 20 |
$dport = undef, |
|
| 21 |
Optional[Enum['tcp', 'udp']] |
|
| 22 |
$proto = undef, |
|
| 23 |
){
|
|
| 24 |
|
|
| 25 |
if $ensure == 'present' {
|
|
| 26 |
nftables::rule{"${chain}-${title}":
|
|
| 27 |
content => epp('nftables/simplerule.epp',
|
|
| 28 |
{
|
|
| 29 |
'action' => $action, |
|
| 30 |
'comment' => $comment, |
|
| 31 |
'dport' => $dport, |
|
| 32 |
'proto' => $proto, |
|
| 33 |
} |
|
| 34 |
), |
|
| 35 |
order => $order, |
|
| 36 |
table => $table, |
|
| 37 |
} |
|
| 38 |
} |
|
| 39 |
} |
|
| spec/defines/simplerule_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::simplerule' do |
|
| 4 |
let(:pre_condition) { 'include nftables' }
|
|
| 5 |
|
|
| 6 |
let(:title) { 'my_default_rule_name' }
|
|
| 7 |
|
|
| 8 |
on_supported_os.each do |os, os_facts| |
|
| 9 |
context "on #{os}" do
|
|
| 10 |
let(:facts) { os_facts }
|
|
| 11 |
|
|
| 12 |
describe 'minimum instantiation' do |
|
| 13 |
it { is_expected.to compile }
|
|
| 14 |
it {
|
|
| 15 |
is_expected.to contain_nftables__rule('default_in-my_default_rule_name').with(
|
|
| 16 |
content: 'accept', |
|
| 17 |
order: 50, |
|
| 18 |
) |
|
| 19 |
} |
|
| 20 |
end |
|
| 21 |
|
|
| 22 |
describe 'all parameters provided' do |
|
| 23 |
let(:title) { 'my_big_rule' }
|
|
| 24 |
let(:params) do |
|
| 25 |
{
|
|
| 26 |
action: 'accept', |
|
| 27 |
comment: 'this is my rule', |
|
| 28 |
dport: 333, |
|
| 29 |
proto: 'udp', |
|
| 30 |
chain: 'default_out', |
|
| 31 |
} |
|
| 32 |
end |
|
| 33 |
|
|
| 34 |
it { is_expected.to compile }
|
|
| 35 |
it {
|
|
| 36 |
is_expected.to contain_nftables__rule('default_out-my_big_rule').with(
|
|
| 37 |
content: 'udp dport 333 comment "this is my rule" accept', |
|
| 38 |
order: 50, |
|
| 39 |
) |
|
| 40 |
} |
|
| 41 |
end |
|
| 42 |
end |
|
| 43 |
end |
|
| 44 |
end |
|
| templates/simplerule.epp | ||
|---|---|---|
| 1 |
<%- | String $action, |
|
| 2 |
Optional[String] $comment, |
|
| 3 |
Optional[Integer] $dport, |
|
| 4 |
Optional[String] $proto, |
|
| 5 |
| -%> |
|
| 6 |
<%- if $proto and $dport {
|
|
| 7 |
$_destination = "${proto} dport ${dport}"
|
|
| 8 |
} else {
|
|
| 9 |
$_destination = undef |
|
| 10 |
} -%> |
|
| 11 |
<%- if $comment {
|
|
| 12 |
$_comment = "comment \"${comment}\""
|
|
| 13 |
} else {
|
|
| 14 |
$_comment = undef |
|
| 15 |
} -%> |
|
| 16 |
<%= strip([$_destination, $_comment, $action].join(' ')) -%>
|
|
Formats disponibles : Unified diff