Révision 8842a597
make path to `nft` binary configureable
| REFERENCE.md | ||
|---|---|---|
| 144 | 144 |
* [`noflush_tables`](#noflush_tables) |
| 145 | 145 |
* [`rules`](#rules) |
| 146 | 146 |
* [`configuration_path`](#configuration_path) |
| 147 |
* [`nft_path`](#nft_path) |
|
| 147 | 148 |
|
| 148 | 149 |
##### <a name="out_all"></a>`out_all` |
| 149 | 150 |
|
| ... | ... | |
| 327 | 328 |
The absolute path to the principal nftables configuration file. The default |
| 328 | 329 |
varies depending on the system, and is set in the module's data. |
| 329 | 330 |
|
| 331 |
##### <a name="nft_path"></a>`nft_path` |
|
| 332 |
|
|
| 333 |
Data type: `Stdlib::Unixpath` |
|
| 334 |
|
|
| 335 |
Path to the nft binary |
|
| 336 |
|
|
| 330 | 337 |
### <a name="nftablesbridges"></a>`nftables::bridges` |
| 331 | 338 |
|
| 332 | 339 |
allow forwarding traffic on bridges |
| data/os/Archlinux.yaml | ||
|---|---|---|
| 4 | 4 |
nftables::firewalld_enable: false |
| 5 | 5 |
|
| 6 | 6 |
nftables::configuration_path: /etc/nftables.conf |
| 7 |
nftables::nft_path: /usr/bin/nft |
|
| data/os/RedHat.yaml | ||
|---|---|---|
| 1 |
--- |
|
| 2 |
nftables::nft_path: /usr/sbin/nft |
|
| manifests/init.pp | ||
|---|---|---|
| 90 | 90 |
# The absolute path to the principal nftables configuration file. The default |
| 91 | 91 |
# varies depending on the system, and is set in the module's data. |
| 92 | 92 |
# |
| 93 |
# @param nft_path |
|
| 94 |
# Path to the nft binary |
|
| 95 |
# |
|
| 93 | 96 |
class nftables ( |
| 94 | 97 |
Boolean $in_ssh = true, |
| 95 | 98 |
Boolean $in_icmp = true, |
| ... | ... | |
| 112 | 115 |
Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask', |
| 113 | 116 |
Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] $noflush_tables = undef, |
| 114 | 117 |
Stdlib::Unixpath $configuration_path, |
| 118 |
Stdlib::Unixpath $nft_path, |
|
| 115 | 119 |
) {
|
| 116 | 120 |
package { 'nftables':
|
| 117 | 121 |
ensure => installed, |
| ... | ... | |
| 145 | 149 |
} ~> exec {
|
| 146 | 150 |
'nft validate': |
| 147 | 151 |
refreshonly => true, |
| 148 |
command => '/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( /usr/bin/echo "#CONFIG BROKEN" >> /etc/nftables/puppet-preflight.nft && /bin/false)';
|
|
| 152 |
command => "${nft_path} -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( /usr/bin/echo '#CONFIG BROKEN' >> /etc/nftables/puppet-preflight.nft && /bin/false)";
|
|
| 149 | 153 |
} -> file {
|
| 150 | 154 |
default: |
| 151 | 155 |
owner => 'root', |
| ... | ... | |
| 177 | 181 |
unit => 'nftables.service', |
| 178 | 182 |
content => epp('nftables/systemd/puppet_nft.conf.epp', {
|
| 179 | 183 |
'configuration_path' => $configuration_path, |
| 184 |
'nft_path' => $nft_path, |
|
| 180 | 185 |
}), |
| 181 | 186 |
notify => Service['nftables'], |
| 182 | 187 |
} |
| spec/acceptance/all_rules_spec.rb | ||
|---|---|---|
| 78 | 78 |
elements => ['192.168.0.1', '10.0.0.2'], |
| 79 | 79 |
table => ['inet-filter', 'ip-nat'], |
| 80 | 80 |
} |
| 81 |
$config_path = case $facts['os']['family'] {
|
|
| 82 |
'Archlinux': {
|
|
| 83 |
'/etc/nftables.conf'
|
|
| 84 |
}
|
|
| 85 |
default: {
|
|
| 86 |
'/etc/sysconfig/nftables.conf'
|
|
| 87 |
}
|
|
| 81 |
$config_path = $facts['os']['family'] ? {
|
|
| 82 |
'Archlinux' => '/etc/nftables.conf',
|
|
| 83 |
default => '/etc/sysconfig/nftables.conf',
|
|
| 84 |
} |
|
| 85 |
$nft_path = $facts['os']['family'] ? {
|
|
| 86 |
'Archlinux' => '/usr/bin/nft',
|
|
| 87 |
default => '/usr/sbin/nft',
|
|
| 88 | 88 |
} |
| 89 | 89 |
# nftables cannot be started in docker so replace service with a validation only. |
| 90 | 90 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| ... | ... | |
| 93 | 93 |
content => [ |
| 94 | 94 |
"[Service]", |
| 95 | 95 |
"ExecStart=", |
| 96 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 96 |
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
|
| 97 | 97 |
"ExecReload=", |
| 98 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 98 |
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
|
| 99 | 99 |
"", |
| 100 | 100 |
].join("\n"),
|
| 101 | 101 |
notify => Service["nftables"], |
| spec/acceptance/default_spec.rb | ||
|---|---|---|
| 11 | 11 |
class { 'nftables':
|
| 12 | 12 |
firewalld_enable => false, |
| 13 | 13 |
} |
| 14 |
$config_path = case $facts['os']['family'] {
|
|
| 15 |
'Archlinux': {
|
|
| 16 |
'/etc/nftables.conf'
|
|
| 17 |
}
|
|
| 18 |
default: {
|
|
| 19 |
'/etc/sysconfig/nftables.conf'
|
|
| 20 |
}
|
|
| 14 |
$config_path = $facts['os']['family'] ? {
|
|
| 15 |
'Archlinux' => '/etc/nftables.conf',
|
|
| 16 |
default => '/etc/sysconfig/nftables.conf',
|
|
| 17 |
} |
|
| 18 |
$nft_path = $facts['os']['family'] ? {
|
|
| 19 |
'Archlinux' => '/usr/bin/nft',
|
|
| 20 |
default => '/usr/sbin/nft',
|
|
| 21 | 21 |
} |
| 22 | 22 |
# nftables cannot be started in docker so replace service with a validation only. |
| 23 | 23 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| ... | ... | |
| 26 | 26 |
content => [ |
| 27 | 27 |
"[Service]", |
| 28 | 28 |
"ExecStart=", |
| 29 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 29 |
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
|
| 30 | 30 |
"ExecReload=", |
| 31 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 31 |
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f ${config_path}",
|
|
| 32 | 32 |
"", |
| 33 | 33 |
].join("\n"),
|
| 34 | 34 |
notify => Service["nftables"], |
| ... | ... | |
| 66 | 66 |
nftables::rule{'default_out-junk':
|
| 67 | 67 |
content => 'A load of junk', |
| 68 | 68 |
} |
| 69 |
$config_path = case $facts['os']['family'] {
|
|
| 70 |
'Archlinux': {
|
|
| 71 |
'/etc/nftables.conf'
|
|
| 72 |
}
|
|
| 73 |
default: {
|
|
| 74 |
'/etc/sysconfig/nftables.conf'
|
|
| 75 |
}
|
|
| 69 |
$config_path = $facts['os']['family'] ? {
|
|
| 70 |
'Archlinux' => '/etc/nftables.conf',
|
|
| 71 |
default => '/etc/sysconfig/nftables.conf',
|
|
| 72 |
} |
|
| 73 |
$nft_path = $facts['os']['family'] ? {
|
|
| 74 |
'Archlinux' => '/usr/bin/nft',
|
|
| 75 |
default => '/usr/sbin/nft',
|
|
| 76 | 76 |
} |
| 77 | 77 |
# nftables cannot be started in docker so replace service with a validation only. |
| 78 | 78 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| ... | ... | |
| 81 | 81 |
content => [ |
| 82 | 82 |
"[Service]", |
| 83 | 83 |
"ExecStart=", |
| 84 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 84 |
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 85 | 85 |
"ExecReload=", |
| 86 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 86 |
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 87 | 87 |
"", |
| 88 | 88 |
].join("\n"),
|
| 89 | 89 |
notify => Service["nftables"], |
| ... | ... | |
| 106 | 106 |
inet_filter => false, |
| 107 | 107 |
nat => false, |
| 108 | 108 |
} |
| 109 |
$config_path = case $facts['os']['family'] {
|
|
| 110 |
'Archlinux': {
|
|
| 111 |
'/etc/nftables.conf'
|
|
| 112 |
}
|
|
| 113 |
default: {
|
|
| 114 |
'/etc/sysconfig/nftables.conf'
|
|
| 115 |
}
|
|
| 109 |
$config_path = $facts['os']['family'] ? {
|
|
| 110 |
'Archlinux' => '/etc/nftables.conf',
|
|
| 111 |
default => '/etc/sysconfig/nftables.conf',
|
|
| 112 |
} |
|
| 113 |
$nft_path = $facts['os']['family'] ? {
|
|
| 114 |
'Archlinux' => '/usr/bin/nft',
|
|
| 115 |
default => '/usr/sbin/nft',
|
|
| 116 | 116 |
} |
| 117 | 117 |
# nftables cannot be started in docker so replace service with a validation only. |
| 118 | 118 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| ... | ... | |
| 121 | 121 |
content => [ |
| 122 | 122 |
"[Service]", |
| 123 | 123 |
"ExecStart=", |
| 124 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 124 |
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 125 | 125 |
"ExecReload=", |
| 126 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 126 |
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 127 | 127 |
"", |
| 128 | 128 |
].join("\n"),
|
| 129 | 129 |
notify => Service["nftables"], |
| ... | ... | |
| 146 | 146 |
nat => true, |
| 147 | 147 |
nat_table_name => 'mycustomtablename', |
| 148 | 148 |
} |
| 149 |
$config_path = case $facts['os']['family'] {
|
|
| 150 |
'Archlinux': {
|
|
| 151 |
'/etc/nftables.conf'
|
|
| 152 |
}
|
|
| 153 |
default: {
|
|
| 154 |
'/etc/sysconfig/nftables.conf'
|
|
| 155 |
}
|
|
| 149 |
$config_path = $facts['os']['family'] ? {
|
|
| 150 |
'Archlinux' => '/etc/nftables.conf',
|
|
| 151 |
default => '/etc/sysconfig/nftables.conf',
|
|
| 152 |
} |
|
| 153 |
$nft_path = $facts['os']['family'] ? {
|
|
| 154 |
'Archlinux' => '/usr/bin/nft',
|
|
| 155 |
default => '/usr/sbin/nft',
|
|
| 156 | 156 |
} |
| 157 | 157 |
# nftables cannot be started in docker so replace service with a validation only. |
| 158 | 158 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| ... | ... | |
| 161 | 161 |
content => [ |
| 162 | 162 |
"[Service]", |
| 163 | 163 |
"ExecStart=", |
| 164 |
"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 164 |
"ExecStart=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 165 | 165 |
"ExecReload=", |
| 166 |
"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f $config_path",
|
|
| 166 |
"ExecReload=${nft_path} -c -I /etc/nftables/puppet -f $config_path",
|
|
| 167 | 167 |
"", |
| 168 | 168 |
].join("\n"),
|
| 169 | 169 |
notify => Service["nftables"], |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 9 | 9 |
context "on #{os}" do
|
| 10 | 10 |
let(:facts) { os_facts }
|
| 11 | 11 |
|
| 12 |
it { is_expected.to compile }
|
|
| 12 |
nft_path = case os_facts[:os]['family'] |
|
| 13 |
when 'Archlinux' |
|
| 14 |
'/usr/bin/nft' |
|
| 15 |
else |
|
| 16 |
'/usr/sbin/nft' |
|
| 17 |
end |
|
| 18 |
|
|
| 19 |
it { is_expected.to compile.with_all_deps }
|
|
| 13 | 20 |
|
| 14 | 21 |
it { is_expected.to contain_package('nftables') }
|
| 15 | 22 |
|
| ... | ... | |
| 69 | 76 |
it {
|
| 70 | 77 |
expect(subject).to contain_exec('nft validate').with(
|
| 71 | 78 |
refreshonly: true, |
| 72 |
command: %r{^/usr/sbin/nft -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*}
|
|
| 79 |
command: %r{^#{nft_path} -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft.*}
|
|
| 73 | 80 |
) |
| 74 | 81 |
} |
| 75 | 82 |
|
| ... | ... | |
| 85 | 92 |
if os_facts[:os]['family'] == 'Archlinux' |
| 86 | 93 |
it {
|
| 87 | 94 |
expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
|
| 88 |
content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/nftables.conf$}
|
|
| 95 |
content: %r{^ExecReload=#{nft_path} -I /etc/nftables/puppet -f /etc/nftables.conf$}
|
|
| 89 | 96 |
) |
| 90 | 97 |
} |
| 91 | 98 |
|
| ... | ... | |
| 98 | 105 |
else |
| 99 | 106 |
it {
|
| 100 | 107 |
expect(subject).to contain_systemd__dropin_file('puppet_nft.conf').with(
|
| 101 |
content: %r{^ExecReload=/sbin/nft -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$}
|
|
| 108 |
content: %r{^ExecReload=#{nft_path} -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf$}
|
|
| 102 | 109 |
) |
| 103 | 110 |
} |
| 104 | 111 |
|
| templates/systemd/puppet_nft.conf.epp | ||
|---|---|---|
| 1 |
<%- | Stdlib::Unixpath $nft_path, |
|
| 2 |
Stdlib::Unixpath $configuration_path, |
|
| 3 |
| -%> |
|
| 1 | 4 |
# Puppet Deployed |
| 2 | 5 |
[Service] |
| 3 | 6 |
RemainAfterExit=yes |
| 4 | 7 |
ExecStart= |
| 5 |
ExecStart=/sbin/nft -I /etc/nftables/puppet -f <%= $configuration_path %>
|
|
| 8 |
ExecStart=<%= $nft_path %> -I /etc/nftables/puppet -f <%= $configuration_path %>
|
|
| 6 | 9 |
ExecReload= |
| 7 |
ExecReload=/sbin/nft -I /etc/nftables/puppet -f <%= $configuration_path %> |
|
| 10 |
ExecReload=<%= $nft_path %> -I /etc/nftables/puppet -f <%= $configuration_path %> |
|
Formats disponibles : Unified diff