/manifests/init.pp - Annoter - puppet nftables - Koumbit's Redmine

Télécharger au format

root / manifests / init.pp @ 8efbdf9a

Historique | Voir | Annoter | Télécharger (3,14 ko)

-ba57c66
+# manage nftables
-            be0b08e1
+class nftables (
   Boolean $in_ssh    = true,
   Boolean $out_ntp   = true,
   Boolean $out_dns   = true,
-            cd664666
+  Boolean $out_http  = true,
-            be0b08e1
+  Boolean $out_https = true,
 ) {
-ba57c66
+  package{'nftables':
     ensure => installed,
   } -> file_line{
     'enable_nftables':
       line   => 'include "/etc/nftables/puppet.nft"',
       path   => '/etc/sysconfig/nftables.conf',
       notify => Service['nftables'],
   } -> file{
     default:
-            e140adff
+      owner => 'root',
       group => 'root',
       mode  => '0640';
-ba57c66
+    '/etc/nftables/puppet.nft':
-acb554a
+      ensure => file,
-ba57c66
+      source => 'puppet:///modules/nftables/config/puppet.nft';
     '/etc/nftables/puppet':
       ensure  => directory,
-acb554a
+      mode    => '0750',
-ba57c66
+      purge   => true,
       force   => true,
       recurse => true;
   } ~> service{'nftables':
-            e140adff
+    ensure => running,
     enable => true,
-ba57c66
+            mh
   nftables::config{
     'filter':
       source => 'puppet:///modules/nftables/config/puppet-filter.nft';
-ab8e
+    'ip-nat':
       source => 'puppet:///modules/nftables/config/puppet-ip-nat.nft';
-ba57c66
+            mh
-efbdf9a
+  nftables::chain{
-ba57c66
+            mh
-efbdf9a
+      'INPUT',
       'OUTPUT',
       'FORWARD',
-ba57c66
+    ]:;
+  }
-            be0b08e1
+            tr
-efbdf9a
+  nftables::chain{
     'default_in':
       inject => '10-INPUT';
     'default_out':
       inject => '10-OUTPUT';
     'default_fwd':
       inject => '10-FORWARD';
+  }
   # filter-chain-INPUT
   nftables::rule{
     'INPUT-type':
       order   => '01',
       content => 'type filter hook input priority 0';
     'INPUT-policy':
       order   => '02',
       content => 'policy drop';
     'INPUT-lo':
       order   => '03',
       content => 'iifname lo accept';
     'INPUT-jump_global':
       order   => '04',
       content => 'jump global';
     'INPUT-log_rejected':
       order   => '98',
       content => 'log prefix "[nftables] INPUT Rejected: " flags all counter reject with icmpx type port-unreachable';
+  }
   # filter-chain-OUTPUT
   nftables::rule{
     'OUTPUT-type':
       order   => '01',
       content => 'type filter hook output priority 0';
     'OUTPUT-policy':
       order   => '02',
       content => 'policy drop';
     'OUTPUT-lo':
       order   => '03',
       content => 'oifname lo accept';
     'OUTPUT-jump_global':
       order   => '04',
       content => 'jump global';
     'OUTPUT-log_rejected':
       order   => '98',
       content => 'log prefix "[nftables] OUTPUT Rejected: " flags all counter reject with icmpx type port-unreachable';
+  }
   # filter-chain-FORWARD
   nftables::rule{
     'FORWARD-type':
       order   => '01',
       content => 'type filter hook forward priority 0';
     'FORWARD-policy':
       order   => '02',
       content => 'policy drop';
     'FORWARD-jump_global':
       order   => '03',
       content => 'jump global';
     'FORWARD-log_rejected':
       order   => '98',
       content => 'log prefix "[nftables] FORWARD Rejected: " flags all counter reject with icmpx type port-unreachable';
+  }
-            be0b08e1
+  # basic ingoing rules
   if $in_ssh {
     include nftables::rules::ssh
+  }
-ba57c66
+  # basic outgoing rules
-            be0b08e1
+  if $out_ntp {
-e569f
+    include nftables::rules::out::chrony
-            be0b08e1
+            tr
   if $out_dns {
     include nftables::rules::out::dns
+  }
-            cd664666
+  if $out_http {
     include nftables::rules::out::http
+  }
-            be0b08e1
+  if $out_https {
     include nftables::rules::out::https
-ba57c66
+            mh
+}

Projet

Général

Profil

puppet nftables

root / manifests / init.pp @ 8efbdf9a