Révision 8efbdf9a
Refactoring
| files/config/puppet-filter.nft | ||
|---|---|---|
| 1 | 1 |
table inet filter {
|
| 2 |
include "/etc/nftables/puppet/filter-chains-*.nft"
|
|
| 2 |
include "/etc/nftables/puppet/filter-chain-*.nft" |
|
| 3 | 3 |
|
| 4 | 4 |
# something we want for all |
| 5 | 5 |
chain global {
|
| ... | ... | |
| 11 | 11 |
ip protocol icmp icmp type echo-request limit rate 4/second accept |
| 12 | 12 |
ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate 4/second accept |
| 13 | 13 |
} |
| 14 |
|
|
| 15 |
chain INPUT {
|
|
| 16 |
type filter hook input priority 0 |
|
| 17 |
policy drop |
|
| 18 |
|
|
| 19 |
jump global |
|
| 20 |
|
|
| 21 |
iifname lo accept |
|
| 22 |
|
|
| 23 |
include "/etc/nftables/puppet/filter-input-chains-*.nft" |
|
| 24 |
|
|
| 25 |
log prefix "[nftables] INPUT Rejected: " flags all counter reject with icmpx type port-unreachable |
|
| 26 |
} |
|
| 27 |
|
|
| 28 |
chain FORWARD {
|
|
| 29 |
type filter hook forward priority 0 |
|
| 30 |
policy drop |
|
| 31 |
|
|
| 32 |
jump global |
|
| 33 |
|
|
| 34 |
include "/etc/nftables/puppet/filter-forward-chains-*.nft" |
|
| 35 |
|
|
| 36 |
log prefix "[nftables] FORWARD Rejected: " flags all counter reject with icmpx type port-unreachable |
|
| 37 |
} |
|
| 38 |
|
|
| 39 |
chain OUTPUT {
|
|
| 40 |
type filter hook output priority 0 |
|
| 41 |
policy drop |
|
| 42 |
|
|
| 43 |
jump global |
|
| 44 |
|
|
| 45 |
oifname lo accept |
|
| 46 |
|
|
| 47 |
include "/etc/nftables/puppet/filter-output-chains-*.nft" |
|
| 48 |
|
|
| 49 |
log prefix "[nftables] OUTPUT Rejected: " flags all counter reject with icmpx type port-unreachable |
|
| 50 |
} |
|
| 51 | 14 |
} |
| manifests/chain.pp | ||
|---|---|---|
| 1 |
# manage a chain |
|
| 2 |
define nftables::chain( |
|
| 3 |
String[1] |
|
| 4 |
$table = 'filter', |
|
| 5 |
Pattern[/^[a-zA-Z0-9_]+$/] |
|
| 6 |
$chain = $title, |
|
| 7 |
Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]] |
|
| 8 |
$inject = undef, |
|
| 9 |
){
|
|
| 10 |
$concat_name = "nftables-${table}-chain-${chain}"
|
|
| 11 |
|
|
| 12 |
concat{
|
|
| 13 |
$concat_name: |
|
| 14 |
path => "/etc/nftables/puppet/${table}-chain-${chain}.nft",
|
|
| 15 |
owner => root, |
|
| 16 |
group => root, |
|
| 17 |
mode => '0640', |
|
| 18 |
ensure_newline => true, |
|
| 19 |
require => Package['nftables'], |
|
| 20 |
notify => Service['nftables'], |
|
| 21 |
} |
|
| 22 |
|
|
| 23 |
concat::fragment{
|
|
| 24 |
default: |
|
| 25 |
target => $concat_name; |
|
| 26 |
"${concat_name}-header":
|
|
| 27 |
order => '00', |
|
| 28 |
content => "chain ${chain} {";
|
|
| 29 |
"${concat_name}-footer":
|
|
| 30 |
order => '99', |
|
| 31 |
content => '}'; |
|
| 32 |
} |
|
| 33 |
|
|
| 34 |
if $inject {
|
|
| 35 |
$data = split($inject, '-') |
|
| 36 |
nftables::rule{ "${data[1]}-jump_${chain}":
|
|
| 37 |
order => $data[0], |
|
| 38 |
content => "jump ${chain}",
|
|
| 39 |
} |
|
| 40 |
} |
|
| 41 |
} |
|
| manifests/chain_file.pp | ||
|---|---|---|
| 1 |
# manage a chain file |
|
| 2 |
# chain must be: |
|
| 3 |
# TABLE@chain_name |
|
| 4 |
define nftables::chain_file( |
|
| 5 |
Pattern[/^[a-z0-9]+@[a-z0-9_]+$/] $chain = $title, |
|
| 6 |
){
|
|
| 7 |
$data = split($chain,'@') |
|
| 8 |
$concat_name = "nftables-chain-${data[0]}-${data[1]}"
|
|
| 9 |
concat{
|
|
| 10 |
$concat_name: |
|
| 11 |
path => "/etc/nftables/puppet/${data[0]}-chains-${data[1]}.nft",
|
|
| 12 |
owner => root, |
|
| 13 |
group => root, |
|
| 14 |
mode => '0644', |
|
| 15 |
ensure_newline => true, |
|
| 16 |
require => Package['nftables'], |
|
| 17 |
notify => Service['nftables'], |
|
| 18 |
} |
|
| 19 |
concat::fragment{
|
|
| 20 |
default: |
|
| 21 |
target => $concat_name; |
|
| 22 |
"${chain}-header":
|
|
| 23 |
order => '00', |
|
| 24 |
content => "chain ${data[1]} {";
|
|
| 25 |
"${chain}-footer":
|
|
| 26 |
order => '99', |
|
| 27 |
content => '}'; |
|
| 28 |
} |
|
| 29 |
} |
|
| manifests/filter/chain.pp | ||
|---|---|---|
| 1 |
# register a filter chain |
|
| 2 |
# Name should match the following pattern: |
|
| 3 |
# |
|
| 4 |
# MASTERCHAIN-new_chain_name |
|
| 5 |
define nftables::filter::chain( |
|
| 6 |
Pattern[/^[a-z0-9]+\-[a-z0-9_]+$/] |
|
| 7 |
$chain_name = $title, |
|
| 8 |
Pattern[/^\d{2}$/]
|
|
| 9 |
$order = '50', |
|
| 10 |
){
|
|
| 11 |
$data = split($chain_name,'-') |
|
| 12 |
nftables::config{
|
|
| 13 |
"filter-${data[0]}-chains-${order}-${data[1]}":
|
|
| 14 |
content => "jump ${data[1]}\n",
|
|
| 15 |
} |
|
| 16 |
nftables::chain_file{
|
|
| 17 |
"filter@${data[1]}":;
|
|
| 18 |
} |
|
| 19 |
} |
|
| manifests/init.pp | ||
|---|---|---|
| 40 | 40 |
source => 'puppet:///modules/nftables/config/puppet-ip-nat.nft'; |
| 41 | 41 |
} |
| 42 | 42 |
|
| 43 |
nftables::filter::chain{
|
|
| 43 |
nftables::chain{
|
|
| 44 | 44 |
[ |
| 45 |
'forward-default_fwd',
|
|
| 46 |
'output-default_out',
|
|
| 47 |
'input-default_in',
|
|
| 45 |
'INPUT',
|
|
| 46 |
'OUTPUT',
|
|
| 47 |
'FORWARD',
|
|
| 48 | 48 |
]:; |
| 49 | 49 |
} |
| 50 | 50 |
|
| 51 |
nftables::chain{
|
|
| 52 |
'default_in': |
|
| 53 |
inject => '10-INPUT'; |
|
| 54 |
'default_out': |
|
| 55 |
inject => '10-OUTPUT'; |
|
| 56 |
'default_fwd': |
|
| 57 |
inject => '10-FORWARD'; |
|
| 58 |
} |
|
| 59 |
|
|
| 60 |
# filter-chain-INPUT |
|
| 61 |
nftables::rule{
|
|
| 62 |
'INPUT-type': |
|
| 63 |
order => '01', |
|
| 64 |
content => 'type filter hook input priority 0'; |
|
| 65 |
'INPUT-policy': |
|
| 66 |
order => '02', |
|
| 67 |
content => 'policy drop'; |
|
| 68 |
'INPUT-lo': |
|
| 69 |
order => '03', |
|
| 70 |
content => 'iifname lo accept'; |
|
| 71 |
'INPUT-jump_global': |
|
| 72 |
order => '04', |
|
| 73 |
content => 'jump global'; |
|
| 74 |
'INPUT-log_rejected': |
|
| 75 |
order => '98', |
|
| 76 |
content => 'log prefix "[nftables] INPUT Rejected: " flags all counter reject with icmpx type port-unreachable'; |
|
| 77 |
} |
|
| 78 |
|
|
| 79 |
# filter-chain-OUTPUT |
|
| 80 |
nftables::rule{
|
|
| 81 |
'OUTPUT-type': |
|
| 82 |
order => '01', |
|
| 83 |
content => 'type filter hook output priority 0'; |
|
| 84 |
'OUTPUT-policy': |
|
| 85 |
order => '02', |
|
| 86 |
content => 'policy drop'; |
|
| 87 |
'OUTPUT-lo': |
|
| 88 |
order => '03', |
|
| 89 |
content => 'oifname lo accept'; |
|
| 90 |
'OUTPUT-jump_global': |
|
| 91 |
order => '04', |
|
| 92 |
content => 'jump global'; |
|
| 93 |
'OUTPUT-log_rejected': |
|
| 94 |
order => '98', |
|
| 95 |
content => 'log prefix "[nftables] OUTPUT Rejected: " flags all counter reject with icmpx type port-unreachable'; |
|
| 96 |
} |
|
| 97 |
|
|
| 98 |
# filter-chain-FORWARD |
|
| 99 |
nftables::rule{
|
|
| 100 |
'FORWARD-type': |
|
| 101 |
order => '01', |
|
| 102 |
content => 'type filter hook forward priority 0'; |
|
| 103 |
'FORWARD-policy': |
|
| 104 |
order => '02', |
|
| 105 |
content => 'policy drop'; |
|
| 106 |
'FORWARD-jump_global': |
|
| 107 |
order => '03', |
|
| 108 |
content => 'jump global'; |
|
| 109 |
'FORWARD-log_rejected': |
|
| 110 |
order => '98', |
|
| 111 |
content => 'log prefix "[nftables] FORWARD Rejected: " flags all counter reject with icmpx type port-unreachable'; |
|
| 112 |
} |
|
| 113 |
|
|
| 51 | 114 |
# basic ingoing rules |
| 52 | 115 |
if $in_ssh {
|
| 53 | 116 |
include nftables::rules::ssh |
| manifests/rule.pp | ||
|---|---|---|
| 1 |
# manage a filter chain rule
|
|
| 1 |
# manage a chain rule |
|
| 2 | 2 |
# Name should be: |
| 3 | 3 |
# CHAIN_NAME-rulename |
| 4 |
define nftables::filter::chain::rule(
|
|
| 4 |
define nftables::rule( |
|
| 5 | 5 |
Enum['present','absent'] |
| 6 | 6 |
$ensure = 'present', |
| 7 |
Pattern[/^[a-z0-9_]+\-[0-9a-z]+$/]
|
|
| 7 |
Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+$/]
|
|
| 8 | 8 |
$rulename = $title, |
| 9 | 9 |
Pattern[/^\d\d$/] |
| 10 | 10 |
$order = '50', |
| 11 | 11 |
Optional[String] |
| 12 |
$table = 'filter', |
|
| 13 |
Optional[String] |
|
| 12 | 14 |
$content = undef, |
| 13 | 15 |
Optional[Variant[String,Array[String,1]]] |
| 14 | 16 |
$source = undef, |
| 15 | 17 |
){
|
| 18 |
|
|
| 16 | 19 |
if $ensure == 'present' {
|
| 17 |
$data = split($rulename,'-') |
|
| 20 |
$data = split($rulename, '-') |
|
| 21 |
|
|
| 18 | 22 |
concat::fragment{
|
| 19 |
"nftables-filter-chain-rule-${rulename}":
|
|
| 23 |
"nftables-${table}-chain-${data[0]}-rule-${data[1]}":
|
|
| 20 | 24 |
order => $order, |
| 21 |
target => "nftables-chain-filter-${data[0]}",
|
|
| 25 |
target => "nftables-${table}-chain-${data[0]}",
|
|
| 22 | 26 |
} |
| 23 | 27 |
|
| 24 | 28 |
if $content {
|
| 25 |
Concat::Fragment["nftables-filter-chain-rule-${rulename}"]{
|
|
| 29 |
Concat::Fragment["nftables-${table}-chain-${data[0]}-rule-${data[1]}"]{
|
|
| 26 | 30 |
content => " ${content}",
|
| 27 | 31 |
} |
| 28 | 32 |
} else {
|
| 29 |
Concat::Fragment["nftables-filter-chain-rule-${rulename}"]{
|
|
| 33 |
Concat::Fragment["nftables-${table}-chain-${data[0]}-rule-${data[1]}"]{
|
|
| 30 | 34 |
source => $source, |
| 31 | 35 |
} |
| 32 | 36 |
} |
| manifests/rules/icinga2.pp | ||
|---|---|---|
| 3 | 3 |
Array[Integer,1] |
| 4 | 4 |
$ports = [5665], |
| 5 | 5 |
) {
|
| 6 |
nftables::filter::chain::rule{
|
|
| 6 |
nftables::rule{
|
|
| 7 | 7 |
'default_in-icinga2': |
| 8 | 8 |
content => "tcp dport {${join($ports,', ')}} accept",
|
| 9 | 9 |
} |
| manifests/rules/out/chrony.pp | ||
|---|---|---|
| 1 | 1 |
# manage out chrony |
| 2 | 2 |
class nftables::rules::out::chrony {
|
| 3 |
nftables::filter::chain::rule{
|
|
| 3 |
nftables::rule{
|
|
| 4 | 4 |
'default_out-chrony': |
| 5 | 5 |
content => 'udp dport 123 accept', |
| 6 | 6 |
} |
| manifests/rules/out/dhcp.pp | ||
|---|---|---|
| 1 | 1 |
# manage out dhcp |
| 2 | 2 |
class nftables::rules::out::dhcp {
|
| 3 |
nftables::filter::chain::rule{
|
|
| 3 |
nftables::rule{
|
|
| 4 | 4 |
'default_out-dhcpc': |
| 5 | 5 |
content => 'udp sport {67, 68} udp dport {67, 68} accept';
|
| 6 | 6 |
} |
| manifests/rules/out/dns.pp | ||
|---|---|---|
| 6 | 6 |
if $dns_server {
|
| 7 | 7 |
any2array($dns_server).each |$index,$dns| {
|
| 8 | 8 |
|
| 9 |
nftables::filter::chain::rule{
|
|
| 9 |
nftables::rule{
|
|
| 10 | 10 |
"default_out-dnsudp-${index}":
|
| 11 | 11 |
} |
| 12 | 12 |
if $dns =~ /:/ {
|
| 13 |
Nftables::Filter::Chain::Rule["default_out-dnsudp-${index}"]{
|
|
| 13 |
Nftables::Rule["default_out-dnsudp-${index}"]{
|
|
| 14 | 14 |
content => "ip6 daddr ${dns} udp dport 53 accept",
|
| 15 | 15 |
} |
| 16 | 16 |
} else {
|
| 17 |
Nftables::Filter::Chain::Rule["default_out-dnsudp-${index}"]{
|
|
| 17 |
Nftables::Rule["default_out-dnsudp-${index}"]{
|
|
| 18 | 18 |
content => "ip daddr ${dns} udp dport 53 accept",
|
| 19 | 19 |
} |
| 20 | 20 |
} |
| 21 | 21 |
|
| 22 |
nftables::filter::chain::rule{
|
|
| 22 |
nftables::rule{
|
|
| 23 | 23 |
"default_out-dnstcp-${index}":
|
| 24 | 24 |
} |
| 25 | 25 |
if $dns =~ /:/ {
|
| 26 |
Nftables::Filter::Chain::Rule["default_out-dnstcp-${index}"]{
|
|
| 26 |
Nftables::Rule["default_out-dnstcp-${index}"]{
|
|
| 27 | 27 |
content => "ip6 daddr ${dns} tcp dport 53 accept",
|
| 28 | 28 |
} |
| 29 | 29 |
} else {
|
| 30 |
Nftables::Filter::Chain::Rule["default_out-dnstcp-${index}"]{
|
|
| 30 |
Nftables::Rule["default_out-dnstcp-${index}"]{
|
|
| 31 | 31 |
content => "ip daddr ${dns} tcp dport 53 accept",
|
| 32 | 32 |
} |
| 33 | 33 |
} |
| 34 | 34 |
} |
| 35 | 35 |
} else {
|
| 36 |
nftables::filter::chain::rule{
|
|
| 36 |
nftables::rule{
|
|
| 37 | 37 |
'default_out-dnsudp': |
| 38 | 38 |
content => 'udp dport 53 accept'; |
| 39 | 39 |
'default_out-dnstcp': |
| manifests/rules/out/http.pp | ||
|---|---|---|
| 1 | 1 |
# manage out http |
| 2 | 2 |
class nftables::rules::out::http {
|
| 3 |
nftables::filter::chain::rule{
|
|
| 3 |
nftables::rule{
|
|
| 4 | 4 |
'default_out-http': |
| 5 | 5 |
content => 'tcp dport 80 accept'; |
| 6 | 6 |
} |
| manifests/rules/out/https.pp | ||
|---|---|---|
| 1 | 1 |
# manage out https |
| 2 | 2 |
class nftables::rules::out::https {
|
| 3 |
nftables::filter::chain::rule{
|
|
| 3 |
nftables::rule{
|
|
| 4 | 4 |
'default_out-https': |
| 5 | 5 |
content => 'tcp dport 443 accept'; |
| 6 | 6 |
} |
| manifests/rules/out/puppet.pp | ||
|---|---|---|
| 6 | 6 |
$puppetserver_port = 8140, |
| 7 | 7 |
) {
|
| 8 | 8 |
any2array($puppetmaster).each |$index,$pm| {
|
| 9 |
nftables::filter::chain::rule{
|
|
| 9 |
nftables::rule{
|
|
| 10 | 10 |
"default_out-puppet-${index}":
|
| 11 | 11 |
} |
| 12 | 12 |
if $pm =~ /:/ {
|
| 13 |
Nftables::Filter::Chain::Rule["default_out-puppet-${index}"]{
|
|
| 13 |
nftables::rule["default_out-puppet-${index}"]{
|
|
| 14 | 14 |
content => "ip6 daddr ${pm} tcp dport ${puppetserver_port} accept",
|
| 15 | 15 |
} |
| 16 | 16 |
} else {
|
| 17 |
Nftables::Filter::Chain::Rule["default_out-puppet-${index}"]{
|
|
| 17 |
nftables::rule["default_out-puppet-${index}"]{
|
|
| 18 | 18 |
content => "ip daddr ${pm} tcp dport ${puppetserver_port} accept",
|
| 19 | 19 |
} |
| 20 | 20 |
} |
| manifests/rules/out/smtp.pp | ||
|---|---|---|
| 1 | 1 |
# manage out smtp |
| 2 | 2 |
class nftables::rules::out::smtp {
|
| 3 |
nftables::filter::chain::rule{
|
|
| 3 |
nftables::rule{
|
|
| 4 | 4 |
'default_out-smtp': |
| 5 | 5 |
content => 'tcp dport 25 accept', |
| 6 | 6 |
} |
| manifests/rules/out/ssh.pp | ||
|---|---|---|
| 1 | 1 |
# manage out ssh |
| 2 | 2 |
class nftables::rules::out::ssh {
|
| 3 |
nftables::filter::chain::rule{
|
|
| 3 |
nftables::rule{
|
|
| 4 | 4 |
'default_out-ssh': |
| 5 | 5 |
content => 'tcp dport 22 accept', |
| 6 | 6 |
} |
| manifests/rules/out/ssh/remove.pp | ||
|---|---|---|
| 1 | 1 |
# disable outgoing ssh |
| 2 | 2 |
class nftables::rules::out::ssh::remove inherits nftables::rules::out::ssh {
|
| 3 |
Nftables::Filter::Chain::Rule['default_out-ssh']{
|
|
| 3 |
Nftables::Rule['default_out-ssh']{
|
|
| 4 | 4 |
ensure => absent, |
| 5 | 5 |
} |
| 6 | 6 |
} |
| manifests/rules/out/tor.pp | ||
|---|---|---|
| 1 | 1 |
# manage out tor |
| 2 | 2 |
class nftables::rules::out::tor {
|
| 3 |
nftables::filter::chain::rule{
|
|
| 3 |
nftables::rule{
|
|
| 4 | 4 |
'default_out-tor': |
| 5 | 5 |
content => 'tcp dport 9001 accept', |
| 6 | 6 |
} |
| manifests/rules/out/wireguard.pp | ||
|---|---|---|
| 3 | 3 |
Array[Integer,1] |
| 4 | 4 |
$ports = [51820], |
| 5 | 5 |
) {
|
| 6 |
nftables::filter::chain::rule{
|
|
| 6 |
nftables::rule{
|
|
| 7 | 7 |
'default_out-wireguard': |
| 8 | 8 |
content => "udp dport {${join($ports,', ')}} accept",
|
| 9 | 9 |
} |
| manifests/rules/puppet.pp | ||
|---|---|---|
| 3 | 3 |
Array[Integer,1] |
| 4 | 4 |
$ports = [8140], |
| 5 | 5 |
) {
|
| 6 |
nftables::filter::chain::rule{
|
|
| 6 |
nftables::rule{
|
|
| 7 | 7 |
'default_in-puppet': |
| 8 | 8 |
content => "tcp dport {${join($ports,', ')}} accept",
|
| 9 | 9 |
} |
| manifests/rules/ssh.pp | ||
|---|---|---|
| 3 | 3 |
Array[Integer,1] |
| 4 | 4 |
$ports = [22], |
| 5 | 5 |
) {
|
| 6 |
nftables::filter::chain::rule{
|
|
| 6 |
nftables::rule{
|
|
| 7 | 7 |
'default_in-ssh': |
| 8 | 8 |
content => "tcp dport {${join($ports,', ')}} accept",
|
| 9 | 9 |
} |
| manifests/rules/tor.pp | ||
|---|---|---|
| 3 | 3 |
Array[Integer,1] |
| 4 | 4 |
$ports = [9001], |
| 5 | 5 |
) {
|
| 6 |
nftables::filter::chain::rule{
|
|
| 6 |
nftables::rule{
|
|
| 7 | 7 |
'default_in-tor': |
| 8 | 8 |
content => "tcp dport {${join($ports,', ')}} accept",
|
| 9 | 9 |
} |
| manifests/rules/wireguard.pp | ||
|---|---|---|
| 3 | 3 |
Array[Integer,1] |
| 4 | 4 |
$ports = [51820], |
| 5 | 5 |
) {
|
| 6 |
nftables::filter::chain::rule{
|
|
| 6 |
nftables::rule{
|
|
| 7 | 7 |
'default_in-wireguard': |
| 8 | 8 |
content => "udp dport {${join($ports,', ')}} accept",
|
| 9 | 9 |
} |
| spec/classes/filter_spec.rb | ||
|---|---|---|
| 17 | 17 |
)} |
| 18 | 18 |
|
| 19 | 19 |
context 'chain input' do |
| 20 |
it { is_expected.to contain_file('/etc/nftables/puppet/filter-input-chains-50-default_in.nft').with(
|
|
| 21 |
:ensure => 'file', |
|
| 22 |
:owner => 'root', |
|
| 23 |
:group => 'root', |
|
| 24 |
:mode => '0640', |
|
| 20 |
it { is_expected.to contain_concat('nftables-filter-chain-INPUT').with(
|
|
| 21 |
:path => '/etc/nftables/puppet/filter-chain-INPUT.nft', |
|
| 22 |
:owner => 'root', |
|
| 23 |
:group => 'root', |
|
| 24 |
:mode => '0640', |
|
| 25 |
:ensure_newline => true, |
|
| 25 | 26 |
)} |
| 26 |
it { is_expected.to contain_file('/etc/nftables/puppet/filter-input-chains-50-default_in.nft').with_content(
|
|
| 27 |
/^jump default_in$/, |
|
| 27 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-header').with(
|
|
| 28 |
:target => 'nftables-filter-chain-INPUT', |
|
| 29 |
:content => /^chain INPUT {$/,
|
|
| 30 |
:order => '00', |
|
| 31 |
)} |
|
| 32 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-rule-type').with(
|
|
| 33 |
:target => 'nftables-filter-chain-INPUT', |
|
| 34 |
:content => /^ type filter hook input priority 0$/, |
|
| 35 |
:order => '01', |
|
| 36 |
)} |
|
| 37 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-rule-policy').with(
|
|
| 38 |
:target => 'nftables-filter-chain-INPUT', |
|
| 39 |
:content => /^ policy drop$/, |
|
| 40 |
:order => '02', |
|
| 41 |
)} |
|
| 42 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-rule-lo').with(
|
|
| 43 |
:target => 'nftables-filter-chain-INPUT', |
|
| 44 |
:content => /^ iifname lo accept$/, |
|
| 45 |
:order => '03', |
|
| 46 |
)} |
|
| 47 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-rule-jump_global').with(
|
|
| 48 |
:target => 'nftables-filter-chain-INPUT', |
|
| 49 |
:content => /^ jump global$/, |
|
| 50 |
:order => '04', |
|
| 51 |
)} |
|
| 52 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-rule-jump_default_in').with(
|
|
| 53 |
:target => 'nftables-filter-chain-INPUT', |
|
| 54 |
:content => /^ jump default_in$/, |
|
| 55 |
:order => '10', |
|
| 56 |
)} |
|
| 57 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-rule-log_rejected').with(
|
|
| 58 |
:target => 'nftables-filter-chain-INPUT', |
|
| 59 |
:content => /^ log prefix \"\[nftables\] INPUT Rejected: \" flags all counter reject with icmpx type port-unreachable$/, |
|
| 60 |
:order => '98', |
|
| 61 |
)} |
|
| 62 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-INPUT-footer').with(
|
|
| 63 |
:target => 'nftables-filter-chain-INPUT', |
|
| 64 |
:content => /^}$/, |
|
| 65 |
:order => '99', |
|
| 28 | 66 |
)} |
| 29 | 67 |
|
| 30 |
it { is_expected.to contain_concat('nftables-chain-filter-default_in').with(
|
|
| 31 |
:path => '/etc/nftables/puppet/filter-chains-default_in.nft',
|
|
| 68 |
it { is_expected.to contain_concat('nftables-filter-chain-default_in').with(
|
|
| 69 |
:path => '/etc/nftables/puppet/filter-chain-default_in.nft', |
|
| 32 | 70 |
:owner => 'root', |
| 33 | 71 |
:group => 'root', |
| 34 |
:mode => '0644',
|
|
| 72 |
:mode => '0640',
|
|
| 35 | 73 |
:ensure_newline => true, |
| 36 | 74 |
)} |
| 37 |
it { is_expected.to contain_concat__fragment('filter@default_in-header').with(
|
|
| 38 |
:target => 'nftables-chain-filter-default_in',
|
|
| 75 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_in-header').with(
|
|
| 76 |
:target => 'nftables-filter-chain-default_in',
|
|
| 39 | 77 |
:content => /^chain default_in {$/,
|
| 40 | 78 |
:order => '00', |
| 41 | 79 |
)} |
| 42 |
it { is_expected.to contain_concat__fragment('filter@default_in-footer').with(
|
|
| 43 |
:target => 'nftables-chain-filter-default_in',
|
|
| 80 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_in-footer').with(
|
|
| 81 |
:target => 'nftables-filter-chain-default_in',
|
|
| 44 | 82 |
:content => /^}$/, |
| 45 | 83 |
:order => '99', |
| 46 | 84 |
)} |
| 47 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-rule-default_in-ssh').with(
|
|
| 48 |
:target => 'nftables-chain-filter-default_in',
|
|
| 85 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_in-rule-ssh').with(
|
|
| 86 |
:target => 'nftables-filter-chain-default_in',
|
|
| 49 | 87 |
:content => /^ tcp dport \{22\} accept$/,
|
| 50 | 88 |
:order => '50', |
| 51 | 89 |
)} |
| 52 | 90 |
end |
| 53 | 91 |
|
| 54 |
context 'chain forward' do |
|
| 55 |
it { is_expected.to contain_file('/etc/nftables/puppet/filter-forward-chains-50-default_fwd.nft').with(
|
|
| 56 |
:ensure => 'file', |
|
| 57 |
:owner => 'root', |
|
| 58 |
:group => 'root', |
|
| 59 |
:mode => '0640', |
|
| 60 |
)} |
|
| 61 |
it { is_expected.to contain_file('/etc/nftables/puppet/filter-forward-chains-50-default_fwd.nft').with_content(
|
|
| 62 |
/^jump default_fwd$/, |
|
| 63 |
)} |
|
| 64 |
|
|
| 65 |
it { is_expected.to contain_concat('nftables-chain-filter-default_fwd').with(
|
|
| 66 |
:path => '/etc/nftables/puppet/filter-chains-default_fwd.nft', |
|
| 92 |
context 'chain output' do |
|
| 93 |
it { is_expected.to contain_concat('nftables-filter-chain-OUTPUT').with(
|
|
| 94 |
:path => '/etc/nftables/puppet/filter-chain-OUTPUT.nft', |
|
| 67 | 95 |
:owner => 'root', |
| 68 | 96 |
:group => 'root', |
| 69 |
:mode => '0644',
|
|
| 97 |
:mode => '0640',
|
|
| 70 | 98 |
:ensure_newline => true, |
| 71 | 99 |
)} |
| 72 |
it { is_expected.to contain_concat__fragment('filter@default_fwd-header').with(
|
|
| 73 |
:target => 'nftables-chain-filter-default_fwd',
|
|
| 74 |
:content => /^chain default_fwd {$/,
|
|
| 100 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-header').with(
|
|
| 101 |
:target => 'nftables-filter-chain-OUTPUT',
|
|
| 102 |
:content => /^chain OUTPUT {$/,
|
|
| 75 | 103 |
:order => '00', |
| 76 | 104 |
)} |
| 77 |
it { is_expected.to contain_concat__fragment('filter@default_fwd-footer').with(
|
|
| 78 |
:target => 'nftables-chain-filter-default_fwd', |
|
| 105 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-rule-type').with(
|
|
| 106 |
:target => 'nftables-filter-chain-OUTPUT', |
|
| 107 |
:content => /^ type filter hook output priority 0$/, |
|
| 108 |
:order => '01', |
|
| 109 |
)} |
|
| 110 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-rule-policy').with(
|
|
| 111 |
:target => 'nftables-filter-chain-OUTPUT', |
|
| 112 |
:content => /^ policy drop$/, |
|
| 113 |
:order => '02', |
|
| 114 |
)} |
|
| 115 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-rule-lo').with(
|
|
| 116 |
:target => 'nftables-filter-chain-OUTPUT', |
|
| 117 |
:content => /^ oifname lo accept$/, |
|
| 118 |
:order => '03', |
|
| 119 |
)} |
|
| 120 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-rule-jump_global').with(
|
|
| 121 |
:target => 'nftables-filter-chain-OUTPUT', |
|
| 122 |
:content => /^ jump global$/, |
|
| 123 |
:order => '04', |
|
| 124 |
)} |
|
| 125 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-rule-jump_default_out').with(
|
|
| 126 |
:target => 'nftables-filter-chain-OUTPUT', |
|
| 127 |
:content => /^ jump default_out$/, |
|
| 128 |
:order => '10', |
|
| 129 |
)} |
|
| 130 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-rule-log_rejected').with(
|
|
| 131 |
:target => 'nftables-filter-chain-OUTPUT', |
|
| 132 |
:content => /^ log prefix \"\[nftables\] OUTPUT Rejected: \" flags all counter reject with icmpx type port-unreachable$/, |
|
| 133 |
:order => '98', |
|
| 134 |
)} |
|
| 135 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-OUTPUT-footer').with(
|
|
| 136 |
:target => 'nftables-filter-chain-OUTPUT', |
|
| 79 | 137 |
:content => /^}$/, |
| 80 | 138 |
:order => '99', |
| 81 | 139 |
)} |
| 82 |
end |
|
| 83 |
|
|
| 84 |
context 'chain output' do |
|
| 85 |
it { is_expected.to contain_file('/etc/nftables/puppet/filter-output-chains-50-default_out.nft').with(
|
|
| 86 |
:ensure => 'file', |
|
| 87 |
:owner => 'root', |
|
| 88 |
:group => 'root', |
|
| 89 |
:mode => '0640', |
|
| 90 |
)} |
|
| 91 |
it { is_expected.to contain_file('/etc/nftables/puppet/filter-output-chains-50-default_out.nft').with_content(
|
|
| 92 |
/^jump default_out$/, |
|
| 93 |
)} |
|
| 94 | 140 |
|
| 95 |
it { is_expected.to contain_concat('nftables-chain-filter-default_out').with(
|
|
| 96 |
:path => '/etc/nftables/puppet/filter-chains-default_out.nft',
|
|
| 141 |
it { is_expected.to contain_concat('nftables-filter-chain-default_out').with(
|
|
| 142 |
:path => '/etc/nftables/puppet/filter-chain-default_out.nft', |
|
| 97 | 143 |
:owner => 'root', |
| 98 | 144 |
:group => 'root', |
| 99 |
:mode => '0644',
|
|
| 145 |
:mode => '0640',
|
|
| 100 | 146 |
:ensure_newline => true, |
| 101 | 147 |
)} |
| 102 |
it { is_expected.to contain_concat__fragment('filter@default_out-header').with(
|
|
| 103 |
:target => 'nftables-chain-filter-default_out',
|
|
| 148 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_out-header').with(
|
|
| 149 |
:target => 'nftables-filter-chain-default_out',
|
|
| 104 | 150 |
:content => /^chain default_out {$/,
|
| 105 | 151 |
:order => '00', |
| 106 | 152 |
)} |
| 107 |
it { is_expected.to contain_concat__fragment('filter@default_out-footer').with(
|
|
| 108 |
:target => 'nftables-chain-filter-default_out',
|
|
| 153 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_out-footer').with(
|
|
| 154 |
:target => 'nftables-filter-chain-default_out',
|
|
| 109 | 155 |
:content => /^}$/, |
| 110 | 156 |
:order => '99', |
| 111 | 157 |
)} |
| 112 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-rule-default_out-chrony').with(
|
|
| 113 |
:target => 'nftables-chain-filter-default_out', |
|
| 114 |
:content => /^ udp dport 123 accept$/, |
|
| 115 |
:order => '50', |
|
| 116 |
)} |
|
| 117 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-rule-default_out-dnsudp').with(
|
|
| 118 |
:target => 'nftables-chain-filter-default_out', |
|
| 158 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_out-rule-dnsudp').with(
|
|
| 159 |
:target => 'nftables-filter-chain-default_out', |
|
| 119 | 160 |
:content => /^ udp dport 53 accept$/, |
| 120 | 161 |
:order => '50', |
| 121 | 162 |
)} |
| 122 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-rule-default_out-dnstcp').with(
|
|
| 123 |
:target => 'nftables-chain-filter-default_out',
|
|
| 163 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_out-rule-dnstcp').with(
|
|
| 164 |
:target => 'nftables-filter-chain-default_out',
|
|
| 124 | 165 |
:content => /^ tcp dport 53 accept$/, |
| 125 | 166 |
:order => '50', |
| 126 | 167 |
)} |
| 127 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-rule-default_out-http').with(
|
|
| 128 |
:target => 'nftables-chain-filter-default_out', |
|
| 168 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_out-rule-chrony').with(
|
|
| 169 |
:target => 'nftables-filter-chain-default_out', |
|
| 170 |
:content => /^ udp dport 123 accept$/, |
|
| 171 |
:order => '50', |
|
| 172 |
)} |
|
| 173 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_out-rule-http').with(
|
|
| 174 |
:target => 'nftables-filter-chain-default_out', |
|
| 129 | 175 |
:content => /^ tcp dport 80 accept$/, |
| 130 | 176 |
:order => '50', |
| 131 | 177 |
)} |
| 132 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-rule-default_out-https').with(
|
|
| 133 |
:target => 'nftables-chain-filter-default_out',
|
|
| 178 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_out-rule-https').with(
|
|
| 179 |
:target => 'nftables-filter-chain-default_out',
|
|
| 134 | 180 |
:content => /^ tcp dport 443 accept$/, |
| 135 | 181 |
:order => '50', |
| 136 | 182 |
)} |
| 137 | 183 |
end |
| 184 |
|
|
| 185 |
context 'chain forward' do |
|
| 186 |
it { is_expected.to contain_concat('nftables-filter-chain-FORWARD').with(
|
|
| 187 |
:path => '/etc/nftables/puppet/filter-chain-FORWARD.nft', |
|
| 188 |
:owner => 'root', |
|
| 189 |
:group => 'root', |
|
| 190 |
:mode => '0640', |
|
| 191 |
:ensure_newline => true, |
|
| 192 |
)} |
|
| 193 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-FORWARD-header').with(
|
|
| 194 |
:target => 'nftables-filter-chain-FORWARD', |
|
| 195 |
:content => /^chain FORWARD {$/,
|
|
| 196 |
:order => '00', |
|
| 197 |
)} |
|
| 198 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-FORWARD-rule-type').with(
|
|
| 199 |
:target => 'nftables-filter-chain-FORWARD', |
|
| 200 |
:content => /^ type filter hook forward priority 0$/, |
|
| 201 |
:order => '01', |
|
| 202 |
)} |
|
| 203 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-FORWARD-rule-policy').with(
|
|
| 204 |
:target => 'nftables-filter-chain-FORWARD', |
|
| 205 |
:content => /^ policy drop$/, |
|
| 206 |
:order => '02', |
|
| 207 |
)} |
|
| 208 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-FORWARD-rule-jump_global').with(
|
|
| 209 |
:target => 'nftables-filter-chain-FORWARD', |
|
| 210 |
:content => /^ jump global$/, |
|
| 211 |
:order => '03', |
|
| 212 |
)} |
|
| 213 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-FORWARD-rule-jump_default_fwd').with(
|
|
| 214 |
:target => 'nftables-filter-chain-FORWARD', |
|
| 215 |
:content => /^ jump default_fwd$/, |
|
| 216 |
:order => '10', |
|
| 217 |
)} |
|
| 218 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-FORWARD-rule-log_rejected').with(
|
|
| 219 |
:target => 'nftables-filter-chain-FORWARD', |
|
| 220 |
:content => /^ log prefix \"\[nftables\] FORWARD Rejected: \" flags all counter reject with icmpx type port-unreachable$/, |
|
| 221 |
:order => '98', |
|
| 222 |
)} |
|
| 223 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-FORWARD-footer').with(
|
|
| 224 |
:target => 'nftables-filter-chain-FORWARD', |
|
| 225 |
:content => /^}$/, |
|
| 226 |
:order => '99', |
|
| 227 |
)} |
|
| 228 |
|
|
| 229 |
it { is_expected.to contain_concat('nftables-filter-chain-default_fwd').with(
|
|
| 230 |
:path => '/etc/nftables/puppet/filter-chain-default_fwd.nft', |
|
| 231 |
:owner => 'root', |
|
| 232 |
:group => 'root', |
|
| 233 |
:mode => '0640', |
|
| 234 |
:ensure_newline => true, |
|
| 235 |
)} |
|
| 236 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_fwd-header').with(
|
|
| 237 |
:target => 'nftables-filter-chain-default_fwd', |
|
| 238 |
:content => /^chain default_fwd {$/,
|
|
| 239 |
:order => '00', |
|
| 240 |
)} |
|
| 241 |
it { is_expected.to contain_concat__fragment('nftables-filter-chain-default_fwd-footer').with(
|
|
| 242 |
:target => 'nftables-filter-chain-default_fwd', |
|
| 243 |
:content => /^}$/, |
|
| 244 |
:order => '99', |
|
| 245 |
)} |
|
| 246 |
end |
|
| 138 | 247 |
end |
| 139 | 248 |
end |
| 140 | 249 |
end |
Formats disponibles : Unified diff