Révision 94a80621
Use Stdlib::Port everywhere in place of Integer
Use Stdlib::Port in place of Integer for ports
Fixes #37
| manifests/rules/ceph_mon.pp | ||
|---|---|---|
| 1 | 1 |
# Ceph is a distributed object store and file system. |
| 2 | 2 |
# Enable this option to support Ceph's Monitor Daemon. |
| 3 | 3 |
class nftables::rules::ceph_mon ( |
| 4 |
Array[Integer,1] $ports = [3300, 6789],
|
|
| 4 |
Array[Stdlib::Port,1] $ports = [3300, 6789],
|
|
| 5 | 5 |
) {
|
| 6 | 6 |
nftables::rule {
|
| 7 | 7 |
'default_in-ceph_mon': |
| manifests/rules/dnat4.pp | ||
|---|---|---|
| 1 | 1 |
# manage a ipv4 dnat rule |
| 2 | 2 |
define nftables::rules::dnat4 ( |
| 3 | 3 |
Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/] $daddr,
|
| 4 |
Variant[String,Integer[1,65535]] $port,
|
|
| 4 |
Variant[String,Stdlib::Port] $port,
|
|
| 5 | 5 |
Pattern[/^[a-zA-Z0-9_]+$/] $rulename = $title, |
| 6 | 6 |
Pattern[/^\d\d$/] $order = '50', |
| 7 | 7 |
String[1] $chain = 'default_fwd', |
| 8 | 8 |
Optional[String[1]] $iif = undef, |
| 9 | 9 |
Enum['tcp','udp'] $proto = 'tcp', |
| 10 |
Optional[Variant[String,Integer[1,65535]]] $dport = '',
|
|
| 10 |
Optional[Variant[String,Stdlib::Port]] $dport = '',
|
|
| 11 | 11 |
Enum['present','absent'] $ensure = 'present', |
| 12 | 12 |
) {
|
| 13 | 13 |
$iifname = $iif ? {
|
| manifests/rules/dns.pp | ||
|---|---|---|
| 1 | 1 |
# manage in dns |
| 2 | 2 |
class nftables::rules::dns ( |
| 3 |
Array[Integer,1] $ports = [53],
|
|
| 3 |
Array[Stdlib::Port,1] $ports = [53],
|
|
| 4 | 4 |
) {
|
| 5 | 5 |
nftables::rule {
|
| 6 | 6 |
'default_in-dns_tcp': |
| manifests/rules/icinga2.pp | ||
|---|---|---|
| 1 | 1 |
# manage in icinga2 |
| 2 | 2 |
class nftables::rules::icinga2 ( |
| 3 |
Array[Integer,1] $ports = [5665],
|
|
| 3 |
Array[Stdlib::Port,1] $ports = [5665],
|
|
| 4 | 4 |
) {
|
| 5 | 5 |
nftables::rule {
|
| 6 | 6 |
'default_in-icinga2': |
| manifests/rules/masquerade.pp | ||
|---|---|---|
| 7 | 7 |
Optional[String[1]] $saddr = undef, |
| 8 | 8 |
Optional[String[1]] $daddr = undef, |
| 9 | 9 |
Optional[Enum['tcp','udp']] $proto = undef, |
| 10 |
Optional[Variant[String,Integer[1,65535]]] $dport = undef,
|
|
| 10 |
Optional[Variant[String,Stdlib::Port]] $dport = undef,
|
|
| 11 | 11 |
Enum['present','absent'] $ensure = 'present', |
| 12 | 12 |
) {
|
| 13 | 13 |
$oifname = $oif ? {
|
| manifests/rules/node_exporter.pp | ||
|---|---|---|
| 1 | 1 |
# manage in node exporter |
| 2 | 2 |
class nftables::rules::node_exporter ( |
| 3 | 3 |
Optional[Variant[String,Array[String,1]]] $prometheus_server = undef, |
| 4 |
Integer $port = 9100,
|
|
| 4 |
Stdlib::Port $port = 9100,
|
|
| 5 | 5 |
) {
|
| 6 | 6 |
if $prometheus_server {
|
| 7 | 7 |
any2array($prometheus_server).each |$index,$prom| {
|
| manifests/rules/out/ceph_client.pp | ||
|---|---|---|
| 3 | 3 |
# Object Storage Daemons (OSD), Metadata Server Daemons (MDS), |
| 4 | 4 |
# and Manager Daemons (MGR). |
| 5 | 5 |
class nftables::rules::out::ceph_client ( |
| 6 |
Array[Integer,1] $ports = [3300, 6789],
|
|
| 6 |
Array[Stdlib::Port,1] $ports = [3300, 6789],
|
|
| 7 | 7 |
) {
|
| 8 | 8 |
nftables::rule {
|
| 9 | 9 |
'default_out-ceph_client': |
| manifests/rules/out/openafs_client.pp | ||
|---|---|---|
| 6 | 6 |
# @see https://wiki.openafs.org/devel/AFSServicePorts/ AFS Service Ports |
| 7 | 7 |
# |
| 8 | 8 |
class nftables::rules::out::openafs_client ( |
| 9 |
Array[Integer,1] $ports = [7000, 7002, 7003],
|
|
| 9 |
Array[Stdlib::Port,1] $ports = [7000, 7002, 7003],
|
|
| 10 | 10 |
) {
|
| 11 | 11 |
include nftables::rules::out::kerberos |
| 12 | 12 |
|
| manifests/rules/out/puppet.pp | ||
|---|---|---|
| 1 | 1 |
# manage outgoing puppet |
| 2 | 2 |
class nftables::rules::out::puppet ( |
| 3 | 3 |
Variant[Stdlib::IP::Address,Array[Stdlib::IP::Address,1]] $puppetserver, |
| 4 |
Integer $puppetserver_port = 8140,
|
|
| 4 |
Stdlib::Port $puppetserver_port = 8140,
|
|
| 5 | 5 |
) {
|
| 6 | 6 |
Array($puppetserver, true).each |$index,$ps| {
|
| 7 | 7 |
nftables::rule {
|
| manifests/rules/snat4.pp | ||
|---|---|---|
| 7 | 7 |
Optional[String[1]] $oif = undef, |
| 8 | 8 |
Optional[String[1]] $saddr = undef, |
| 9 | 9 |
Optional[Enum['tcp','udp']] $proto = undef, |
| 10 |
Optional[Variant[String,Integer[1,65535]]] $dport = undef,
|
|
| 10 |
Optional[Variant[String,Stdlib::Port]] $dport = undef,
|
|
| 11 | 11 |
Enum['present','absent'] $ensure = 'present', |
| 12 | 12 |
) {
|
| 13 | 13 |
$oifname = $oif ? {
|
| manifests/rules/ssh.pp | ||
|---|---|---|
| 1 | 1 |
# manage in ssh |
| 2 | 2 |
class nftables::rules::ssh ( |
| 3 |
Array[Integer,1] $ports = [22],
|
|
| 3 |
Array[Stdlib::Port,1] $ports = [22],
|
|
| 4 | 4 |
) {
|
| 5 | 5 |
nftables::rule {
|
| 6 | 6 |
'default_in-ssh': |
| manifests/rules/tor.pp | ||
|---|---|---|
| 1 | 1 |
# manage in tor |
| 2 | 2 |
class nftables::rules::tor ( |
| 3 |
Array[Integer,1] $ports = [9001],
|
|
| 3 |
Array[Stdlib::Port,1] $ports = [9001],
|
|
| 4 | 4 |
) {
|
| 5 | 5 |
nftables::rule {
|
| 6 | 6 |
'default_in-tor': |
| manifests/rules/wireguard.pp | ||
|---|---|---|
| 1 | 1 |
# manage in wireguard |
| 2 | 2 |
class nftables::rules::wireguard ( |
| 3 |
Array[Integer,1] $ports = [51820],
|
|
| 3 |
Array[Stdlib::Port,1] $ports = [51820],
|
|
| 4 | 4 |
) {
|
| 5 | 5 |
nftables::rule {
|
| 6 | 6 |
'default_in-wireguard': |
| spec/classes/rules/dns_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::dns' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_in-dns_tcp').with_content('tcp dport {53} accept') }
|
|
| 11 |
it { is_expected.to contain_nftables__rule('default_in-dns_udp').with_content('udp dport {53} accept') }
|
|
| 12 |
end |
|
| 13 |
|
|
| 14 |
context 'with ports set' do |
|
| 15 |
let(:params) do |
|
| 16 |
{
|
|
| 17 |
ports: [55, 60], |
|
| 18 |
} |
|
| 19 |
end |
|
| 20 |
|
|
| 21 |
it { is_expected.to compile }
|
|
| 22 |
it { is_expected.to contain_nftables__rule('default_in-dns_tcp').with_content('tcp dport {55, 60} accept') }
|
|
| 23 |
it { is_expected.to contain_nftables__rule('default_in-dns_udp').with_content('udp dport {55, 60} accept') }
|
|
| 24 |
end |
|
| 25 |
end |
|
| 26 |
end |
|
| 27 |
end |
|
| spec/classes/rules/icinga2_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::icinga2' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_in-icinga2').with_content('tcp dport {5665} accept') }
|
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'with ports set' do |
|
| 14 |
let(:params) do |
|
| 15 |
{
|
|
| 16 |
ports: [55, 60], |
|
| 17 |
} |
|
| 18 |
end |
|
| 19 |
|
|
| 20 |
it { is_expected.to compile }
|
|
| 21 |
it { is_expected.to contain_nftables__rule('default_in-icinga2').with_content('tcp dport {55, 60} accept') }
|
|
| 22 |
end |
|
| 23 |
end |
|
| 24 |
end |
|
| 25 |
end |
|
| spec/classes/rules/node_exporter_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::node_exporter' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_in-node_exporter').with_content('tcp dport 9100 accept') }
|
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'with port set' do |
|
| 14 |
let(:params) do |
|
| 15 |
{
|
|
| 16 |
port: 100, |
|
| 17 |
} |
|
| 18 |
end |
|
| 19 |
|
|
| 20 |
it { is_expected.to compile }
|
|
| 21 |
it { is_expected.to contain_nftables__rule('default_in-node_exporter').with_content('tcp dport 100 accept') }
|
|
| 22 |
context 'with prometheus_server set' do |
|
| 23 |
let(:params) do |
|
| 24 |
super().merge({ prometheus_server: ['127.0.0.1', '::1'] })
|
|
| 25 |
end |
|
| 26 |
|
|
| 27 |
it { is_expected.to contain_nftables__rule('default_in-node_exporter-0').with_content('ip saddr 127.0.0.1 tcp dport 100 accept') }
|
|
| 28 |
it { is_expected.to contain_nftables__rule('default_in-node_exporter-1').with_content('ip6 saddr ::1 tcp dport 100 accept') }
|
|
| 29 |
end |
|
| 30 |
end |
|
| 31 |
end |
|
| 32 |
end |
|
| 33 |
end |
|
| spec/classes/rules/ssh_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::ssh' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_in-ssh').with_content('tcp dport {22} accept') }
|
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'with ports set' do |
|
| 14 |
let(:params) do |
|
| 15 |
{
|
|
| 16 |
ports: [55, 60], |
|
| 17 |
} |
|
| 18 |
end |
|
| 19 |
|
|
| 20 |
it { is_expected.to compile }
|
|
| 21 |
it { is_expected.to contain_nftables__rule('default_in-ssh').with_content('tcp dport {55, 60} accept') }
|
|
| 22 |
end |
|
| 23 |
end |
|
| 24 |
end |
|
| 25 |
end |
|
| spec/classes/rules/tor_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::tor' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_in-tor').with_content('tcp dport {9001} accept') }
|
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'with ports set' do |
|
| 14 |
let(:params) do |
|
| 15 |
{
|
|
| 16 |
ports: [55, 60], |
|
| 17 |
} |
|
| 18 |
end |
|
| 19 |
|
|
| 20 |
it { is_expected.to compile }
|
|
| 21 |
it { is_expected.to contain_nftables__rule('default_in-tor').with_content('tcp dport {55, 60} accept') }
|
|
| 22 |
end |
|
| 23 |
end |
|
| 24 |
end |
|
| 25 |
end |
|
| spec/classes/rules/wireguard_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::wireguard' do |
|
| 4 |
on_supported_os.each do |os, os_facts| |
|
| 5 |
context "on #{os}" do
|
|
| 6 |
let(:facts) { os_facts }
|
|
| 7 |
|
|
| 8 |
context 'default options' do |
|
| 9 |
it { is_expected.to compile }
|
|
| 10 |
it { is_expected.to contain_nftables__rule('default_in-wireguard').with_content('udp dport {51820} accept') }
|
|
| 11 |
end |
|
| 12 |
|
|
| 13 |
context 'with ports set' do |
|
| 14 |
let(:params) do |
|
| 15 |
{
|
|
| 16 |
ports: [55, 60], |
|
| 17 |
} |
|
| 18 |
end |
|
| 19 |
|
|
| 20 |
it { is_expected.to compile }
|
|
| 21 |
it { is_expected.to contain_nftables__rule('default_in-wireguard').with_content('udp dport {55, 60} accept') }
|
|
| 22 |
end |
|
| 23 |
end |
|
| 24 |
end |
|
| 25 |
end |
|
| spec/defines/rules/dnat4_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::dnat4' do |
|
| 4 |
let(:title) { 'foobar' }
|
|
| 5 |
|
|
| 6 |
on_supported_os.each do |os, facts| |
|
| 7 |
context "on #{os}" do
|
|
| 8 |
let(:facts) do |
|
| 9 |
facts |
|
| 10 |
end |
|
| 11 |
|
|
| 12 |
context 'with minumum parameters' do |
|
| 13 |
let(:params) do |
|
| 14 |
{
|
|
| 15 |
daddr: '127.127.127.127', |
|
| 16 |
port: 100, |
|
| 17 |
} |
|
| 18 |
end |
|
| 19 |
|
|
| 20 |
it { is_expected.to compile.with_all_deps }
|
|
| 21 |
end |
|
| 22 |
end |
|
| 23 |
end |
|
| 24 |
end |
|
| spec/defines/rules/masquerade_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::masquerade' do |
|
| 4 |
let(:title) { 'foobar' }
|
|
| 5 |
|
|
| 6 |
on_supported_os.each do |os, facts| |
|
| 7 |
context "on #{os}" do
|
|
| 8 |
let(:facts) do |
|
| 9 |
facts |
|
| 10 |
end |
|
| 11 |
|
|
| 12 |
context 'with default parameters' do |
|
| 13 |
it { is_expected.to compile.with_all_deps }
|
|
| 14 |
it { is_expected.to contain_nftables__rule('POSTROUTING-foobar').with_content('masquerade') }
|
|
| 15 |
end |
|
| 16 |
context 'with dport specified' do |
|
| 17 |
let(:params) do |
|
| 18 |
{
|
|
| 19 |
dport: 1000 |
|
| 20 |
} |
|
| 21 |
end |
|
| 22 |
|
|
| 23 |
it { is_expected.to contain_nftables__rule('POSTROUTING-foobar').with_content('tcp dport 1000 masquerade') }
|
|
| 24 |
end |
|
| 25 |
end |
|
| 26 |
end |
|
| 27 |
end |
|
| spec/defines/rules/snat4_spec.rb | ||
|---|---|---|
| 1 |
require 'spec_helper' |
|
| 2 |
|
|
| 3 |
describe 'nftables::rules::snat4' do |
|
| 4 |
let(:title) { 'foobar' }
|
|
| 5 |
|
|
| 6 |
on_supported_os.each do |os, facts| |
|
| 7 |
context "on #{os}" do
|
|
| 8 |
let(:facts) do |
|
| 9 |
facts |
|
| 10 |
end |
|
| 11 |
|
|
| 12 |
context 'with snat specified' do |
|
| 13 |
let(:params) do |
|
| 14 |
{
|
|
| 15 |
snat: 'sausage', |
|
| 16 |
} |
|
| 17 |
end |
|
| 18 |
|
|
| 19 |
it { is_expected.to compile.with_all_deps }
|
|
| 20 |
it { is_expected.to contain_nftables__rule('POSTROUTING-foobar').with_content('snat sausage') }
|
|
| 21 |
context 'with dport specified' do |
|
| 22 |
let(:params) do |
|
| 23 |
super().merge(dport: 1234) |
|
| 24 |
end |
|
| 25 |
|
|
| 26 |
it { is_expected.to contain_nftables__rule('POSTROUTING-foobar').with_content('tcp dport 1234 snat sausage') }
|
|
| 27 |
end |
|
| 28 |
end |
|
| 29 |
end |
|
| 30 |
end |
|
| 31 |
end |
|
Formats disponibles : Unified diff