Révision a528bf59
New clobber_default_config parameter
Certain OSes namely Debian and Archlinux provide default rules
with the OS.
This module has always respected those rules and appended all of
its own rules to the end of the existing rules.
The new parameter `clobber_default_config` if set `true` (default `false`)
will drop any existing OS provided rules.
Also related to acceptance tests only on Archlinux where the default
OS provided configuration requires kernel >= 6.3 we purge the default rules
if required.
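--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -109,11 +109,17 @@
 # The default file & dir mode for configuration files and directories. The
 # default varies depending on the system, and is set in the module's data.
 #
+# @param clobber_default_config
+# Should the existing OS provided rules in the `configuration_path` be removed? If
+# they are not being removed this module will add all of its configuration to the end of
+# the existing rules.
+#
 class nftables (
 Stdlib::Unixpath $echo,
 Stdlib::Unixpath $configuration_path,
 Stdlib::Unixpath $nft_path,
 Stdlib::Filemode $default_config_mode,
+Boolean $clobber_default_config = false,
 Boolean $in_ssh = true,
 Boolean $in_icmp = true,
 Boolean $out_ntp = true,
@@ -140,12 +146,30 @@
 ) {
 package { 'nftables':
 ensure => installed,
-} -> file_line {
-'enable_nftables':
-line => 'include "/etc/nftables/puppet.nft"',
-path => $configuration_path,
-notify => Service['nftables'],
-} -> file {
+}
+
+if $clobber_default_config {
+file { $configuration_path:
+ensure => file,
+owner => 'root',
+group => 'root',
+mode => $default_config_mode,
+content => "#Puppet Managed\ninclude \"/etc/nftables/puppet.nft\"\n",
+require => Package['nftables'],
+before => File['/etc/nftables'],
+notify => Service['nftables'],
+}
+} else {
+file_line { 'enable_nftables':
+line => 'include "/etc/nftables/puppet.nft"',
+path => $configuration_path,
+require => Package['nftables'],
+before => File['/etc/nftables'],
+notify => Service['nftables'],
+}
+}
+
+file {
 default:
 owner => 'root',
 group => 'root',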
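Review bot: The clobber branch (new lines 152-161) replaces the distribution's config with nothing but a comment and the include, so the only thing that can remove tables previously loaded from the OS rules on the next reload is a `flush ruleset` inside `/etc/nftables/puppet.nft`, which this hunk does not show; if that file does not start with one, consider emitting it here, `content => "#Puppet Managed\nflush ruleset\ninclude \"/etc/nftables/puppet.nft\"\n",`, or state the assumption explicitly in the `@param clobber_default_config` doc so an operator flipping the flag knows what is and is not torn down. The include string and the `require`/`before`/`notify` metaparameters are now duplicated across the two branches; a local such as `$include_line = 'include "/etc/nftables/puppet.nft"'` used by both `content` and `line` would keep the two code paths from drifting. It would also help to note in the param doc that with the default `false` the OS rules are evaluated before the module's rules, which is presumably why the hardening tests on Archlinux needed purging. The body of class `nftables` continues outside the hunk.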