
Révision a528bf59

IDa528bf593a7b3671efbadefb13bb3e81130dd29c
Parent 1331dc33
Enfant de945d0d

Ajouté par Steve Traylen il y a 11 mois

New clobber_default_config paramter

Certain OSes namely Debian and Archlinux provide default rules
with the OS.

This module has always respected those rules and appended all of
its own rules to the end of the existing rules.

The new parameter `clobber_default_config` if set `true` (default `false`)
will drop any existing OS provided rules.

Also, in the acceptance tests only, on Archlinux — where the default
OS-provided configuration requires kernel >= 6.3 — we purge the default rules
if required.


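--- a/spec/acceptance/default_spec.rb
+++ b/spec/acceptance/default_spec.rb
@@ -6,10 +6,21 @@
   context 'configure default nftables service' do
     it 'works idempotently with no errors' do
       pp = <<-EOS
+
+      # Default ArchLinux rules contain "destroy" that requires kernel >= 6.3
+      # https://gitlab.archlinux.org/archlinux/packaging/packages/nftables/-/commit/f26a7145b2885d298925819782a5302905332dbe
+      # When running on docker this may not be the case.
+      if $facts['os']['family'] == 'Archlinux' and versioncmp($facts['kernelrelease'],'6.3') < 0 {
+        $_clobber_default_config = true
+      } else {
+        $_clobber_default_config = undef
+      }
+
       # default mask of firewalld service fails if service is not installed.
       # https://tickets.puppetlabs.com/browse/PUP-10814
       class { 'nftables':
         firewalld_enable => false,
+        clobber_default_config => $_clobber_default_config,
       }
       $config_path = $facts['os']['family'] ? {
         'Archlinux' => '/etc/nftables.conf',
@@ -61,8 +72,14 @@
   context 'with bad invalid nft rules' do
     it 'puppet fails but should leave nft service running' do
       pp = <<-EOS
+      if $facts['os']['family'] == 'Archlinux' and versioncmp($facts['kernelrelease'],'6.3') < 0 {
+        $_clobber_default_config = true
+      } else {
+        $_clobber_default_config = undef
+      }
       class{'nftables':
         firewalld_enable => false,
+        clobber_default_config => $_clobber_default_config,
       }
       nftables::rule{'default_out-junk':
         content => 'A load of junk',
@@ -103,10 +120,16 @@
   context 'with totally empty firewall' do
     it 'no rules validate okay' do
       pp = <<-EOS
+      if $facts['os']['family'] == 'Archlinux' and versioncmp($facts['kernelrelease'],'6.3') < 0 {
+        $_clobber_default_config = true
+      } else {
+        $_clobber_default_config = undef
+      }
       class{'nftables':
         firewalld_enable => false,
         inet_filter => false,
         nat => false,
+        clobber_default_config => $_clobber_default_config,
       }
       $config_path = $facts['os']['family'] ? {
         'Archlinux' => '/etc/nftables.conf',
@@ -144,10 +167,16 @@
   context 'with custom nat_table_name' do
     it 'no rules validate okay' do
       pp = <<-EOS
+      if $facts['os']['family'] == 'Archlinux' and versioncmp($facts['kernelrelease'],'6.3') < 0 {
+        $_clobber_default_config = true
+      } else {
+        $_clobber_default_config = undef
+      }
       class{'nftables':
         firewalld_enable => false,
         nat => true,
         nat_table_name => 'mycustomtablename',
+        clobber_default_config => $_clobber_default_config,
       }
       $config_path = $facts['os']['family'] ? {
         'Archlinux' => '/etc/nftables.conf',
@@ -185,10 +214,16 @@
   context 'with only an empty netdev table' do
     it 'rules validate okay' do
       pp = <<-EOS
+      if $facts['os']['family'] == 'Archlinux' and versioncmp($facts['kernelrelease'],'6.3') < 0 {
+        $_clobber_default_config = true
+      } else {
+        $_clobber_default_config = undef
+      }
       class{'nftables':
         firewalld_enable => false,
         inet_filter => false,
         nat => false,
+        clobber_default_config => $_clobber_default_config,
       }
       nftables::config {
         'netdev-filter':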
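Review bot: The five-line Puppet preamble that decides `$_clobber_default_config` is pasted verbatim into all five contexts of this file (first at the `configure default nftables service` hunk, then in the four following hunks), and only the first copy carries the comment explaining the kernel >= 6.3 requirement; the kernel threshold is now a literal that must be kept in sync in five places. Since the heredocs are `<<-EOS` and therefore interpolate, the snippet could live once in a `let` at the spec level and each `pp` would then just contain `#{clobber_default_config_pp}` before the `class{'nftables':` line, keeping the rationale next to the only copy. The enclosing `describe` that the `let` would belong to starts outside this diff, so the exact placement should be confirmed against the file head. It may also be worth noting in that comment that when the branch is taken the run deliberately discards the OS-provided ruleset, so a failing assertion on Archlinux can be attributed to that rather than to the module's own rules.
```ruby
  # Shared Puppet preamble for every context below: the stock ArchLinux ruleset uses
  # "destroy", which needs kernel >= 6.3 (not guaranteed under docker), so the
  # OS-provided rules are clobbered on older kernels and left alone otherwise.
  let(:clobber_default_config_pp) do
    <<-PP
      if $facts['os']['family'] == 'Archlinux' and versioncmp($facts['kernelrelease'],'6.3') < 0 {
        $_clobber_default_config = true
      } else {
        $_clobber_default_config = undef
      }
    PP
  end

  # … unchanged: each context, with its heredoc now starting as below …
      pp = <<-EOS
      #{clobber_default_config_pp}
      class{'nftables':
```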
