Révision ac0af4aa
Allow tables to add comments to $log_prefix
| manifests/inet_filter.pp | ||
|---|---|---|
| 1 | 1 |
# manage basic chains in table inet filter |
| 2 | 2 |
class nftables::inet_filter inherits nftables {
|
| 3 | 3 |
|
| 4 |
$_log_prefix_discard = sprintf($nftables::log_prefix, { 'chain' => '%<chain>s', 'comment' => 'Rejected: ' })
|
|
| 5 |
|
|
| 4 | 6 |
nftables::config{
|
| 5 | 7 |
'inet-filter': |
| 6 | 8 |
source => 'puppet:///modules/nftables/config/puppet-inet-filter.nft'; |
| ... | ... | |
| 39 | 41 |
content => 'jump global'; |
| 40 | 42 |
'INPUT-log_discarded': |
| 41 | 43 |
order => '97', |
| 42 |
content => "log prefix \"${sprintf($nftables::log_prefix, { 'chain' => 'INPUT' })}\" flags all counter";
|
|
| 44 |
content => "log prefix \"${sprintf($_log_prefix_discard, { 'chain' => 'INPUT' })}\" flags all counter";
|
|
| 43 | 45 |
} |
| 44 | 46 |
if $nftables::reject_with {
|
| 45 | 47 |
nftables::rule{
|
| ... | ... | |
| 65 | 67 |
content => 'jump global'; |
| 66 | 68 |
'OUTPUT-log_discarded': |
| 67 | 69 |
order => '97', |
| 68 |
content => "log prefix \"${sprintf($nftables::log_prefix, { 'chain' => 'OUTPUT' })}\" flags all counter";
|
|
| 70 |
content => "log prefix \"${sprintf($_log_prefix_discard, { 'chain' => 'OUTPUT' })}\" flags all counter";
|
|
| 69 | 71 |
} |
| 70 | 72 |
if $nftables::reject_with {
|
| 71 | 73 |
nftables::rule{
|
| ... | ... | |
| 88 | 90 |
content => 'jump global'; |
| 89 | 91 |
'FORWARD-log_discarded': |
| 90 | 92 |
order => '97', |
| 91 |
content => "log prefix \"${sprintf($nftables::log_prefix, { 'chain' => 'FORWARD' })}\" flags all counter";
|
|
| 93 |
content => "log prefix \"${sprintf($_log_prefix_discard, { 'chain' => 'FORWARD' })}\" flags all counter";
|
|
| 92 | 94 |
} |
| 93 | 95 |
if $nftables::reject_with {
|
| 94 | 96 |
nftables::rule{
|
| manifests/init.pp | ||
|---|---|---|
| 26 | 26 |
# @param in_ssh |
| 27 | 27 |
# Allow inbound to ssh servers. |
| 28 | 28 |
# |
| 29 |
# @param log_prefix |
|
| 30 |
# String that will be used as prefix when logging packets. It can contain |
|
| 31 |
# two variables using standard sprintf() string-formatting: |
|
| 32 |
# * chain: Will be replaced by the name of the chain. |
|
| 33 |
# * comment: Allows chains to add extra comments. |
|
| 34 |
# |
|
| 29 | 35 |
# @param reject_with |
| 30 | 36 |
# How to discard packets not matching any rule. If `false`, the |
| 31 | 37 |
# fate of the packet will be defined by the chain policy (normally |
| ... | ... | |
| 40 | 46 |
Boolean $out_https = true, |
| 41 | 47 |
Boolean $out_all = false, |
| 42 | 48 |
Hash $rules = {},
|
| 43 |
String $log_prefix = '[nftables] %<chain>s Rejected: ',
|
|
| 49 |
String $log_prefix = '[nftables] %<chain>s %<comment>s',
|
|
| 44 | 50 |
Variant[Boolean[false], Pattern[ |
| 45 | 51 |
/icmp(v6|x)? type .+|tcp reset/]] |
| 46 | 52 |
$reject_with = 'icmpx type port-unreachable', |
| spec/classes/inet_filter_spec.rb | ||
|---|---|---|
| 375 | 375 |
end |
| 376 | 376 |
|
| 377 | 377 |
context 'custom log prefix without variable substitution' do |
| 378 |
let(:pre_condition) { 'class{\'nftables\': log_prefix => "test "}' }
|
|
| 378 |
let(:params) do |
|
| 379 |
{
|
|
| 380 |
'log_prefix' => 'test', |
|
| 381 |
} |
|
| 382 |
end |
|
| 379 | 383 |
|
| 380 | 384 |
it {
|
| 381 | 385 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 382 | 386 |
target: 'nftables-inet-filter-chain-INPUT', |
| 383 |
content: %r{^ log prefix \"test " flags all counter$},
|
|
| 387 |
content: %r{^ log prefix "test" flags all counter$},
|
|
| 384 | 388 |
order: '97', |
| 385 | 389 |
) |
| 386 | 390 |
} |
| 387 | 391 |
it {
|
| 388 | 392 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 389 | 393 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 390 |
content: %r{^ log prefix \"test " flags all counter$},
|
|
| 394 |
content: %r{^ log prefix "test" flags all counter$},
|
|
| 391 | 395 |
order: '97', |
| 392 | 396 |
) |
| 393 | 397 |
} |
| 394 | 398 |
it {
|
| 395 | 399 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 396 | 400 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 397 |
content: %r{^ log prefix \"test " flags all counter$},
|
|
| 401 |
content: %r{^ log prefix "test" flags all counter$},
|
|
| 398 | 402 |
order: '97', |
| 399 | 403 |
) |
| 400 | 404 |
} |
| 401 | 405 |
end |
| 402 | 406 |
|
| 403 | 407 |
context 'custom log prefix with variable substitution' do |
| 404 |
let(:pre_condition) { 'class{\'nftables\': log_prefix => " bar [%<chain>s] "}' } # rubocop:disable Style/FormatStringToken
|
|
| 408 |
let(:params) do |
|
| 409 |
{
|
|
| 410 |
'log_prefix' => ' bar [%<chain>s] ', # rubocop:disable Style/FormatStringToken |
|
| 411 |
} |
|
| 412 |
end |
|
| 405 | 413 |
|
| 406 | 414 |
it {
|
| 407 | 415 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_discarded').with(
|
| 408 | 416 |
target: 'nftables-inet-filter-chain-INPUT', |
| 409 |
content: %r{^ log prefix \" bar \[INPUT\] " flags all counter$},
|
|
| 417 |
content: %r{^ log prefix " bar \[INPUT\] " flags all counter$},
|
|
| 410 | 418 |
order: '97', |
| 411 | 419 |
) |
| 412 | 420 |
} |
| 413 | 421 |
it {
|
| 414 | 422 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_discarded').with(
|
| 415 | 423 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 416 |
content: %r{^ log prefix \" bar \[OUTPUT\] " flags all counter$},
|
|
| 424 |
content: %r{^ log prefix " bar \[OUTPUT\] " flags all counter$},
|
|
| 417 | 425 |
order: '97', |
| 418 | 426 |
) |
| 419 | 427 |
} |
| 420 | 428 |
it {
|
| 421 | 429 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_discarded').with(
|
| 422 | 430 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 423 |
content: %r{^ log prefix \" bar \[FORWARD\] " flags all counter$},
|
|
| 431 |
content: %r{^ log prefix " bar \[FORWARD\] " flags all counter$},
|
|
| 424 | 432 |
order: '97', |
| 425 | 433 |
) |
| 426 | 434 |
} |
Formats disponibles : Unified diff