root / manifests / simplerule.pp @ af15de48
Historique | Voir | Annoter | Télécharger (1,97 ko)
| 1 | af15de48 | Nacho Barrientos | # @summary Provides a simplified interface to nftables::rule for basic use cases. |
|---|---|---|---|
| 2 | # It's recommended to use nftables::rule directly if you feel comfortable with |
||
| 3 | # nft's syntax. |
||
| 4 | 4ec94616 | Nacho Barrientos | # |
| 5 | 77abc10b | Nacho Barrientos | # @example allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets |
| 6 | 4ec94616 | Nacho Barrientos | # nftables::simplerule{'my_service_in':
|
| 7 | # action => 'accept', |
||
| 8 | # comment => 'allow traffic to port 543', |
||
| 9 | # counter => true, |
||
| 10 | # proto => 'tcp', |
||
| 11 | # dport => 543, |
||
| 12 | # daddr => '2001:1458::/32', |
||
| 13 | 77abc10b | Nacho Barrientos | # sport => 541, |
| 14 | 4ec94616 | Nacho Barrientos | # } |
| 15 | |||
| 16 | 467ea4e2 | Nacho Barrientos | define nftables::simplerule ( |
| 17 | Enum['present','absent'] $ensure = 'present', |
||
| 18 | Pattern[/^[-a-zA-Z0-9_]+$/] $rulename = $title, |
||
| 19 | Pattern[/^\d\d$/] $order = '50', |
||
| 20 | String $chain = 'default_in', |
||
| 21 | String $table = 'inet-filter', |
||
| 22 | Enum['accept', 'drop'] $action = 'accept', |
||
| 23 | Optional[String] $comment = undef, |
||
| 24 | fb58f7b3 | Nacho Barrientos | Optional[Variant[Array[Stdlib::Port, 1], Stdlib::Port, Pattern[/\d+-\d+/]]] $dport = undef, |
| 25 | Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']] $proto = undef, |
||
| 26 | 467ea4e2 | Nacho Barrientos | Optional[Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Pattern[/^@[-a-zA-Z0-9_]+$/]]] $daddr = undef, |
| 27 | Enum['ip', 'ip6'] $set_type = 'ip6', |
||
| 28 | 77abc10b | Nacho Barrientos | Optional[Variant[Array[Stdlib::Port, 1], Stdlib::Port, Pattern[/\d+-\d+/]]] $sport = undef, |
| 29 | 467ea4e2 | Nacho Barrientos | Boolean $counter = false, |
| 30 | ) {
|
||
| 31 | 3a52fb41 | Nacho Barrientos | if $dport and !$proto {
|
| 32 | 2489f932 | Nacho Barrientos | fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
|
| 33 | 3a52fb41 | Nacho Barrientos | } |
| 34 | |||
| 35 | 77abc10b | Nacho Barrientos | if $sport and !$proto {
|
| 36 | fail('Specifying a transport protocol via $proto is mandatory when passing a $sport')
|
||
| 37 | } |
||
| 38 | |||
| 39 | 83382bb5 | Nacho Barrientos | if $ensure == 'present' {
|
| 40 | 467ea4e2 | Nacho Barrientos | nftables::rule { "${chain}-${rulename}":
|
| 41 | 83382bb5 | Nacho Barrientos | content => epp('nftables/simplerule.epp',
|
| 42 | {
|
||
| 43 | aaa37172 | Nacho Barrientos | 'action' => $action, |
| 44 | 'comment' => $comment, |
||
| 45 | d43ced4d | Nacho Barrientos | 'counter' => $counter, |
| 46 | aaa37172 | Nacho Barrientos | 'dport' => $dport, |
| 47 | 'proto' => $proto, |
||
| 48 | 'daddr' => $daddr, |
||
| 49 | 'set_type' => $set_type, |
||
| 50 | 77abc10b | Nacho Barrientos | 'sport' => $sport, |
| 51 | 83382bb5 | Nacho Barrientos | } |
| 52 | ), |
||
| 53 | order => $order, |
||
| 54 | table => $table, |
||
| 55 | } |
||
| 56 | } |
||
| 57 | } |