
Révision af544fea

IDaf544fea6fe8a0a96f6cfa38b9f9f690fafaa1c1
Parent 9adf6851
Enfant 351a88fb

Ajouté par tr il y a plus de 4 ans

Create a special ingoing chain for all ingoing fwd rules


README.md
59 59
`ORDER-MASTERCHAIN`, where order references a 2-digit
60 60
number which defines the rule order (by default use e.g. 20)
61 61
and masterchain references the chain to hook in the new
62
chain.
62
chain. It's possible to specify the in-interface name and
63
out-interface name for the inject rule.
63 64

  
64 65
## nftables::rule
65 66

  
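--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -6,6 +6,10 @@
     $chain = $title,
   Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]
     $inject = undef,
+  Optional[String]
+    $inject_iif = undef,
+  Optional[String]
+    $inject_oif = undef,
 ){
   $concat_name = "nftables-${table}-chain-${chain}"
 
@@ -33,9 +37,17 @@
 
   if $inject {
     $data = split($inject, '-')
+    $iif = $inject_iif ? {
+      undef => '',
+      default => "iifname ${inject_iif} ",
+    }
+    $oif = $inject_oif ? {
+      undef => '',
+      default => "oifname ${inject_oif} ",
+    }
     nftables::rule{ "${data[1]}-jump_${chain}":
       order   => $data[0],
-      content => "jump ${chain}",
+      content => "${iif}${oif}jump ${chain}",
     }
   }
 }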
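Review bot: `$inject_iif` and `$inject_oif` are typed only as `Optional[String]` yet are interpolated verbatim into the rule `content` at new line 50, so any whitespace or nft syntax in the value becomes part of the generated ruleset, whereas the neighbouring `$inject` parameter is already constrained by a `Pattern`. A comparable constraint on both interface parameters, e.g. `Optional[Pattern[/\A[^\s'"]+\z/]]` (a constructed example; widen it if the module must accept other characters), would reject stray tokens at catalog compile time instead of producing an unexpected rule. The define's header and parameter documentation start outside the hunk; a short `@param inject_iif` / `@param inject_oif` description there would mirror the README change. Note also that the earlier `$inject` pattern uses `^`/`$` anchors, which in Puppet (Ruby) regexes match per line rather than the whole string, so the new patterns should prefer `\A`/`\z`.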
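--- a/spec/classes/router_spec.rb
+++ b/spec/classes/router_spec.rb
@@ -10,6 +10,13 @@
       context 'as router' do
         let(:pre_condition) do
           """
+          # inet-filter-chain-ingoing
+          nftables::chain{ 'ingoing':
+            inject     => '20-default_fwd',
+            inject_iif => 'eth0',
+            inject_oif => 'eth1';
+          }
+
           # inet-filter-chain-default_fwd
           nftables::rule{
             'default_fwd-out':
@@ -18,10 +25,11 @@
             'default_fwd-drop':
               order   => '90',
               content => 'iifname eth0 drop';
-            'default_fwd-in_web':
-              order   => '30',
-              content => 'iifname eth0 oifname eth1 ip daddr 192.0.2.2 tcp dport { http, https } accept';
-            'PREROUTING-in_web':
+
+            'ingoing-web':
+              order   => '10',
+              content => 'ip daddr 192.0.2.2 tcp dport { http, https } accept';
+            'PREROUTING-web':
               table   => 'ip-nat',
               order   => '30',
               content => 'iifname eth0 tcp dport { http, https } dnat to 192.0.2.2';
@@ -52,10 +60,10 @@
           :content => /^  iifname eth1 oifname eth0 accept$/,
           :order   => '20',
         )}
-        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-in_web').with(
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-jump_ingoing').with(
           :target  => 'nftables-inet-filter-chain-default_fwd',
-          :content => /^  iifname eth0 oifname eth1 ip daddr 192.0.2.2 tcp dport \{ http, https \} accept$/,
-          :order   => '30',
+          :content => /^  iifname eth0 oifname eth1 jump ingoing$/,
+          :order   => '20',
         )}
         it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-default_fwd-rule-drop').with(
           :target  => 'nftables-inet-filter-chain-default_fwd',
@@ -68,6 +76,22 @@
           :order   => '99',
         )}
 
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-header').with(
+          :target  => 'nftables-inet-filter-chain-ingoing',
+          :content => /^chain ingoing {$/,
+          :order   => '00',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-rule-web').with(
+          :target  => 'nftables-inet-filter-chain-ingoing',
+          :content => /^  ip daddr 192.0.2.2 tcp dport \{ http, https \} accept$/,
+          :order   => '10',
+        )}
+        it { is_expected.to contain_concat__fragment('nftables-inet-filter-chain-ingoing-footer').with(
+          :target  => 'nftables-inet-filter-chain-ingoing',
+          :content => /^}$/,
+          :order   => '99',
+        )}
+
         it { is_expected.to contain_concat('nftables-ip-nat-chain-PREROUTING').with(
           :path           => '/etc/nftables/puppet/ip-nat-chain-PREROUTING.nft',
           :owner          => 'root',
@@ -90,7 +114,7 @@
           :content => /^  policy accept$/,
           :order   => '02',
         )}
-        it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-in_web').with(
+        it { is_expected.to contain_concat__fragment('nftables-ip-nat-chain-PREROUTING-rule-web').with(
           :target  => 'nftables-ip-nat-chain-PREROUTING',
           :content => /^  iifname eth0 tcp dport \{ http, https \} dnat to 192.0.2.2$/,
           :order   => '30',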
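Review bot: The new expectations only cover the branch where both `inject_iif` and `inject_oif` are set (`iifname eth0 oifname eth1 jump ingoing` at new line 65); the `undef => ''` arms added to the selectors in manifests/chain.pp are never exercised, so a regression that emitted a stray `iifname ` prefix or broke the plain `jump` form for chains without interface names would still pass. Declaring a second `nftables::chain` in the `pre_condition` with `inject` but no interface parameters, and asserting its fragment with something like `:content => /^  jump <chain>$/` (constructed example), would pin that path; a chain with only one of the two set would cover the mixed case. The `context 'as router'` block begins before the first hunk and its remaining expectations continue past the last one.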
