Révision b3a7a6dd
Allow to inject custom rules
| manifests/init.pp | ||
|---|---|---|
| 4 | 4 |
# class{'nftables:
|
| 5 | 5 |
# out_ntp = false, |
| 6 | 6 |
# out_dns = true, |
| 7 |
# }
|
|
| 7 |
# } |
|
| 8 | 8 |
# |
| 9 |
# @param out_all
|
|
| 9 |
# @param out_all |
|
| 10 | 10 |
# Allow all outbound connections. If `true` then all other |
| 11 | 11 |
# out parameters `out_ntp`, `out_dns`, ... will be assuemed |
| 12 | 12 |
# false. |
| ... | ... | |
| 33 | 33 |
Boolean $out_http = true, |
| 34 | 34 |
Boolean $out_https = true, |
| 35 | 35 |
Boolean $out_all = false, |
| 36 |
Hash $rules = {},
|
|
| 36 | 37 |
) {
|
| 37 | 38 |
|
| 38 | 39 |
package{'nftables':
|
| ... | ... | |
| 68 | 69 |
|
| 69 | 70 |
include nftables::inet_filter |
| 70 | 71 |
include nftables::ip_nat |
| 72 |
|
|
| 73 |
# inject custom rules e.g. from hiera |
|
| 74 |
create_resources(nftables::rule, $rules) |
|
| 71 | 75 |
} |
| spec/classes/nftables_spec.rb | ||
|---|---|---|
| 68 | 68 |
it { is_expected.to contain_nftables__rule('default_out-all').with_content('accept') }
|
| 69 | 69 |
it { is_expected.to contain_nftables__rule('default_out-all').with_order('90') }
|
| 70 | 70 |
end |
| 71 |
|
|
| 72 |
context 'with custom rules' do |
|
| 73 |
let(:params) do |
|
| 74 |
{
|
|
| 75 |
rules: {
|
|
| 76 |
'INPUT-web_accept' => {
|
|
| 77 |
order: '50', |
|
| 78 |
content: 'iifname eth0 tcp dport { 80, 443 } accept',
|
|
| 79 |
}, |
|
| 80 |
}, |
|
| 81 |
} |
|
| 82 |
end |
|
| 83 |
|
|
| 84 |
it {
|
|
| 85 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-web_accept').with(
|
|
| 86 |
target: 'nftables-inet-filter-chain-INPUT', |
|
| 87 |
content: %r{^ iifname eth0 tcp dport \{ 80, 443 \} accept$},
|
|
| 88 |
order: '50', |
|
| 89 |
) |
|
| 90 |
} |
|
| 91 |
end |
|
| 71 | 92 |
end |
| 72 | 93 |
end |
| 73 | 94 |
end |
Formats disponibles : Unified diff