root / manifests / rules / ftp.pp @ c00bcf2d
Historique | Voir | Annoter | Télécharger (1,05 ko)
| 1 | baad986e | Vadym Chepkov | # @summary manage in ftp (with conntrack helper) |
|---|---|---|---|
| 2 | # |
||
| 3 | # @param enable_passive |
||
| 4 | # Enable FTP passive mode support |
||
| 5 | # |
||
| 6 | # @param passive_ports |
||
| 7 | # Set the FTP passive mode port range |
||
| 8 | # |
||
| 9 | class nftables::rules::ftp ( |
||
| 10 | Boolean $enable_passive = true, |
||
| 11 | Nftables::Port::Range $passive_ports = '10090-10100', |
||
| 12 | ) {
|
||
| 13 | nftables::helper { 'ftp-standard':
|
||
| 14 | content => ' type "ftp" protocol tcp;', |
||
| 15 | } |
||
| 16 | nftables::chain { 'PRE': }
|
||
| 17 | nftables::rule {
|
||
| 18 | 'PRE-type': |
||
| 19 | order => '01', |
||
| 20 | content => 'type filter hook prerouting priority filter'; |
||
| 21 | 'PRE-policy': |
||
| 22 | order => '02', |
||
| 23 | content => 'policy accept'; |
||
| 24 | 'PRE-helper': |
||
| 25 | order => '03', |
||
| 26 | content => 'tcp dport 21 ct helper set "ftp-standard"'; |
||
| 27 | } |
||
| 28 | nftables::rule { 'default_in-ftp':
|
||
| 29 | content => 'tcp dport 21 accept', |
||
| 30 | } |
||
| 31 | if $enable_passive {
|
||
| 32 | nftables::rule { 'INPUT-ftp':
|
||
| 33 | order => '10', |
||
| 34 | content => "ct helper \"ftp\" tcp dport ${passive_ports} accept",
|
||
| 35 | } |
||
| 36 | } else {
|
||
| 37 | nftables::rule { 'INPUT-ftp':
|
||
| 38 | order => '10', |
||
| 39 | content => 'ct helper "ftp" accept', |
||
| 40 | } |
||
| 41 | } |
||
| 42 | } |