root / manifests / rule.pp @ c1bd001d
Historique | Voir | Annoter | Télécharger (2,32 ko)
| 1 |
# @summary Provides an interface to create a firewall rule |
|---|---|
| 2 |
# |
| 3 |
# @example add a rule named 'myhttp' to the 'default_in' chain to allow incoming traffic to TCP port 80 |
| 4 |
# nftables::rule {
|
| 5 |
# 'default_in-myhttp': |
| 6 |
# content => 'tcp dport 80 accept', |
| 7 |
# } |
| 8 |
# |
| 9 |
# @example add a rule named 'count' to the 'PREROUTING6' chain in table 'ip6 nat' to count traffic |
| 10 |
# nftables::rule {
|
| 11 |
# 'PREROUTING6-count': |
| 12 |
# content => 'counter', |
| 13 |
# table => 'ip6-nat' |
| 14 |
# } |
| 15 |
# |
| 16 |
# @example Redirect port 443 to port 8443 |
| 17 |
# nftables::rule { 'PREROUTING-redirect':
|
| 18 |
# content => 'tcp dport 443 redirect to :8443', |
| 19 |
# table => 'ip-nat', |
| 20 |
# } |
| 21 |
# nftables::rule{'PREROUTING6-redirect':
|
| 22 |
# content => 'tcp dport 443 redirect to :8443', |
| 23 |
# table => 'ip6-nat', |
| 24 |
# } |
| 25 |
# |
| 26 |
# @param ensure |
| 27 |
# Should the rule be created. |
| 28 |
# |
| 29 |
# @param rulename |
| 30 |
# The symbolic name for the rule and to what chain to add it. The |
| 31 |
# format is defined by the Nftables::RuleName type. |
| 32 |
# |
| 33 |
# @param order |
| 34 |
# A number representing the order of the rule. |
| 35 |
# |
| 36 |
# @param table |
| 37 |
# The name of the table to add this rule to. |
| 38 |
# |
| 39 |
# @param content |
| 40 |
# The raw statements that compose the rule represented using the nftables |
| 41 |
# language. |
| 42 |
# |
| 43 |
# @param source |
| 44 |
# Same goal as content but sourcing the value from a file. |
| 45 |
define nftables::rule ( |
| 46 |
Enum['present','absent'] $ensure = 'present', |
| 47 |
Nftables::RuleName $rulename = $title, |
| 48 |
Pattern[/^\d\d$/] $order = '50', |
| 49 |
String $table = 'inet-filter', |
| 50 |
Optional[String] $content = undef, |
| 51 |
Optional[Variant[String,Array[String,1]]] $source = undef, |
| 52 |
) {
|
| 53 |
if $ensure == 'present' {
|
| 54 |
$data = split($rulename, '-') |
| 55 |
|
| 56 |
if $data[2] {
|
| 57 |
$fragment = "nftables-${table}-chain-${data[0]}-rule-${data[1]}-${data[2]}"
|
| 58 |
} else {
|
| 59 |
$fragment = "nftables-${table}-chain-${data[0]}-rule-${data[1]}"
|
| 60 |
} |
| 61 |
|
| 62 |
concat::fragment { "${fragment}_header":
|
| 63 |
content => "# Start of fragment order:${order} rulename:${rulename}",
|
| 64 |
order => "${order}-${fragment}-a",
|
| 65 |
target => "nftables-${table}-chain-${data[0]}",
|
| 66 |
} |
| 67 |
|
| 68 |
concat::fragment {
|
| 69 |
$fragment: |
| 70 |
order => "${order}-${fragment}-b",
|
| 71 |
target => "nftables-${table}-chain-${data[0]}",
|
| 72 |
} |
| 73 |
|
| 74 |
if $content {
|
| 75 |
Concat::Fragment[$fragment] {
|
| 76 |
content => " ${content}",
|
| 77 |
} |
| 78 |
} else {
|
| 79 |
Concat::Fragment[$fragment] {
|
| 80 |
source => $source, |
| 81 |
} |
| 82 |
} |
| 83 |
} |
| 84 |
} |