root / README.md @ c88d259d
Historique | Voir | Annoter | Télécharger (6,13 ko)
| 1 |
# nftables puppet module |
|---|---|
| 2 |
|
| 3 |
[](https://forge.puppetlabs.com/puppet/nftables) |
| 4 |
[](https://forge.puppetlabs.com/puppet/nftables) |
| 5 |
[](http://www.puppetmodule.info/m/puppet-nftables) |
| 6 |
[](LICENSE) |
| 7 |
|
| 8 |
This module manages an opinionated nftables configuration. |
| 9 |
|
| 10 |
By default it sets up a firewall that drops every connection, except |
| 11 |
outbound ICMP, DNS, NTP, HTTP, and HTTPS, and inbound ICMP and SSH |
| 12 |
traffic: |
| 13 |
|
| 14 |
```puppet |
| 15 |
include nftables |
| 16 |
``` |
| 17 |
|
| 18 |
This can be overridden using parameters, for example, this allows all |
| 19 |
outbound traffic: |
| 20 |
|
| 21 |
```puppet |
| 22 |
class { 'nftables':
|
| 23 |
out_all => true, |
| 24 |
} |
| 25 |
``` |
| 26 |
|
| 27 |
There are also pre-built rules for specific services, for example this |
| 28 |
will allow a web server to serve traffic over HTTPS: |
| 29 |
|
| 30 |
```puppet |
| 31 |
include nftables |
| 32 |
include nftables::rules::https |
| 33 |
``` |
| 34 |
|
| 35 |
Note that the module conflicts with the `firewalld` system and will |
| 36 |
stop it in Puppet runs. |
| 37 |
|
| 38 |
## Configuration |
| 39 |
|
| 40 |
The main configuration file loaded by the nftables service |
| 41 |
will be `files/config/puppet.nft`, all other files created |
| 42 |
by that module go into `files/config/puppet` and will also |
| 43 |
be purged if not managed anymore. |
| 44 |
|
| 45 |
The main configuration file includes dedicated files for |
| 46 |
the filter and NAT tables, as well as processes any |
| 47 |
`custom-*.nft` files before hand. |
| 48 |
|
| 49 |
The filter and NAT tables both have all the master chains |
| 50 |
(`INPUT`, `OUTPUT`, `FORWARD` in case of filter and `PREROUTING` |
| 51 |
and `POSTROUTING` in case of NAT) configured, to which you |
| 52 |
can hook in your own chains that can contain specific |
| 53 |
rules. |
| 54 |
|
| 55 |
All filter masterchains drop by default. |
| 56 |
By default we have a set of `default_MASTERCHAIN` chains |
| 57 |
configured to which you can easily add your custom rules. |
| 58 |
|
| 59 |
For specific needs you can add your own chain. |
| 60 |
|
| 61 |
There is a global chain, that defines the default behavior |
| 62 |
for all masterchains. This chain is empty by default. |
| 63 |
|
| 64 |
`INPUT` and `OUTPUT` to the loopback device is allowed by |
| 65 |
default, though you could restrict it later. |
| 66 |
|
| 67 |
On the other hand, if you don't want any of the default tables, chains |
| 68 |
and rules created by the module, you can set `nftables::inet_filter` |
| 69 |
and/or `nftables::nat` to `false` and build your whole nftables |
| 70 |
configuration from scratch by using the building blocks provided by |
| 71 |
this module. Look at `nftables::inet_filter` for inspiration. |
| 72 |
|
| 73 |
## Rules Validation |
| 74 |
|
| 75 |
Initially puppet deploys all configuration to |
| 76 |
`/etc/nftables/puppet-preflight/` and |
| 77 |
`/etc/nftables/puppet-preflight.nft`. This is validated with |
| 78 |
`nft -c -I /etc/nftables/puppet-preflight/ -f /etc/nftables/puppet-preflight.nft`. |
| 79 |
If and only if successful the configuration will be copied to |
| 80 |
the real locations before the service is reloaded. |
| 81 |
|
| 82 |
## Un-managed rules |
| 83 |
|
| 84 |
By default, rules added manually by the administrator to the in-memory |
| 85 |
ruleset will be left untouched. However, |
| 86 |
`nftables::purge_unmanaged_rules` can be set to `true` to revert this |
| 87 |
behaviour and force a reload of the ruleset during the Puppet run if |
| 88 |
non-managed changes are detected. |
| 89 |
|
| 90 |
## Basic types |
| 91 |
|
| 92 |
### nftables::config |
| 93 |
|
| 94 |
Manages a raw file in `/etc/nftables/puppet/${name}.nft`
|
| 95 |
|
| 96 |
Use this for any custom table files. |
| 97 |
|
| 98 |
### nftables::chain |
| 99 |
|
| 100 |
Prepares a chain file as a `concat` file to which you will |
| 101 |
be able to add dedicated rules through `nftables::rule`. |
| 102 |
|
| 103 |
The name must be unique for all chains. The inject |
| 104 |
parameter can be used to directly add a jump to a |
| 105 |
masterchain. inject must follow the pattern |
| 106 |
`ORDER-MASTERCHAIN`, where order references a 2-digit |
| 107 |
number which defines the rule order (by default use e.g. 20) |
| 108 |
and masterchain references the chain to hook in the new |
| 109 |
chain. It's possible to specify the in-interface name and |
| 110 |
out-interface name for the inject rule. |
| 111 |
|
| 112 |
### nftables::rule |
| 113 |
|
| 114 |
A simple way to add rules to any chain. The name must be: |
| 115 |
`CHAIN_NAME-rulename`, where CHAIN_NAME refers to your |
| 116 |
chain and an arbitrary name for your rule. |
| 117 |
The rule will be a `concat::fragment` to the chain |
| 118 |
`CHAIN_NAME`. |
| 119 |
|
| 120 |
You can define the order by using the `order` param. |
| 121 |
|
| 122 |
Before defining your own rule, take a look to the list of ready-to-use rules |
| 123 |
available in the |
| 124 |
[REFERENCE](https://github.com/voxpupuli/puppet-nftables/blob/master/REFERENCE.md), |
| 125 |
somebody might have encapsulated a rule definition for you already. |
| 126 |
|
| 127 |
### nftables::set |
| 128 |
|
| 129 |
Adds a named set to a given table. It allows composing the |
| 130 |
set using individual parameters but also takes raw input |
| 131 |
via the content and source parameters. |
| 132 |
|
| 133 |
### nftables::simplerule |
| 134 |
|
| 135 |
Allows expressing firewall rules without having to use nftables's language by |
| 136 |
adding an abstraction layer a-la-Firewall. It's rather limited how far you can |
| 137 |
go so if you need rather complex rules or you can speak nftables it's |
| 138 |
recommended to use `nftables::rule` directly. |
| 139 |
|
| 140 |
## Facts |
| 141 |
|
| 142 |
One structured fact `nftables` is available |
| 143 |
|
| 144 |
``` |
| 145 |
{
|
| 146 |
tables => [ |
| 147 |
"bridge-filter", |
| 148 |
"bridge-nat", |
| 149 |
"inet-firewalld", |
| 150 |
"ip-firewalld", |
| 151 |
"ip6-firewalld" |
| 152 |
], |
| 153 |
version => "0.9.3" |
| 154 |
} |
| 155 |
``` |
| 156 |
|
| 157 |
* `nftables.version` is the version of the nft command from `nft --version`. |
| 158 |
* `nftables.tables` is the list of tables installed on the machine from `nft list tables`. |
| 159 |
|
| 160 |
## Editor goodies |
| 161 |
|
| 162 |
If you're using Emacs there are some snippets for |
| 163 |
[Yasnippet](https://github.com/joaotavora/yasnippet) available |
| 164 |
[here](https://github.com/nbarrientos/dotfiles/tree/master/.emacs.d/snippets/puppet-mode) |
| 165 |
that could make your life easier when using the module. This is third |
| 166 |
party configuration that's only included here for reference so changes |
| 167 |
in the interfaces exposed by this module are not guaranteed to be |
| 168 |
automatically applied there. |
| 169 |
|
| 170 |
## Development |
| 171 |
|
| 172 |
This module relies on CI testing. To ensure the tests and documentation is complete. |
| 173 |
|
| 174 |
The following steps are a blueprint for the necessary work to add a new rule to the module: |
| 175 |
|
| 176 |
1. add a new class for the new rule (there are enough examples) |
| 177 |
2. document class and parameters |
| 178 |
3. Add a spec test for the new rule to `spec/classes/rules` |
| 179 |
4. add the rule to `spec/acceptance/all_rules_spec.rb` |
| 180 |
5. update the reference with `bundle exec rake strings:generate:reference` |
| 181 |
6. commit, push and open a PR |