Révision c94658e1
Allow declaring the same set in several tables
Closes #100
| REFERENCE.md | ||
|---|---|---|
| 1554 | 1554 |
|
| 1555 | 1555 |
##### <a name="table"></a>`table` |
| 1556 | 1556 |
|
| 1557 |
Data type: `String`
|
|
| 1557 |
Data type: `Variant[String, Array[String, 1]]`
|
|
| 1558 | 1558 |
|
| 1559 |
table to add set to.
|
|
| 1559 |
table or array of tables to add the set to.
|
|
| 1560 | 1560 |
|
| 1561 | 1561 |
Default value: `'inet-filter'` |
| 1562 | 1562 |
|
| manifests/set.pp | ||
|---|---|---|
| 12 | 12 |
# @param setname name of set, equal to to title. |
| 13 | 13 |
# @param order concat ordering. |
| 14 | 14 |
# @param type type of set. |
| 15 |
# @param table table to add set to.
|
|
| 15 |
# @param table table or array of tables to add the set to.
|
|
| 16 | 16 |
# @param flags specify flags for set |
| 17 | 17 |
# @param timeout timeout in seconds |
| 18 | 18 |
# @param gc_interval garbage collection interval. |
| ... | ... | |
| 27 | 27 |
Pattern[/^[-a-zA-Z0-9_]+$/] $setname = $title, |
| 28 | 28 |
Pattern[/^\d\d$/] $order = '10', |
| 29 | 29 |
Optional[Enum['ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', 'mark']] $type = undef, |
| 30 |
String $table = 'inet-filter',
|
|
| 30 |
Variant[String, Array[String, 1]] $table = 'inet-filter',
|
|
| 31 | 31 |
Array[Enum['constant', 'dynamic', 'interval', 'timeout'], 0, 4] $flags = [], |
| 32 | 32 |
Optional[Integer] $timeout = undef, |
| 33 | 33 |
Optional[Integer] $gc_interval = undef, |
| ... | ... | |
| 44 | 44 |
} |
| 45 | 45 |
} |
| 46 | 46 |
|
| 47 |
if $ensure == 'present' {
|
|
| 48 |
concat::fragment {
|
|
| 49 |
"nftables-${table}-set-${setname}":
|
|
| 50 |
order => $order, |
|
| 51 |
target => "nftables-${table}",
|
|
| 52 |
} |
|
| 47 |
$_tables = Array($table, true) |
|
| 53 | 48 |
|
| 54 |
if $content {
|
|
| 55 |
Concat::Fragment["nftables-${table}-set-${setname}"] {
|
|
| 56 |
content => " ${content}",
|
|
| 57 |
} |
|
| 58 |
} elsif $source {
|
|
| 59 |
Concat::Fragment["nftables-${table}-set-${setname}"] {
|
|
| 60 |
source => $source, |
|
| 61 |
} |
|
| 62 |
} else {
|
|
| 63 |
if $type == undef {
|
|
| 64 |
fail('The way the resource is configured must have a type set')
|
|
| 49 |
if $ensure == 'present' {
|
|
| 50 |
$_tables.each |Integer $index, String $_table| {
|
|
| 51 |
concat::fragment {
|
|
| 52 |
"nftables-${_table}-set-${setname}":
|
|
| 53 |
order => $order, |
|
| 54 |
target => "nftables-${_table}",
|
|
| 65 | 55 |
} |
| 66 |
Concat::Fragment["nftables-${table}-set-${setname}"] {
|
|
| 67 |
content => epp('nftables/set.epp',
|
|
| 68 |
{
|
|
| 69 |
'name' => $setname, |
|
| 70 |
'type' => $type, |
|
| 71 |
'flags' => $flags, |
|
| 72 |
'timeout' => $timeout, |
|
| 73 |
'gc_interval' => $gc_interval, |
|
| 74 |
'elements' => $elements, |
|
| 75 |
'size' => $size, |
|
| 76 |
'policy' => $policy, |
|
| 77 |
'auto_merge' => $auto_merge, |
|
| 78 |
} |
|
| 79 |
) |
|
| 56 |
|
|
| 57 |
if $content {
|
|
| 58 |
Concat::Fragment["nftables-${_table}-set-${setname}"] {
|
|
| 59 |
content => " ${content}",
|
|
| 60 |
} |
|
| 61 |
} elsif $source {
|
|
| 62 |
Concat::Fragment["nftables-${_table}-set-${setname}"] {
|
|
| 63 |
source => $source, |
|
| 64 |
} |
|
| 65 |
} else {
|
|
| 66 |
if $type == undef {
|
|
| 67 |
fail('The way the resource is configured must have a type set')
|
|
| 68 |
} |
|
| 69 |
Concat::Fragment["nftables-${_table}-set-${setname}"] {
|
|
| 70 |
content => epp('nftables/set.epp',
|
|
| 71 |
{
|
|
| 72 |
'name' => $setname, |
|
| 73 |
'type' => $type, |
|
| 74 |
'flags' => $flags, |
|
| 75 |
'timeout' => $timeout, |
|
| 76 |
'gc_interval' => $gc_interval, |
|
| 77 |
'elements' => $elements, |
|
| 78 |
'size' => $size, |
|
| 79 |
'policy' => $policy, |
|
| 80 |
'auto_merge' => $auto_merge, |
|
| 81 |
} |
|
| 82 |
) |
|
| 83 |
} |
|
| 80 | 84 |
} |
| 81 | 85 |
} |
| 82 | 86 |
} |
| spec/acceptance/all_rules_spec.rb | ||
|---|---|---|
| 71 | 71 |
include nftables::rules::wireguard |
| 72 | 72 |
include nftables::services::dhcpv6_client |
| 73 | 73 |
include nftables::services::openafs_client |
| 74 |
nftables::set{'my_test_set':
|
|
| 75 |
type => 'ipv4_addr', |
|
| 76 |
elements => ['192.168.0.1', '10.0.0.2'], |
|
| 77 |
table => ['inet-filter', 'ip-nat'], |
|
| 78 |
} |
|
| 74 | 79 |
# nftables cannot be started in docker so replace service with a validation only. |
| 75 | 80 |
systemd::dropin_file{"zzz_docker_nft.conf":
|
| 76 | 81 |
ensure => present, |
| spec/defines/set_spec.rb | ||
|---|---|---|
| 154 | 154 |
) |
| 155 | 155 |
} |
| 156 | 156 |
end |
| 157 |
|
|
| 158 |
describe 'default table can be changed' do |
|
| 159 |
let(:params) do |
|
| 160 |
{
|
|
| 161 |
type: 'ipv6_addr', |
|
| 162 |
elements: ['2001:1458::1', '2001:1458:1::2'], |
|
| 163 |
table: 'ip-nat' |
|
| 164 |
} |
|
| 165 |
end |
|
| 166 |
|
|
| 167 |
it { is_expected.to compile }
|
|
| 168 |
it {
|
|
| 169 |
is_expected.to contain_concat__fragment('nftables-ip-nat-set-my_set').with(
|
|
| 170 |
target: 'nftables-ip-nat', |
|
| 171 |
content: %r{^ set my_set \{\n type ipv6_addr\n elements = \{ 2001:1458::1, 2001:1458:1::2 \}\n \}$}m,
|
|
| 172 |
order: '10', |
|
| 173 |
) |
|
| 174 |
} |
|
| 175 |
end |
|
| 176 |
|
|
| 177 |
describe 'multiple tables no tables' do |
|
| 178 |
let(:params) do |
|
| 179 |
{
|
|
| 180 |
type: 'ipv6_addr', |
|
| 181 |
elements: ['2001:1458::1', '2001:1458:1::2'], |
|
| 182 |
table: [] |
|
| 183 |
} |
|
| 184 |
end |
|
| 185 |
|
|
| 186 |
it { is_expected.not_to compile }
|
|
| 187 |
end |
|
| 188 |
|
|
| 189 |
describe 'multiple tables' do |
|
| 190 |
let(:params) do |
|
| 191 |
{
|
|
| 192 |
type: 'ipv6_addr', |
|
| 193 |
elements: ['2001:1458::1', '2001:1458:1::2'], |
|
| 194 |
table: ['inet-filter', 'ip-nat'] |
|
| 195 |
} |
|
| 196 |
end |
|
| 197 |
|
|
| 198 |
it { is_expected.to compile }
|
|
| 199 |
it {
|
|
| 200 |
is_expected.to contain_concat__fragment('nftables-inet-filter-set-my_set').with(
|
|
| 201 |
target: 'nftables-inet-filter', |
|
| 202 |
content: %r{^ set my_set \{\n type ipv6_addr\n elements = \{ 2001:1458::1, 2001:1458:1::2 \}\n \}$}m,
|
|
| 203 |
order: '10', |
|
| 204 |
) |
|
| 205 |
is_expected.to contain_concat__fragment('nftables-ip-nat-set-my_set').with(
|
|
| 206 |
target: 'nftables-ip-nat', |
|
| 207 |
content: %r{^ set my_set \{\n type ipv6_addr\n elements = \{ 2001:1458::1, 2001:1458:1::2 \}\n \}$}m,
|
|
| 208 |
order: '10', |
|
| 209 |
) |
|
| 210 |
} |
|
| 211 |
end |
|
| 157 | 212 |
end |
| 158 | 213 |
end |
| 159 | 214 |
end |
Formats disponibles : Unified diff