root / manifests / init.pp @ cb6f3584
Historique | Voir | Annoter | Télécharger (5,83 ko)
| 1 |
# @summary Configure nftables |
|---|---|
| 2 |
# |
| 3 |
# @example allow dns out and do not allow ntp out |
| 4 |
# class{'nftables:
|
| 5 |
# out_ntp = false, |
| 6 |
# out_dns = true, |
| 7 |
# } |
| 8 |
# |
| 9 |
# @example do not flush particular tables, fail2ban in this case |
| 10 |
# class{'nftables':
|
| 11 |
# noflush_tables = ['inet-f2b-table'], |
| 12 |
# } |
| 13 |
# |
| 14 |
# @param out_all |
| 15 |
# Allow all outbound connections. If `true` then all other |
| 16 |
# out parameters `out_ntp`, `out_dns`, ... will be assuemed |
| 17 |
# false. |
| 18 |
# |
| 19 |
# @param out_ntp |
| 20 |
# Allow outbound to ntp servers. |
| 21 |
# |
| 22 |
# @param out_http |
| 23 |
# Allow outbound to http servers. |
| 24 |
# |
| 25 |
# @param out_dns |
| 26 |
# Allow outbound to dns servers. |
| 27 |
# |
| 28 |
# @param out_https |
| 29 |
# Allow outbound to https servers. |
| 30 |
# |
| 31 |
# @param out_icmp |
| 32 |
# Allow outbound ICMPv4/v6 traffic. |
| 33 |
# |
| 34 |
# @param in_ssh |
| 35 |
# Allow inbound to ssh servers. |
| 36 |
# |
| 37 |
# @param in_icmp |
| 38 |
# Allow inbound ICMPv4/v6 traffic. |
| 39 |
# |
| 40 |
# @param nat |
| 41 |
# Add default tables and chains to process NAT traffic. |
| 42 |
# |
| 43 |
# @param sets |
| 44 |
# Allows sourcing set definitions directly from Hiera. |
| 45 |
# |
| 46 |
# @param log_prefix |
| 47 |
# String that will be used as prefix when logging packets. It can contain |
| 48 |
# two variables using standard sprintf() string-formatting: |
| 49 |
# * chain: Will be replaced by the name of the chain. |
| 50 |
# * comment: Allows chains to add extra comments. |
| 51 |
# |
| 52 |
# @param log_limit |
| 53 |
# String with the content of a limit statement to be applied |
| 54 |
# to the rules that log discarded traffic. Set to false to |
| 55 |
# disable rate limiting. |
| 56 |
# |
| 57 |
# @param reject_with |
| 58 |
# How to discard packets not matching any rule. If `false`, the |
| 59 |
# fate of the packet will be defined by the chain policy (normally |
| 60 |
# drop), otherwise the packet will be rejected with the REJECT_WITH |
| 61 |
# policy indicated by the value of this parameter. |
| 62 |
# |
| 63 |
# @param in_out_conntrack |
| 64 |
# Adds INPUT and OUTPUT rules to allow traffic that's part of an |
| 65 |
# established connection and also to drop invalid packets. |
| 66 |
# |
| 67 |
# @param fwd_conntrack |
| 68 |
# Adds FORWARD rules to allow traffic that's part of an |
| 69 |
# established connection and also to drop invalid packets. |
| 70 |
# |
| 71 |
# @param firewalld_enable |
| 72 |
# Configures how the firewalld systemd service unit is enabled. It might be |
| 73 |
# useful to set this to false if you're externaly removing firewalld from |
| 74 |
# the system completely. |
| 75 |
# |
| 76 |
# @param noflush_tables |
| 77 |
# If specified only other existings tables will be flushed. |
| 78 |
# If left unset all tables will be flushed via a `flush ruleset` |
| 79 |
# |
| 80 |
# @param rules |
| 81 |
# Specify hashes of `nftables::rule`s via hiera |
| 82 |
# |
| 83 |
# @param configuration_path |
| 84 |
# The absolute path to the principal nftables configuration file. |
| 85 |
# |
| 86 |
class nftables ( |
| 87 |
Boolean $in_ssh = true, |
| 88 |
Boolean $in_icmp = true, |
| 89 |
Boolean $out_ntp = true, |
| 90 |
Boolean $out_dns = true, |
| 91 |
Boolean $out_http = true, |
| 92 |
Boolean $out_https = true, |
| 93 |
Boolean $out_icmp = true, |
| 94 |
Boolean $out_all = false, |
| 95 |
Boolean $in_out_conntrack = true, |
| 96 |
Boolean $fwd_conntrack = false, |
| 97 |
Boolean $nat = true, |
| 98 |
Hash $rules = {},
|
| 99 |
Hash $sets = {},
|
| 100 |
String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 101 |
Variant[Boolean[false], String] $log_limit = '3/minute burst 5 packets', |
| 102 |
Variant[Boolean[false], Pattern[/icmp(v6|x)? type .+|tcp reset/]] $reject_with = 'icmpx type port-unreachable', |
| 103 |
Variant[Boolean[false], Enum['mask']] $firewalld_enable = 'mask', |
| 104 |
Optional[Array[Pattern[/^(ip|ip6|inet)-[-a-zA-Z0-9_]+$/],1]] $noflush_tables = undef, |
| 105 |
Stdlib::Unixpath $configuration_path = '/etc/sysconfig/nftables.conf', |
| 106 |
Stdlib::Unixpath $nft_path = '/usr/sbin/nft', |
| 107 |
Stdlib::Unixpath $systemctl_path = '/usr/bin/systemctl', |
| 108 |
Stdlib::Unixpath $echo_path = '/usr/bin/echo', |
| 109 |
) {
|
| 110 |
package { 'nftables':
|
| 111 |
ensure => installed, |
| 112 |
} -> file_line {
|
| 113 |
'enable_nftables': |
| 114 |
line => 'include "/etc/nftables/puppet.nft"', |
| 115 |
path => $configuration_path, |
| 116 |
notify => Service['nftables'], |
| 117 |
} -> file {
|
| 118 |
default: |
| 119 |
owner => 'root', |
| 120 |
group => 'root', |
| 121 |
mode => '0640'; |
| 122 |
'/etc/nftables': |
| 123 |
ensure => directory, |
| 124 |
mode => '0750'; |
| 125 |
'/etc/nftables/puppet-preflight': |
| 126 |
ensure => directory, |
| 127 |
mode => '0750', |
| 128 |
purge => true, |
| 129 |
force => true, |
| 130 |
recurse => true; |
| 131 |
'/etc/nftables/puppet-preflight.nft': |
| 132 |
ensure => file, |
| 133 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
|
| 134 |
} ~> exec {
|
| 135 |
'nft validate': |
| 136 |
refreshonly => true, |
| 137 |
command => "${nft_path} -I /etc/nftables/puppet-preflight -c -f /etc/nftables/puppet-preflight.nft || ( ${echo_path} \"#CONFIG BROKEN\" >> /etc/nftables/puppet-preflight.nft && /bin/false)";
|
| 138 |
} -> file {
|
| 139 |
default: |
| 140 |
owner => 'root', |
| 141 |
group => 'root', |
| 142 |
mode => '0640'; |
| 143 |
'/etc/nftables/puppet.nft': |
| 144 |
ensure => file, |
| 145 |
content => epp('nftables/config/puppet.nft.epp', { 'nat' => $nat, 'noflush' => $noflush_tables });
|
| 146 |
'/etc/nftables/puppet': |
| 147 |
ensure => directory, |
| 148 |
mode => '0750', |
| 149 |
purge => true, |
| 150 |
force => true, |
| 151 |
recurse => true; |
| 152 |
} ~> service { 'nftables':
|
| 153 |
ensure => running, |
| 154 |
enable => true, |
| 155 |
hasrestart => true, |
| 156 |
restart => "${systemctl_path} reload nftables",
|
| 157 |
} |
| 158 |
|
| 159 |
$puppet_nft_vars = {
|
| 160 |
'configuration_path' => $configuration_path, |
| 161 |
'nft_path' => $nft_path, |
| 162 |
} |
| 163 |
systemd::dropin_file { 'puppet_nft.conf':
|
| 164 |
ensure => present, |
| 165 |
unit => 'nftables.service', |
| 166 |
content => epp('nftables/systemd/puppet_nft.conf.epp', $puppet_nft_vars),
|
| 167 |
notify => Service['nftables'], |
| 168 |
} |
| 169 |
|
| 170 |
# firewalld.enable can be mask or false depending upon if firewalld is installed or not |
| 171 |
# https://tickets.puppetlabs.com/browse/PUP-10814 |
| 172 |
service { 'firewalld':
|
| 173 |
ensure => stopped, |
| 174 |
enable => $firewalld_enable, |
| 175 |
} |
| 176 |
|
| 177 |
include nftables::inet_filter |
| 178 |
if $nat {
|
| 179 |
include nftables::ip_nat |
| 180 |
} |
| 181 |
|
| 182 |
# inject custom rules e.g. from hiera |
| 183 |
$rules.each |$n,$v| {
|
| 184 |
nftables::rule {
|
| 185 |
$n: |
| 186 |
* => $v, |
| 187 |
} |
| 188 |
} |
| 189 |
|
| 190 |
# inject custom sets e.g. from hiera |
| 191 |
$sets.each |$n,$v| {
|
| 192 |
nftables::set {
|
| 193 |
$n: |
| 194 |
* => $v, |
| 195 |
} |
| 196 |
} |
| 197 |
} |