/ - Diff - puppet nftables - Koumbit's Redmine

Révision d7d6d5d3

ID	d7d6d5d3903c66c32abc61afe4832e9d82efcbaf
Parent	545a379b
Enfant	e5a1eb78

Ajouté par Tim Meusel il y a plus d'un an

simplerule: Add support for outgoing interface filtering

     * [`saddr`](#-nftables--simplerule--saddr)
     * [`counter`](#-nftables--simplerule--counter)
     * [`iifname`](#-nftables--simplerule--iifname)
     * [`oifname`](#-nftables--simplerule--oifname)
     ##### <a name="-nftables--simplerule--ensure"></a>`ensure`
-...
     Default value: `undef`
     ##### <a name="-nftables--simplerule--oifname"></a>`oifname`
     Data type: `Optional[String[1]]`
     Optional filter for the outgoing interface
     Default value: `undef`
     ## Data types
     ### <a name="Nftables--Addr"></a>`Nftables::Addr`

+    #
     # @param iifname
     #   Optional filter for the incoming interface
     # @param oifname
     #   Optional filter for the outgoing interface
     define nftables::simplerule (
       Enum['present','absent'] $ensure = 'present',
       Nftables::SimpleRuleName $rulename = $title,
-...
       Optional[Nftables::Addr] $saddr = undef,
       Boolean $counter = false,
       Optional[String[1]] $iifname = undef,
       Optional[String[1]] $oifname = undef,
     ) {
       if $dport and !$proto {
         fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
-...
               'set_type' => $set_type,
               'sport'    => $sport,
               'iifname'  => $iifname,
               'oifname'  => $oifname,
+            }
           ),
           order   => $order,

     require 'spec_helper_acceptance'
     describe 'nftables class' do
       context 'configure a simple rule with input interface' do
       context 'configure a simple rule with interface' do
         it_behaves_like 'an idempotent resource' do
           let(:manifest) do
             <<-EOS
-...
               in_ssh           => false,
               in_icmp          => false,
+            }
             # just incoming interface
             nftables::simplerule { 'dummyrule_in':
               action  => 'accept',
               iifname => $facts['networking']['primary'],
               comment => 'allow some multicast stuff',
               daddr   => 'ff02::fb',
+            }
             # just outgoing interface
             nftables::simplerule { 'dummyrule_out':
               action  => 'accept',
               oifname => $facts['networking']['primary'],
               comment => 'allow some multicast stuff',
               chain   => 'default_out',
               daddr   => 'ff02::fb',
+            }
             # outgoing + incoming interface
             nftables::simplerule { 'dummyrule_fwd':
               action  => 'accept',
               iifname => $facts['networking']['primary'],
               oifname => 'lo',
               comment => 'allow some multicast stuff',
               chain   => 'default_fwd',
               daddr   => 'ff02::fb',
+            }
             include nftables::rules::ssh
             include nftables::rules::out::dns
             include nftables::rules::out::ssh

           String                   $set_type,
           Optional[Nftables::Port] $sport,
           Optional[String[1]]      $iifname,
           Optional[String[1]]      $oifname,
     | -%>
     <%- if $proto {
       $_proto = $proto ? {
-...
     } else {
       $_iifname = undef
     } -%>
     <%= regsubst(strip([$_ip_version_filter, $_iifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>
     <%- if $oifname {
       $_oifname = "oifname \"${oifname}\""
     } else {
       $_oifname = undef
     } -%>
     <%= regsubst(strip([$_ip_version_filter, $_iifname, $_oifname, $_src_port, $_dst_port, $_src_hosts, $_dst_hosts, $_counter, $action, $_comment].join(' ')), '\s+', ' ', 'G') -%>

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision d7d6d5d3