/ - Diff - puppet nftables - Koumbit's Redmine

Révision e17693e3

ID	e17693e334087a2d7ef4374c8b78bc0e332a337f
Parent	3f91610b
Enfant	9511e610

Ajouté par Steve Traylen il y a plus de 4 ans

New parameter out_all, default false

In order to allow all outbound traffic a parameter is
added to enable a simple `allow` entry on the out chain.

Default is false so backwards compatible.

If true all the other out_bound rules (ntp, ...) will be disabled
since not needed.

     # Reference
     <!-- DO NOT EDIT: This document was generated by Puppet Strings -->
     ## Table of Contents
     ### Classes
     * [`nftables`](#nftables): Configure nftables
     * [`nftables::inet_filter`](#nftablesinet_filter): manage basic chains in table inet filter
     * [`nftables::ip_nat`](#nftablesip_nat): manage basic chains in table ip nat
     * [`nftables::rules::http`](#nftablesruleshttp): manage in http
     * [`nftables::rules::https`](#nftablesruleshttps): manage in https
     * [`nftables::rules::icinga2`](#nftablesrulesicinga2): manage in icinga2
     * [`nftables::rules::ospf`](#nftablesrulesospf): manage in ospf
     * [`nftables::rules::ospf3`](#nftablesrulesospf3): manage in ospf3
     * [`nftables::rules::out::all`](#nftablesrulesoutall): allow all outbound
     * [`nftables::rules::out::chrony`](#nftablesrulesoutchrony): manage out chrony
     * [`nftables::rules::out::dhcp`](#nftablesrulesoutdhcp): manage out dhcp
     * [`nftables::rules::out::dns`](#nftablesrulesoutdns): manage out dns
     * [`nftables::rules::out::http`](#nftablesrulesouthttp): manage out http
     * [`nftables::rules::out::https`](#nftablesrulesouthttps): manage out https
     * [`nftables::rules::out::mysql`](#nftablesrulesoutmysql): manage out mysql
     * [`nftables::rules::out::ospf`](#nftablesrulesoutospf): manage out ospf
     * [`nftables::rules::out::ospf3`](#nftablesrulesoutospf3): manage out ospf3
     * [`nftables::rules::out::postgres`](#nftablesrulesoutpostgres): manage out postgres
     * [`nftables::rules::out::puppet`](#nftablesrulesoutpuppet): manage outgoing puppet
     * [`nftables::rules::out::smtp`](#nftablesrulesoutsmtp): manage out smtp
     * [`nftables::rules::out::ssh`](#nftablesrulesoutssh): manage out ssh
     * [`nftables::rules::out::ssh::remove`](#nftablesrulesoutsshremove): disable outgoing ssh
     * [`nftables::rules::out::tor`](#nftablesrulesouttor): manage out tor
     * [`nftables::rules::out::wireguard`](#nftablesrulesoutwireguard): manage out wireguard
     * [`nftables::rules::puppet`](#nftablesrulespuppet): manage in puppet
     * [`nftables::rules::smtp`](#nftablesrulessmtp): manage in smtp
     * [`nftables::rules::smtp_submission`](#nftablesrulessmtp_submission): manage in smtp submission
     * [`nftables::rules::smtps`](#nftablesrulessmtps): manage in smtps
     * [`nftables::rules::ssh`](#nftablesrulesssh): manage in ssh
     * [`nftables::rules::tor`](#nftablesrulestor): manage in tor
     * [`nftables::rules::wireguard`](#nftablesruleswireguard): manage in wireguard
     ### Defined types
     * [`nftables::chain`](#nftableschain): manage a chain
     * [`nftables::config`](#nftablesconfig): manage a config snippet
     * [`nftables::rule`](#nftablesrule): manage a chain rule Name should be:   CHAIN_NAME-rulename
     * [`nftables::rules::dnat4`](#nftablesrulesdnat4): manage a ipv4 dnat rule
     * [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic
     * [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule
     ## Classes
     ### `nftables`
     Configure nftables
     #### Examples
     #####
     ```puppet
     class{'nftables:
       out_ntp = false,
       out_dns = true,
+    }
     ```
     #### Parameters
     The following parameters are available in the `nftables` class.
     ##### `out_all`
     Data type: `Boolean`
     Allow all outbound connections. If `true` then all other
     out parameters `out_ntp`, `out_dns`, ... will be assuemed
     false.
     Default value: ``false``
     ##### `out_ntp`
     Data type: `Boolean`
     Allow outbound to ntp servers.
     Default value: ``true``
     ##### `out_http`
     Data type: `Boolean`
     Allow outbound to http servers.
     Default value: ``true``
     ##### `out_https`
     Data type: `Boolean`
     Allow outbound to https servers.
     Default value: ``true``
     ##### `out_https`
     Allow outbound to https servers.
     Default value: ``true``
     ##### `in_ssh`
     Data type: `Boolean`
     Allow inbound to ssh servers.
     Default value: ``true``
     ##### `out_dns`
     Data type: `Boolean`
     Default value: ``true``
     ### `nftables::inet_filter`
     manage basic chains in table inet filter
     ### `nftables::ip_nat`
     manage basic chains in table ip nat
     ### `nftables::rules::http`
     manage in http
     ### `nftables::rules::https`
     manage in https
     ### `nftables::rules::icinga2`
     manage in icinga2
     #### Parameters
     The following parameters are available in the `nftables::rules::icinga2` class.
     ##### `ports`
     Data type: `Array[Integer,1]`
     Default value: `[5665]`
     ### `nftables::rules::ospf`
     manage in ospf
     ### `nftables::rules::ospf3`
     manage in ospf3
     ### `nftables::rules::out::all`
     allow all outbound
     ### `nftables::rules::out::chrony`
     manage out chrony
     ### `nftables::rules::out::dhcp`
     manage out dhcp
     ### `nftables::rules::out::dns`
     manage out dns
     #### Parameters
     The following parameters are available in the `nftables::rules::out::dns` class.
     ##### `dns_server`
     Data type: `Optional[Variant[String,Array[String,1]]]`
     Default value: ``undef``
     ### `nftables::rules::out::http`
     manage out http
     ### `nftables::rules::out::https`
     manage out https
     ### `nftables::rules::out::mysql`
     manage out mysql
     ### `nftables::rules::out::ospf`
     manage out ospf
     ### `nftables::rules::out::ospf3`
     manage out ospf3
     ### `nftables::rules::out::postgres`
     manage out postgres
     ### `nftables::rules::out::puppet`
     manage outgoing puppet
     #### Parameters
     The following parameters are available in the `nftables::rules::out::puppet` class.
     ##### `puppetmaster`
     Data type: `Variant[String,Array[String,1]]`
     ##### `puppetserver_port`
     Data type: `Integer`
     Default value: `8140`
     ### `nftables::rules::out::smtp`
     manage out smtp
     ### `nftables::rules::out::ssh`
     manage out ssh
     ### `nftables::rules::out::ssh::remove`
     disable outgoing ssh
     ### `nftables::rules::out::tor`
     manage out tor
     ### `nftables::rules::out::wireguard`
     manage out wireguard
     #### Parameters
     The following parameters are available in the `nftables::rules::out::wireguard` class.
     ##### `ports`
     Data type: `Array[Integer,1]`
     Default value: `[51820]`
     ### `nftables::rules::puppet`
     manage in puppet
     #### Parameters
     The following parameters are available in the `nftables::rules::puppet` class.
     ##### `ports`
     Data type: `Array[Integer,1]`
     Default value: `[8140]`
     ### `nftables::rules::smtp`
     manage in smtp
     ### `nftables::rules::smtp_submission`
     manage in smtp submission
     ### `nftables::rules::smtps`
     manage in smtps
     ### `nftables::rules::ssh`
     manage in ssh
     #### Parameters
     The following parameters are available in the `nftables::rules::ssh` class.
     ##### `ports`
     Data type: `Array[Integer,1]`
     Default value: `[22]`
     ### `nftables::rules::tor`
     manage in tor
     #### Parameters
     The following parameters are available in the `nftables::rules::tor` class.
     ##### `ports`
     Data type: `Array[Integer,1]`
     Default value: `[9001]`
     ### `nftables::rules::wireguard`
     manage in wireguard
     #### Parameters
     The following parameters are available in the `nftables::rules::wireguard` class.
     ##### `ports`
     Data type: `Array[Integer,1]`
     Default value: `[51820]`
     ## Defined types
     ### `nftables::chain`
     manage a chain
     #### Parameters
     The following parameters are available in the `nftables::chain` defined type.
     ##### `table`
     Data type: `Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/]`
     Default value: `'inet-filter'`
     ##### `chain`
     Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
     Default value: `$title`
     ##### `inject`
     Data type: `Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]]`
     Default value: ``undef``
     ##### `inject_iif`
     Data type: `Optional[String]`
     Default value: ``undef``
     ##### `inject_oif`
     Data type: `Optional[String]`
     Default value: ``undef``
     ### `nftables::config`
     manage a config snippet
     #### Parameters
     The following parameters are available in the `nftables::config` defined type.
     ##### `content`
     Data type: `Optional[String]`
     Default value: ``undef``
     ##### `source`
     Data type: `Optional[Variant[String,Array[String,1]]]`
     Default value: ``undef``
     ### `nftables::rule`
     manage a chain rule
     Name should be:
       CHAIN_NAME-rulename
     #### Parameters
     The following parameters are available in the `nftables::rule` defined type.
     ##### `ensure`
     Data type: `Enum['present','absent']`
     Default value: `'present'`
     ##### `rulename`
     Data type: `Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]`
     Default value: `$title`
     ##### `order`
     Data type: `Pattern[/^\d\d$/]`
     Default value: `'50'`
     ##### `table`
     Data type: `Optional[String]`
     Default value: `'inet-filter'`
     ##### `content`
     Data type: `Optional[String]`
     Default value: ``undef``
     ##### `source`
     Data type: `Optional[Variant[String,Array[String,1]]]`
     Default value: ``undef``
     ### `nftables::rules::dnat4`
     manage a ipv4 dnat rule
     #### Parameters
     The following parameters are available in the `nftables::rules::dnat4` defined type.
     ##### `daddr`
     Data type: `Pattern[/^[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}\.[12]?\d{1,2}$/]`
     ##### `port`
     Data type: `Variant[String,Integer[1,65535]]`
     ##### `rulename`
     Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
     Default value: `$title`
     ##### `order`
     Data type: `Pattern[/^\d\d$/]`
     Default value: `'50'`
     ##### `chain`
     Data type: `String[1]`
     Default value: `'default_fwd'`
     ##### `iif`
     Data type: `Optional[String[1]]`
     Default value: ``undef``
     ##### `proto`
     Data type: `Enum['tcp','udp']`
     Default value: `'tcp'`
     ##### `dport`
     Data type: `Optional[Variant[String,Integer[1,65535]]]`
     Default value: `''`
     ##### `ensure`
     Data type: `Enum['present','absent']`
     Default value: `'present'`
     ### `nftables::rules::masquerade`
     masquerade all outgoing traffic
     #### Parameters
     The following parameters are available in the `nftables::rules::masquerade` defined type.
     ##### `rulename`
     Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
     Default value: `$title`
     ##### `order`
     Data type: `Pattern[/^\d\d$/]`
     Default value: `'70'`
     ##### `chain`
     Data type: `String[1]`
     Default value: `'POSTROUTING'`
     ##### `oif`
     Data type: `Optional[String[1]]`
     Default value: ``undef``
     ##### `saddr`
     Data type: `Optional[String[1]]`
     Default value: ``undef``
     ##### `daddr`
     Data type: `Optional[String[1]]`
     Default value: ``undef``
     ##### `proto`
     Data type: `Optional[Enum['tcp','udp']]`
     Default value: ``undef``
     ##### `dport`
     Data type: `Optional[Variant[String,Integer[1,65535]]]`
     Default value: ``undef``
     ##### `ensure`
     Data type: `Enum['present','absent']`
     Default value: `'present'`
     ### `nftables::rules::snat4`
     manage a ipv4 snat rule
     #### Parameters
     The following parameters are available in the `nftables::rules::snat4` defined type.
     ##### `snat`
     Data type: `String[1]`
     ##### `rulename`
     Data type: `Pattern[/^[a-zA-Z0-9_]+$/]`
     Default value: `$title`
     ##### `order`
     Data type: `Pattern[/^\d\d$/]`
     Default value: `'70'`
     ##### `chain`
     Data type: `String[1]`
     Default value: `'POSTROUTING'`
     ##### `oif`
     Data type: `Optional[String[1]]`
     Default value: ``undef``
     ##### `saddr`
     Data type: `Optional[String[1]]`
     Default value: ``undef``
     ##### `proto`
     Data type: `Optional[Enum['tcp','udp']]`
     Default value: ``undef``
     ##### `dport`
     Data type: `Optional[Variant[String,Integer[1,65535]]]`
     Default value: ``undef``
     ##### `ensure`
     Data type: `Enum['present','absent']`
     Default value: `'present'`

     # manage nftables
     # @summary Configure nftables
+    #
     # @example
     #   class{'nftables:
     #     out_ntp = false,
     #     out_dns = true,
     #   }
+    #
     # @param out_all
     #   Allow all outbound connections. If `true` then all other
     #   out parameters `out_ntp`, `out_dns`, ... will be assuemed
     #   false.
+    #
     # @param out_ntp
     #   Allow outbound to ntp servers.
+    #
     # @param out_http
     #   Allow outbound to http servers.
+    #
     # @param out_https
     #   Allow outbound to https servers.
+    #
     # @param out_https
     #   Allow outbound to https servers.
+    #
     # @param in_ssh
     #   Allow inbound to ssh servers.
+    #
     class nftables (
       Boolean $in_ssh    = true,
       Boolean $out_ntp   = true,
       Boolean $out_dns   = true,
       Boolean $out_http  = true,
       Boolean $out_https = true,
       Boolean $out_all   = false,
     ) {
       package{'nftables':

+      }
       # basic outgoing rules
       if $nftables::out_ntp {
         include nftables::rules::out::chrony
+      }
       if $nftables::out_dns {
         include nftables::rules::out::dns
+      }
       if $nftables::out_http {
         include nftables::rules::out::http
+      }
       if $nftables::out_https {
         include nftables::rules::out::https
       if $nftables::out_all {
         include nftables::rules::out::all
       } else {
         if $nftables::out_ntp {
           include nftables::rules::out::chrony
+        }
         if $nftables::out_dns {
           include nftables::rules::out::dns
+        }
         if $nftables::out_http {
           include nftables::rules::out::http
+        }
         if $nftables::out_https {
           include nftables::rules::out::https
+        }
+      }
+    }

     # allow all outbound
     class nftables::rules::out::all {
       nftables::rule{
         'default_out-all':
           order   => '90',
           content => 'accept',
+      }
+    }

               enable: 'mask',
+            )
+          }
           it { is_expected.to contain_class('nftables::rules::out::http') }
           it { is_expected.to contain_class('nftables::rules::out::https') }
           it { is_expected.to contain_class('nftables::rules::out::dns') }
           it { is_expected.to contain_class('nftables::rules::out::chrony') }
           it { is_expected.not_to contain_class('nftables::rules::out::all') }
           it { is_expected.not_to contain_nftables__rule('default_out-all') }
           context 'with out_all set true' do
             let(:params) do {
               out_all: true
+            }
             end
             it { is_expected.to contain_class('nftables::rules::out::all') }
             it { is_expected.not_to contain_class('nftables::rules::out::http') }
             it { is_expected.not_to contain_class('nftables::rules::out::https') }
             it { is_expected.not_to contain_class('nftables::rules::out::dns') }
             it { is_expected.not_to contain_class('nftables::rules::out::chrony') }
             it { is_expected.to contain_nftables__rule('default_out-all').with_content('accept') }
             it { is_expected.to contain_nftables__rule('default_out-all').with_order('90') }
           end
         end
       end
     end

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision e17693e3