# @summary Default firewall configuration for Docker-CE
#
# Declares, as nftables resources, the rule set docker-ce would install by
# itself when its iptables integration is enabled: the forward-path isolation
# and accept rules in inet-filter, and the masquerade / DNAT-dispatch rules in
# the ip NAT table.
#
# The class exists because the rules docker-ce adds to ip-filter conflict with
# the inet-filter forward rules this module sets up by default.
#
# Docker's own rule management therefore has to be disabled
# ('docker::iptables: false') when this class is used.
#
# NOTE(review): with docker's iptables integration off, docker does not add its
# per-container port rules to the NAT-table DOCKER chain that this class
# dispatches to; published ports then need rules from elsewhere. Confirm against
# the docker version in use.
#
# @param docker_interface
#   Name of the bridge interface docker uses. It is interpolated, in double
#   quotes, straight into the nft rule text, so it must be a plain interface
#   name; the String[1] type does not check it against nft syntax.
# @param docker_prefix
#   IPv4 prefix of the docker network; traffic from it is masqueraded when it
#   leaves through an interface other than docker_interface.
# @param manage_docker_chains
#   Whether this class declares the DOCKER* chains in inet-filter and the
#   DOCKER chain of the NAT table.
# @param manage_base_chains
#   Whether this class declares the INPUT and OUTPUT base chains of the NAT
#   table.
class nftables::rules::docker_ce (
  String[1]                     $docker_interface     = 'docker0',
  Stdlib::IP::Address::V4::CIDR $docker_prefix        = '172.17.0.0/16',
  Boolean                       $manage_docker_chains = true,
  Boolean                       $manage_base_chains   = true,
) {
  # Name of the NAT table every ip-nat resource below refers to.
  $nat_table = "ip-${nftables::nat_table_name}"

  #
  # inet-filter
  #

  # Regular chains docker expects in the filter table. Only the isolation
  # chains and DOCKER_USER get content here; DOCKER is declared empty.
  if $manage_docker_chains {
    nftables::chain { ['DOCKER', 'DOCKER_ISOLATION_STAGE_1', 'DOCKER_ISOLATION_STAGE_2', 'DOCKER_USER']: }
  }

  # Stage 1: traffic leaving the docker bridge for any other interface is
  # handed to stage 2; everything else goes back to the caller.
  nftables::rule { 'DOCKER_ISOLATION_STAGE_1-iifname':
    order   => '01',
    content => "iifname \"${docker_interface}\" oifname != \"${docker_interface}\" counter jump DOCKER_ISOLATION_STAGE_2",
  }
  nftables::rule { 'DOCKER_ISOLATION_STAGE_1-counter':
    order   => '02',
    content => 'counter return',
  }

  # Stage 2: drop what would be forwarded back into the docker bridge.
  nftables::rule { 'DOCKER_ISOLATION_STAGE_2-drop':
    order   => '01',
    content => "oifname \"${docker_interface}\" counter drop",
  }
  nftables::rule { 'DOCKER_ISOLATION_STAGE_2-counter':
    order   => '02',
    content => 'counter return',
  }

  # DOCKER_USER only returns here; it is the chain where site-specific rules
  # can be placed ahead of docker's own handling.
  nftables::rule { 'DOCKER_USER-counter':
    order   => '01',
    content => 'counter return',
  }

  # Forward-path rules, evaluated in order 40..45 inside default_fwd. The
  # default_fwd chain itself is expected to be declared elsewhere in the module.
  nftables::rule { 'default_fwd-jump_docker_user':
    order   => '40',
    content => 'counter jump DOCKER_USER',
  }
  nftables::rule { 'default_fwd-jump_docker_isolation_stage_1':
    order   => '41',
    content => 'counter jump DOCKER_ISOLATION_STAGE_1',
  }
  # Replies to connections initiated from the docker side are accepted.
  nftables::rule { 'default_fwd-out_docker_accept':
    order   => '42',
    content => "oifname \"${docker_interface}\" ct state established,related counter accept",
  }
  # Remaining traffic towards the bridge is handed to the DOCKER chain.
  nftables::rule { 'default_fwd-jump_docker':
    order   => '43',
    content => "oifname \"${docker_interface}\" counter jump DOCKER",
  }
  # Traffic originating from the bridge is accepted, whether it leaves through
  # another interface or stays on the bridge.
  nftables::rule { 'default_fwd-idocker_onot_accept':
    order   => '44',
    content => "iifname \"${docker_interface}\" oifname != \"${docker_interface}\" counter accept",
  }
  nftables::rule { 'default_fwd-idocker_odocker_accept':
    order   => '45',
    content => "iifname \"${docker_interface}\" oifname \"${docker_interface}\" counter accept",
  }

  #
  # ip-nat
  #

  if $manage_docker_chains {
    nftables::chain { "DOCKER-${nftables::nat_table_name}":
      table => $nat_table,
      chain => 'DOCKER',
    }
  }

  if $manage_base_chains {
    nftables::chain { "OUTPUT-${nftables::nat_table_name}":
      table => $nat_table,
      chain => 'OUTPUT',
    }
    nftables::chain { "INPUT-${nftables::nat_table_name}":
      table => $nat_table,
      chain => 'INPUT',
    }
  }

  # Source NAT for the docker prefix when it leaves through any interface other
  # than the docker bridge.
  nftables::rule { 'POSTROUTING-docker':
    table   => $nat_table,
    content => "oifname != \"${docker_interface}\" ip saddr ${docker_prefix} counter masquerade",
  }

  # Incoming packets for a local address are dispatched to the DOCKER chain;
  # locally generated ones too, except those aimed at loopback.
  nftables::rule { 'PREROUTING-docker':
    table   => $nat_table,
    content => 'fib daddr type local counter jump DOCKER',
  }
  nftables::rule { "OUTPUT-jump_docker@ip-${nftables::nat_table_name}":
    rulename => 'OUTPUT-jump_docker',
    table    => $nat_table,
    content  => 'ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER',
  }

  # Packets already coming from the bridge leave the DOCKER chain untouched.
  nftables::rule { 'DOCKER-counter':
    table   => $nat_table,
    content => "iifname \"${docker_interface}\" counter return",
  }

  # Base-chain definition of the NAT INPUT chain. These two rules are declared
  # regardless of manage_base_chains, so the chain must exist one way or another.
  nftables::rule { "INPUT-type@ip-${nftables::nat_table_name}":
    rulename => 'INPUT-type',
    table    => $nat_table,
    order    => '01',
    content  => 'type nat hook input priority 100',
  }
  nftables::rule { "INPUT-policy@ip-${nftables::nat_table_name}":
    rulename => 'INPUT-policy',
    table    => $nat_table,
    order    => '02',
    content  => 'policy accept',
  }
}