root / manifests / chain.pp @ e53053ce
Historique | Voir | Annoter | Télécharger (1,35 ko)
| 1 | 8efbdf9a | tr | # manage a chain |
|---|---|---|---|
| 2 | define nftables::chain( |
||
| 3 | 5df9303f | tr | Pattern[/^(ip|ip6|inet)-[a-zA-Z0-9_]+$/] |
| 4 | $table = 'inet-filter', |
||
| 5 | 8efbdf9a | tr | Pattern[/^[a-zA-Z0-9_]+$/] |
| 6 | $chain = $title, |
||
| 7 | Optional[Pattern[/^\d\d-[a-zA-Z0-9_]+$/]] |
||
| 8 | $inject = undef, |
||
| 9 | af544fea | tr | Optional[String] |
| 10 | $inject_iif = undef, |
||
| 11 | Optional[String] |
||
| 12 | $inject_oif = undef, |
||
| 13 | 8efbdf9a | tr | ){
|
| 14 | $concat_name = "nftables-${table}-chain-${chain}"
|
||
| 15 | |||
| 16 | concat{
|
||
| 17 | $concat_name: |
||
| 18 | path => "/etc/nftables/puppet/${table}-chain-${chain}.nft",
|
||
| 19 | owner => root, |
||
| 20 | group => root, |
||
| 21 | mode => '0640', |
||
| 22 | ensure_newline => true, |
||
| 23 | require => Package['nftables'], |
||
| 24 | notify => Service['nftables'], |
||
| 25 | } |
||
| 26 | |||
| 27 | concat::fragment{
|
||
| 28 | default: |
||
| 29 | target => $concat_name; |
||
| 30 | "${concat_name}-header":
|
||
| 31 | order => '00', |
||
| 32 | e53053ce | Steve Traylen | content => "# Start of fragment order:00 ${chain} header\nchain ${chain} {";
|
| 33 | 8efbdf9a | tr | "${concat_name}-footer":
|
| 34 | order => '99', |
||
| 35 | e53053ce | Steve Traylen | content => "# Start of fragment order:99 ${chain} footer\n}";
|
| 36 | 8efbdf9a | tr | } |
| 37 | |||
| 38 | if $inject {
|
||
| 39 | $data = split($inject, '-') |
||
| 40 | af544fea | tr | $iif = $inject_iif ? {
|
| 41 | undef => '', |
||
| 42 | default => "iifname ${inject_iif} ",
|
||
| 43 | } |
||
| 44 | $oif = $inject_oif ? {
|
||
| 45 | undef => '', |
||
| 46 | default => "oifname ${inject_oif} ",
|
||
| 47 | } |
||
| 48 | 8efbdf9a | tr | nftables::rule{ "${data[1]}-jump_${chain}":
|
| 49 | order => $data[0], |
||
| 50 | af544fea | tr | content => "${iif}${oif}jump ${chain}",
|
| 51 | 8efbdf9a | tr | } |
| 52 | } |
||
| 53 | } |