puppet nftables

# manage a chain rule

# Name should be:

#   CHAIN_NAME-rulename

define nftables::rule(

  Enum['present','absent']

    $ensure = 'present',

  Pattern[/^[a-zA-Z0-9_]+-[a-zA-Z0-9_]+(-\d+)?$/]

    $rulename = $title,

  Pattern[/^\d\d$/]

    $order = '50',

  Optional[String]

    $table = 'inet-filter',

  Optional[String]

    $content = undef,

  Optional[Variant[String,Array[String,1]]]

    $source = undef,

){

  if $ensure == 'present' {

    $data = split($rulename, '-')

    if $data[2] {

      $fragment = "nftables-${table}-chain-${data[0]}-rule-${data[1]}-${data[2]}"

    } else {

      $fragment = "nftables-${table}-chain-${data[0]}-rule-${data[1]}"

    }

    concat::fragment{"${fragment}_header":

      content => "#   Start of fragment order:${order} rulename:${rulename}",

      order   => "${order}${fragment}a",

      target  => "nftables-${table}-chain-${data[0]}",

    }

    concat::fragment{

      $fragment:

        order  => "${order}${fragment}b",

        target => "nftables-${table}-chain-${data[0]}",

    }

    if $content {

      Concat::Fragment[$fragment]{

        content => "  ${content}",

      }

    } else {

      Concat::Fragment[$fragment]{

        source => $source,

      }

    }

  }

}