Révision ea96d5db
Move ct rules from global to INPUT and OUTPUT
| files/config/puppet-inet-filter.nft | ||
|---|---|---|
| 2 | 2 |
|
| 3 | 3 |
# something we want for all |
| 4 | 4 |
chain global {
|
| 5 |
ct state established,related accept |
|
| 6 |
ct state invalid drop |
|
| 7 |
|
|
| 8 | 5 |
ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
|
| 9 | 6 |
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
|
| 10 | 7 |
ip protocol icmp icmp type echo-request limit rate 4/second accept |
| manifests/inet_filter.pp | ||
|---|---|---|
| 50 | 50 |
content => "reject with ${$nftables::reject_with}";
|
| 51 | 51 |
} |
| 52 | 52 |
} |
| 53 |
if $nftables::in_out_conntrack {
|
|
| 54 |
nftables::rule{
|
|
| 55 |
'INPUT-accept_established_related': |
|
| 56 |
order => '05', |
|
| 57 |
content => 'ct state established,related accept'; |
|
| 58 |
'INPUT-drop_invalid': |
|
| 59 |
order => '06', |
|
| 60 |
content => 'ct state invalid drop'; |
|
| 61 |
} |
|
| 62 |
} |
|
| 53 | 63 |
|
| 54 | 64 |
# inet-filter-chain-OUTPUT |
| 55 | 65 |
nftables::rule{
|
| ... | ... | |
| 76 | 86 |
content => "reject with ${$nftables::reject_with}";
|
| 77 | 87 |
} |
| 78 | 88 |
} |
| 89 |
if $nftables::in_out_conntrack {
|
|
| 90 |
nftables::rule{
|
|
| 91 |
'OUTPUT-accept_established_related': |
|
| 92 |
order => '05', |
|
| 93 |
content => 'ct state established,related accept'; |
|
| 94 |
'OUTPUT-drop_invalid': |
|
| 95 |
order => '06', |
|
| 96 |
content => 'ct state invalid drop'; |
|
| 97 |
} |
|
| 98 |
} |
|
| 79 | 99 |
|
| 80 | 100 |
# inet-filter-chain-FORWARD |
| 81 | 101 |
nftables::rule{
|
| manifests/init.pp | ||
|---|---|---|
| 38 | 38 |
# drop), otherwise the packet will be rejected with the REJECT_WITH |
| 39 | 39 |
# policy indicated by the value of this parameter. |
| 40 | 40 |
# |
| 41 |
# @param in_out_conntrack |
|
| 42 |
# Adds INPUT and OUTPUT rules to allow traffic that's part of an |
|
| 43 |
# established connection and also to drop invalid packets. |
|
| 44 |
# |
|
| 41 | 45 |
class nftables ( |
| 42 | 46 |
Boolean $in_ssh = true, |
| 43 | 47 |
Boolean $out_ntp = true, |
| ... | ... | |
| 45 | 49 |
Boolean $out_http = true, |
| 46 | 50 |
Boolean $out_https = true, |
| 47 | 51 |
Boolean $out_all = false, |
| 52 |
Boolean $in_out_conntrack = true, |
|
| 48 | 53 |
Hash $rules = {},
|
| 49 | 54 |
String $log_prefix = '[nftables] %<chain>s %<comment>s', |
| 50 | 55 |
Variant[Boolean[false], Pattern[ |
| spec/classes/inet_filter_spec.rb | ||
|---|---|---|
| 88 | 88 |
) |
| 89 | 89 |
} |
| 90 | 90 |
it {
|
| 91 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related').with(
|
|
| 92 |
target: 'nftables-inet-filter-chain-INPUT', |
|
| 93 |
content: %r{^ ct state established,related accept$},
|
|
| 94 |
order: '05', |
|
| 95 |
) |
|
| 96 |
} |
|
| 97 |
it {
|
|
| 98 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid').with(
|
|
| 99 |
target: 'nftables-inet-filter-chain-INPUT', |
|
| 100 |
content: %r{^ ct state invalid drop$},
|
|
| 101 |
order: '06', |
|
| 102 |
) |
|
| 103 |
} |
|
| 104 |
it {
|
|
| 91 | 105 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-jump_default_in').with(
|
| 92 | 106 |
target: 'nftables-inet-filter-chain-INPUT', |
| 93 | 107 |
content: %r{^ jump default_in$},
|
| ... | ... | |
| 194 | 208 |
) |
| 195 | 209 |
} |
| 196 | 210 |
it {
|
| 211 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related').with(
|
|
| 212 |
target: 'nftables-inet-filter-chain-OUTPUT', |
|
| 213 |
content: %r{^ ct state established,related accept$},
|
|
| 214 |
order: '05', |
|
| 215 |
) |
|
| 216 |
} |
|
| 217 |
it {
|
|
| 218 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid').with(
|
|
| 219 |
target: 'nftables-inet-filter-chain-OUTPUT', |
|
| 220 |
content: %r{^ ct state invalid drop$},
|
|
| 221 |
order: '06', |
|
| 222 |
) |
|
| 223 |
} |
|
| 224 |
it {
|
|
| 197 | 225 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-jump_default_out').with(
|
| 198 | 226 |
target: 'nftables-inet-filter-chain-OUTPUT', |
| 199 | 227 |
content: %r{^ jump default_out$},
|
| ... | ... | |
| 321 | 349 |
) |
| 322 | 350 |
} |
| 323 | 351 |
it {
|
| 352 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
|
|
| 353 |
} |
|
| 354 |
it {
|
|
| 355 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
|
|
| 356 |
} |
|
| 357 |
it {
|
|
| 324 | 358 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-jump_default_fwd').with(
|
| 325 | 359 |
target: 'nftables-inet-filter-chain-FORWARD', |
| 326 | 360 |
content: %r{^ jump default_fwd$},
|
| ... | ... | |
| 500 | 534 |
|
| 501 | 535 |
it { is_expected.not_to compile }
|
| 502 | 536 |
end |
| 537 |
|
|
| 538 |
context 'without conntrack rules' do |
|
| 539 |
let(:params) do |
|
| 540 |
{
|
|
| 541 |
'in_out_conntrack' => false, |
|
| 542 |
} |
|
| 543 |
end |
|
| 544 |
|
|
| 545 |
it {
|
|
| 546 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-accept_established_related')
|
|
| 547 |
} |
|
| 548 |
it {
|
|
| 549 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-drop_invalid')
|
|
| 550 |
} |
|
| 551 |
it {
|
|
| 552 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-accept_established_related')
|
|
| 553 |
} |
|
| 554 |
it {
|
|
| 555 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-drop_invalid')
|
|
| 556 |
} |
|
| 557 |
it {
|
|
| 558 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-accept_established_related')
|
|
| 559 |
} |
|
| 560 |
it {
|
|
| 561 |
is_expected.not_to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-drop_invalid')
|
|
| 562 |
} |
|
| 563 |
end |
|
| 503 | 564 |
end |
| 504 | 565 |
end |
| 505 | 566 |
end |
Formats disponibles : Unified diff