Révision ed827383
Allow customising the log prefix
| manifests/inet_filter.pp | ||
|---|---|---|
| 39 | 39 |
content => 'jump global'; |
| 40 | 40 |
'INPUT-log_rejected': |
| 41 | 41 |
order => '98', |
| 42 |
content => 'log prefix "[nftables] INPUT Rejected: " flags all counter reject with icmpx type port-unreachable';
|
|
| 42 |
content => "log prefix \"${sprintf($nftables::log_prefix, { 'chain' => 'INPUT' })}\" flags all counter reject with icmpx type port-unreachable";
|
|
| 43 | 43 |
} |
| 44 | 44 |
|
| 45 | 45 |
# inet-filter-chain-OUTPUT |
| ... | ... | |
| 58 | 58 |
content => 'jump global'; |
| 59 | 59 |
'OUTPUT-log_rejected': |
| 60 | 60 |
order => '98', |
| 61 |
content => 'log prefix "[nftables] OUTPUT Rejected: " flags all counter reject with icmpx type port-unreachable';
|
|
| 61 |
content => "log prefix \"${sprintf($nftables::log_prefix, { 'chain' => 'OUTPUT' })}\" flags all counter reject with icmpx type port-unreachable";
|
|
| 62 | 62 |
} |
| 63 | 63 |
|
| 64 | 64 |
# inet-filter-chain-FORWARD |
| ... | ... | |
| 74 | 74 |
content => 'jump global'; |
| 75 | 75 |
'FORWARD-log_rejected': |
| 76 | 76 |
order => '98', |
| 77 |
content => 'log prefix "[nftables] FORWARD Rejected: " flags all counter reject with icmpx type port-unreachable';
|
|
| 77 |
content => "log prefix \"${sprintf($nftables::log_prefix, { 'chain' => 'FORWARD' })}\" flags all counter reject with icmpx type port-unreachable";
|
|
| 78 | 78 |
} |
| 79 | 79 |
|
| 80 | 80 |
# basic outgoing rules |
| manifests/init.pp | ||
|---|---|---|
| 34 | 34 |
Boolean $out_https = true, |
| 35 | 35 |
Boolean $out_all = false, |
| 36 | 36 |
Hash $rules = {},
|
| 37 |
String $log_prefix = '[nftables] %<chain>s Rejected: ', |
|
| 37 | 38 |
) {
|
| 38 | 39 |
|
| 39 | 40 |
package{'nftables':
|
| spec/classes/inet_filter_spec.rb | ||
|---|---|---|
| 328 | 328 |
) |
| 329 | 329 |
} |
| 330 | 330 |
end |
| 331 |
|
|
| 332 |
context 'custom log prefix without variable substitution' do |
|
| 333 |
let(:pre_condition) { 'class{\'nftables\': log_prefix => "test "}' }
|
|
| 334 |
|
|
| 335 |
it {
|
|
| 336 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_rejected').with(
|
|
| 337 |
target: 'nftables-inet-filter-chain-INPUT', |
|
| 338 |
content: %r{^ log prefix \"test " flags all counter reject with icmpx type port-unreachable$},
|
|
| 339 |
order: '98', |
|
| 340 |
) |
|
| 341 |
} |
|
| 342 |
it {
|
|
| 343 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_rejected').with(
|
|
| 344 |
target: 'nftables-inet-filter-chain-OUTPUT', |
|
| 345 |
content: %r{^ log prefix \"test " flags all counter reject with icmpx type port-unreachable$},
|
|
| 346 |
order: '98', |
|
| 347 |
) |
|
| 348 |
} |
|
| 349 |
it {
|
|
| 350 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_rejected').with(
|
|
| 351 |
target: 'nftables-inet-filter-chain-FORWARD', |
|
| 352 |
content: %r{^ log prefix \"test " flags all counter reject with icmpx type port-unreachable$},
|
|
| 353 |
order: '98', |
|
| 354 |
) |
|
| 355 |
} |
|
| 356 |
end |
|
| 357 |
|
|
| 358 |
context 'custom log prefix with variable substitution' do |
|
| 359 |
let(:pre_condition) { 'class{\'nftables\': log_prefix => " bar [%<chain>s] "}' } # rubocop:disable Style/FormatStringToken
|
|
| 360 |
|
|
| 361 |
it {
|
|
| 362 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-INPUT-rule-log_rejected').with(
|
|
| 363 |
target: 'nftables-inet-filter-chain-INPUT', |
|
| 364 |
content: %r{^ log prefix \" bar \[INPUT\] " flags all counter reject with icmpx type port-unreachable$},
|
|
| 365 |
order: '98', |
|
| 366 |
) |
|
| 367 |
} |
|
| 368 |
it {
|
|
| 369 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-OUTPUT-rule-log_rejected').with(
|
|
| 370 |
target: 'nftables-inet-filter-chain-OUTPUT', |
|
| 371 |
content: %r{^ log prefix \" bar \[OUTPUT\] " flags all counter reject with icmpx type port-unreachable$},
|
|
| 372 |
order: '98', |
|
| 373 |
) |
|
| 374 |
} |
|
| 375 |
it {
|
|
| 376 |
is_expected.to contain_concat__fragment('nftables-inet-filter-chain-FORWARD-rule-log_rejected').with(
|
|
| 377 |
target: 'nftables-inet-filter-chain-FORWARD', |
|
| 378 |
content: %r{^ log prefix \" bar \[FORWARD\] " flags all counter reject with icmpx type port-unreachable$},
|
|
| 379 |
order: '98', |
|
| 380 |
) |
|
| 381 |
} |
|
| 382 |
end |
|
| 331 | 383 |
end |
| 332 | 384 |
end |
| 333 | 385 |
end |
Formats disponibles : Unified diff