root / templates / config / puppet.nft.epp @ f1ef02c5
Historique | Voir | Annoter | Télécharger (881 octets)
| 1 | 03d9e7da | Steve Traylen | <%- | |
|---|---|---|---|
| 2 | Boolean $nat, |
||
| 3 | Optional[Array[String[1],1]] $noflush = undef, |
||
| 4 | |-%> |
||
| 5 | <%- |
||
| 6 | if $noflush and $facts['nftables'] and $facts['nftables']['tables'] {
|
||
| 7 | $_flush_command = $facts['nftables']['tables'].filter |$_tab| { ! ($_tab in $noflush) }.map |$_table| {
|
||
| 8 | "flush table ${regsubst($_table,'-',' ')}"
|
||
| 9 | } |
||
| 10 | } else {
|
||
| 11 | $_flush_command = ['flush ruleset'] |
||
| 12 | } |
||
| 13 | -%> |
||
| 14 | 30462da1 | Steve Traylen | # puppet-preflight.nft is only used by puppet for validating new configs |
| 15 | # puppet.nft is real configuration that the nftables services uses. |
||
| 16 | # To process either the -I flag must be specified. |
||
| 17 | # nft -c -I /etc/nftables/puppet -f /etc/nftables/puppet.nft |
||
| 18 | # nft -c -I /etc/nftables/puppet-preflight -f /etc/nftables/puppet-preflight.nft |
||
| 19 | |||
| 20 | 0ba57c66 | mh | # drop any existing nftables ruleset |
| 21 | 03d9e7da | Steve Traylen | <%= $_flush_command.join('; ') %>
|
| 22 | 0ba57c66 | mh | |
| 23 | 30462da1 | Steve Traylen | include "custom-*.nft" |
| 24 | include "inet-filter.nft" |
||
| 25 | 82d10659 | Nacho Barrientos | <% if $nat { -%>
|
| 26 | 30462da1 | Steve Traylen | include "ip-nat.nft" |
| 27 | include "ip6-nat.nft" |
||
| 28 | 82d10659 | Nacho Barrientos | <% } -%> |