Révision fcb79d73
support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid
namespace conflicts
| manifests/ip_nat.pp | ||
|---|---|---|
| 1 | 1 |
# manage basic chains in table ip nat |
| 2 | 2 |
class nftables::ip_nat inherits nftables {
|
| 3 | 3 |
nftables::config {
|
| 4 |
'ip-nat':
|
|
| 4 |
"ip-${nftables::nat_table_name}":
|
|
| 5 | 5 |
prefix => ''; |
| 6 |
'ip6-nat':
|
|
| 6 |
"ip6-${nftables::nat_table_name}":
|
|
| 7 | 7 |
prefix => ''; |
| 8 | 8 |
} |
| 9 | 9 |
|
| ... | ... | |
| 12 | 12 |
'PREROUTING', |
| 13 | 13 |
'POSTROUTING', |
| 14 | 14 |
]: |
| 15 |
table => 'ip-nat';
|
|
| 15 |
table => "ip-${nftables::nat_table_name}";
|
|
| 16 | 16 |
} |
| 17 | 17 |
|
| 18 | 18 |
nftables::chain {
|
| ... | ... | |
| 20 | 20 |
'PREROUTING6', |
| 21 | 21 |
'POSTROUTING6', |
| 22 | 22 |
]: |
| 23 |
table => 'ip6-nat';
|
|
| 23 |
table => "ip6-${nftables::nat_table_name}";
|
|
| 24 | 24 |
} |
| 25 | 25 |
|
| 26 | 26 |
# ip-nat-chain-PREROUTING |
| 27 | 27 |
nftables::rule {
|
| 28 | 28 |
'PREROUTING-type': |
| 29 |
table => 'ip-nat',
|
|
| 29 |
table => "ip-${nftables::nat_table_name}",
|
|
| 30 | 30 |
order => '01', |
| 31 | 31 |
content => 'type nat hook prerouting priority -100'; |
| 32 | 32 |
'PREROUTING-policy': |
| 33 |
table => 'ip-nat',
|
|
| 33 |
table => "ip-${nftables::nat_table_name}",
|
|
| 34 | 34 |
order => '02', |
| 35 | 35 |
content => 'policy accept'; |
| 36 | 36 |
'PREROUTING6-type': |
| 37 |
table => 'ip6-nat',
|
|
| 37 |
table => "ip6-${nftables::nat_table_name}",
|
|
| 38 | 38 |
order => '01', |
| 39 | 39 |
content => 'type nat hook prerouting priority -100'; |
| 40 | 40 |
'PREROUTING6-policy': |
| 41 |
table => 'ip6-nat',
|
|
| 41 |
table => "ip6-${nftables::nat_table_name}",
|
|
| 42 | 42 |
order => '02', |
| 43 | 43 |
content => 'policy accept'; |
| 44 | 44 |
} |
| ... | ... | |
| 46 | 46 |
# ip-nat-chain-POSTROUTING |
| 47 | 47 |
nftables::rule {
|
| 48 | 48 |
'POSTROUTING-type': |
| 49 |
table => 'ip-nat',
|
|
| 49 |
table => "ip-${nftables::nat_table_name}",
|
|
| 50 | 50 |
order => '01', |
| 51 | 51 |
content => 'type nat hook postrouting priority 100'; |
| 52 | 52 |
'POSTROUTING-policy': |
| 53 |
table => 'ip-nat',
|
|
| 53 |
table => "ip-${nftables::nat_table_name}",
|
|
| 54 | 54 |
order => '02', |
| 55 | 55 |
content => 'policy accept'; |
| 56 | 56 |
'POSTROUTING6-type': |
| 57 |
table => 'ip6-nat',
|
|
| 57 |
table => "ip6-${nftables::nat_table_name}",
|
|
| 58 | 58 |
order => '01', |
| 59 | 59 |
content => 'type nat hook postrouting priority 100'; |
| 60 | 60 |
'POSTROUTING6-policy': |
| 61 |
table => 'ip6-nat',
|
|
| 61 |
table => "ip6-${nftables::nat_table_name}",
|
|
| 62 | 62 |
order => '02', |
| 63 | 63 |
content => 'policy accept'; |
| 64 | 64 |
} |
Formats disponibles : Unified diff