/manifests/rules/docker_ce.pp - Diff - puppet nftables - Koumbit's Redmine

Révision fcb79d73

ID	fcb79d73f30dc98983f392fdf7c774c04301ebce
Parent	abcd1731
Enfant	1cdd8e24

Ajouté par Ben Morrice il y a plus de 3 ans

support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid
namespace conflicts

       if $manage_docker_chains {
         nftables::chain {
           'DOCKER-nat':
             table => 'ip-nat',
           "DOCKER-${nftables::nat_table_name}":
             table => "ip-${nftables::nat_table_name}",
             chain => 'DOCKER';
+        }
+      }
       if $manage_base_chains {
         nftables::chain {
           'OUTPUT-nat':
             table => 'ip-nat',
           "OUTPUT-${nftables::nat_table_name}":
             table => "ip-${nftables::nat_table_name}",
             chain => 'OUTPUT';
           'INPUT-nat':
             table => 'ip-nat',
           "INPUT-${nftables::nat_table_name}":
             table => "ip-${nftables::nat_table_name}",
             chain => 'INPUT';
+        }
+      }
       nftables::rule {
         'POSTROUTING-docker':
           table   => 'ip-nat',
           table   => "ip-${nftables::nat_table_name}",
           content => "oifname != \"${docker_interface}\" ip saddr ${docker_prefix} counter masquerade";
         'PREROUTING-docker':
           table   => 'ip-nat',
           table   => "ip-${nftables::nat_table_name}",
           content => 'fib daddr type local counter jump DOCKER';
         'OUTPUT-jump_docker@ip-nat':
         "OUTPUT-jump_docker@ip-${nftables::nat_table_name}":
           rulename => 'OUTPUT-jump_docker',
           table    => 'ip-nat',
           table    => "ip-${nftables::nat_table_name}",
           content  => 'ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER';
         'DOCKER-counter':
           table   => 'ip-nat',
           table   => "ip-${nftables::nat_table_name}",
           content => "iifname \"${docker_interface}\" counter return";
         'INPUT-type@ip-nat':
         "INPUT-type@ip-${nftables::nat_table_name}":
           rulename => 'INPUT-type',
           table    => 'ip-nat',
           table    => "ip-${nftables::nat_table_name}",
           order    => '01',
           content  => 'type nat hook input priority 100';
         'INPUT-policy@ip-nat':
         "INPUT-policy@ip-${nftables::nat_table_name}":
           rulename => 'INPUT-policy',
           table    => 'ip-nat',
           table    => "ip-${nftables::nat_table_name}",
           order    => '02',
           content  => 'policy accept';
+      }

Formats disponibles : Unified diff

Projet

Général

Profil

puppet nftables

Révision fcb79d73