Révision fcb79d73
support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid
namespace conflicts
manifests/rules/qemu.pp | ||
---|---|---|
93 | 93 |
if $masquerade { |
94 | 94 |
nftables::rule { |
95 | 95 |
'POSTROUTING-qemu_ignore_multicast': |
96 |
table => 'ip-nat',
|
|
96 |
table => "ip-${nftables::nat_table_name}",
|
|
97 | 97 |
content => "ip saddr ${network_v4} ip daddr 224.0.0.0/24 return"; |
98 | 98 |
'POSTROUTING-qemu_ignore_broadcast': |
99 |
table => 'ip-nat',
|
|
99 |
table => "ip-${nftables::nat_table_name}",
|
|
100 | 100 |
content => "ip saddr ${network_v4} ip daddr 255.255.255.255 return"; |
101 | 101 |
'POSTROUTING-qemu_masq_tcp': |
102 |
table => 'ip-nat',
|
|
102 |
table => "ip-${nftables::nat_table_name}",
|
|
103 | 103 |
content => "meta l4proto tcp ip saddr ${network_v4} ip daddr != ${network_v4} masquerade to :1024-65535"; |
104 | 104 |
'POSTROUTING-qemu_masq_udp': |
105 |
table => 'ip-nat',
|
|
105 |
table => "ip-${nftables::nat_table_name}",
|
|
106 | 106 |
content => "meta l4proto udp ip saddr ${network_v4} ip daddr != ${network_v4} masquerade to :1024-65535"; |
107 | 107 |
'POSTROUTING-qemu_masq_ip': |
108 |
table => 'ip-nat',
|
|
108 |
table => "ip-${nftables::nat_table_name}",
|
|
109 | 109 |
content => "ip saddr ${network_v4} ip daddr != ${network_v4} masquerade"; |
110 | 110 |
} |
111 | 111 |
} |
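Review bot: Every `table =>` value in this hunk interpolates `$nftables::nat_table_name` straight into an nft table identifier, but nothing visible constrains what that parameter may contain; where it is declared (outside this file section) it should carry a pattern type such as `Pattern[/\A[a-zA-Z0-9_]+\z/] $nat_table_name` so a value with spaces or punctuation fails at catalog compilation instead of producing a ruleset nft refuses to load. These rules now reference a table whose name is no longer fixed, so the resource that creates the ip nat table presumably has to use the same parameter; a one-line comment on the parameter saying it must match the name used when the nat table is declared would make that coupling explicit. The `if $masquerade` block is fully inside the hunk, but the enclosing class or defined type begins outside it.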