Révision fcb79d73
support a different table name for 'nat'
- Some applications (such as libvirt) still use iptables to inject firewall
rules
- iptables will refuse to update tables that were initially created with nft
- This commit allows defining the name of the 'nat' table in order to avoid
namespace conflicts
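--- a/spec/acceptance/default_spec.rb
+++ b/spec/acceptance/default_spec.rb
@@ -111,4 +111,34 @@
 it { is_expected.to be_enabled }
 end
 end
+context 'with custom nat_table_name' do
+it 'no rules validate okay' do
+pp = <<-EOS
+class{'nftables':
+firewalld_enable => false,
+nat => true,
+nat_table_name => 'mycustomtablename',
+}
+# nftables cannot be started in docker so replace service with a validation only.
+systemd::dropin_file{"zzz_docker_nft.conf":
+ensure => present,
+unit => "nftables.service",
+content => [
+"[Service]",
+"ExecStart=",
+"ExecStart=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
+"ExecReload=",
+"ExecReload=/sbin/nft -c -I /etc/nftables/puppet -f /etc/sysconfig/nftables.conf",
+"",
+].join("\n"),
+notify => Service["nftables"],
+}
+EOS
+apply_manifest(pp, catch_failures: true)
+end
+describe service('nftables') do
+it { is_expected.to be_running }
+it { is_expected.to be_enabled }
+end
+end
 end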
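Review bot: The new context applies the manifest and checks the service, but nothing asserts that the rendered ruleset actually declares `mycustomtablename` instead of `nat`, so the namespace-conflict behaviour this commit exists for is never verified; with ExecStart replaced by `nft -c`, `be_running` only shows that validation passed. Add a content check on the generated ruleset, e.g. `describe file('/etc/nftables/puppet/...') do its(:content) { is_expected.to match(/table ip mycustomtablename/) } end`, where the exact file name and address family are not visible here and must be confirmed against the module's templates. Because the parameter is written verbatim into an nft config, a companion example passing a name containing whitespace or braces and expecting `apply_manifest` to fail would also pin down that `nat_table_name` is validated as an nft identifier, assuming the type or regex lives in the class, which this diff does not show. The enclosing `describe` block starts outside the hunk.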