root / manifests / simplerule.pp @ master
Historique | Voir | Annoter | Télécharger (3,05 ko)
| 1 | b46c9ce9 | Nacho Barrientos | # @summary Provides a simplified interface to nftables::rule |
|---|---|---|---|
| 2 | 4ec94616 | Nacho Barrientos | # |
| 3 | 77abc10b | Nacho Barrientos | # @example allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets |
| 4 | 4ec94616 | Nacho Barrientos | # nftables::simplerule{'my_service_in':
|
| 5 | # action => 'accept', |
||
| 6 | # comment => 'allow traffic to port 543', |
||
| 7 | # counter => true, |
||
| 8 | # proto => 'tcp', |
||
| 9 | # dport => 543, |
||
| 10 | # daddr => '2001:1458::/32', |
||
| 11 | 77abc10b | Nacho Barrientos | # sport => 541, |
| 12 | 4ec94616 | Nacho Barrientos | # } |
| 13 | 13f4e4c6 | Steve Traylen | # @param ensure |
| 14 | # Should the rule be created. |
||
| 15 | 2f28cced | Nacho Barrientos | # |
| 16 | # @param rulename |
||
| 17 | # The symbolic name for the rule to add. Defaults to the resource's title. |
||
| 18 | # |
||
| 19 | # @param order |
||
| 20 | # A number representing the order of the rule. |
||
| 21 | # |
||
| 22 | # @param chain |
||
| 23 | # The name of the chain to add this rule to. |
||
| 24 | # |
||
| 25 | # @param table |
||
| 26 | # The name of the table to add this rule to. |
||
| 27 | # |
||
| 28 | # @param action |
||
| 29 | # The verdict for the matched traffic. |
||
| 30 | # |
||
| 31 | # @param comment |
||
| 32 | # A typically human-readable comment for the rule. |
||
| 33 | # |
||
| 34 | # @param dport |
||
| 35 | # The destination port, ports or port range. |
||
| 36 | # |
||
| 37 | # @param proto |
||
| 38 | # The transport-layer protocol to match. |
||
| 39 | # |
||
| 40 | # @param daddr |
||
| 41 | # The destination address, CIDR or set to match. |
||
| 42 | # |
||
| 43 | # @param set_type |
||
| 44 | # When using sets as saddr or daddr, the type of the set. |
||
| 45 | # Use `ip` for sets of type `ipv4_addr`. |
||
| 46 | # |
||
| 47 | # @param sport |
||
| 48 | # The source port, ports or port range. |
||
| 49 | # |
||
| 50 | 3a469f2b | Nacho Barrientos | # @param saddr |
| 51 | # The source address, CIDR or set to match. |
||
| 52 | # |
||
| 53 | 2f28cced | Nacho Barrientos | # @param counter |
| 54 | # Enable traffic counters for the matched traffic. |
||
| 55 | 25b3f3f4 | Tim Meusel | # |
| 56 | # @param iifname |
||
| 57 | # Optional filter for the incoming interface |
||
| 58 | d7d6d5d3 | Tim Meusel | # @param oifname |
| 59 | # Optional filter for the outgoing interface |
||
| 60 | 467ea4e2 | Nacho Barrientos | define nftables::simplerule ( |
| 61 | Enum['present','absent'] $ensure = 'present', |
||
| 62 | 8c00b818 | Nacho Barrientos | Nftables::SimpleRuleName $rulename = $title, |
| 63 | 467ea4e2 | Nacho Barrientos | Pattern[/^\d\d$/] $order = '50', |
| 64 | String $chain = 'default_in', |
||
| 65 | String $table = 'inet-filter', |
||
| 66 | 5944b9cb | Nacho Barrientos | Enum['accept', 'continue', 'drop', 'queue', 'return'] $action = 'accept', |
| 67 | 467ea4e2 | Nacho Barrientos | Optional[String] $comment = undef, |
| 68 | 09b07e56 | Nacho Barrientos | Optional[Nftables::Port] $dport = undef, |
| 69 | fb58f7b3 | Nacho Barrientos | Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']] $proto = undef, |
| 70 | f1ef02c5 | Nacho Barrientos | Optional[Nftables::Addr] $daddr = undef, |
| 71 | 467ea4e2 | Nacho Barrientos | Enum['ip', 'ip6'] $set_type = 'ip6', |
| 72 | 09b07e56 | Nacho Barrientos | Optional[Nftables::Port] $sport = undef, |
| 73 | f1ef02c5 | Nacho Barrientos | Optional[Nftables::Addr] $saddr = undef, |
| 74 | 467ea4e2 | Nacho Barrientos | Boolean $counter = false, |
| 75 | e846c98b | Tim Meusel | Variant[Array[String[1]],String[1]] $iifname = [], |
| 76 | Variant[Array[String[1]],String[1]] $oifname = [], |
||
| 77 | 467ea4e2 | Nacho Barrientos | ) {
|
| 78 | 3a52fb41 | Nacho Barrientos | if $dport and !$proto {
|
| 79 | 2489f932 | Nacho Barrientos | fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
|
| 80 | 3a52fb41 | Nacho Barrientos | } |
| 81 | |||
| 82 | 77abc10b | Nacho Barrientos | if $sport and !$proto {
|
| 83 | fail('Specifying a transport protocol via $proto is mandatory when passing a $sport')
|
||
| 84 | } |
||
| 85 | |||
| 86 | 83382bb5 | Nacho Barrientos | if $ensure == 'present' {
|
| 87 | 467ea4e2 | Nacho Barrientos | nftables::rule { "${chain}-${rulename}":
|
| 88 | 83382bb5 | Nacho Barrientos | content => epp('nftables/simplerule.epp',
|
| 89 | {
|
||
| 90 | aaa37172 | Nacho Barrientos | 'action' => $action, |
| 91 | 'comment' => $comment, |
||
| 92 | d43ced4d | Nacho Barrientos | 'counter' => $counter, |
| 93 | 6739966c | Nacho Barrientos | 'daddr' => $daddr, |
| 94 | aaa37172 | Nacho Barrientos | 'dport' => $dport, |
| 95 | 'proto' => $proto, |
||
| 96 | 3a469f2b | Nacho Barrientos | 'saddr' => $saddr, |
| 97 | 6739966c | Nacho Barrientos | 'set_type' => $set_type, |
| 98 | 77abc10b | Nacho Barrientos | 'sport' => $sport, |
| 99 | e846c98b | Tim Meusel | 'iifname' => [$iifname].flatten, |
| 100 | 'oifname' => [$oifname].flatten, |
||
| 101 | 83382bb5 | Nacho Barrientos | } |
| 102 | ), |
||
| 103 | order => $order, |
||
| 104 | table => $table, |
||
| 105 | } |
||
| 106 | } |
||
| 107 | } |