author | Tim Meusel <tim@bastelfreak.de> | 2019-10-01 16:35:56 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-01 16:35:56 +0200 |
commit | 1432f4316871f9c367d0cac8e3758d239d2f79ea (patch) | |
tree | 8cfc5af5a35a1557af027d68eccbd9def263dbde /manifests | |
parent | 5d00a506f896fccb2485ebf3ea316f0156b80f8b (diff) | |
parent | d4b8909eab6194da389b121e46137da7618eb45c (diff) | |
download | puppet-ferm-1432f4316871f9c367d0cac8e3758d239d2f79ea.tar.gz puppet-ferm-1432f4316871f9c367d0cac8e3758d239d2f79ea.tar.bz2 |
Merge pull request #80 from bastelfreak/ipsets
implement ipset support
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/chain.pp | 6 | ||||
-rw-r--r-- | manifests/ipset.pp | 62 |
2 files changed, 67 insertions, 1 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 10cc9c1..1be7e83 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -73,6 +73,10 @@ define ferm::chain (
 }
 # make sure the generated snippet is actually included
+ # the ordering here is hacked. We might end up with multiple blocks for the same filter+chain.
+ # This happens if we add ipset matches. We suffix this ordering with `bbb`. This allows us to
+ # insert ipset matches before other rules by adding `-aaa` or
+ # insert them at the end by ordering them with `-ccc`.
 concat::fragment{"${table}-${chain}-config-include":
 target => $ferm::configfile,
 content => epp(
@@ -83,7 +87,7 @@ define ferm::chain (
 'filename' => $filename,
 }
 ),
- order => "${table}-${chain}",
+ order => "${table}-${chain}-bbb",
 require => Concat[$filename],
 }
 }
diff --git a/manifests/ipset.pp b/manifests/ipset.pp
new file mode 100644
index 0000000..fab7894
--- /dev/null
+++ b/manifests/ipset.pp
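Review bot: The new comment block in the first hunk documents the `-aaa`/`-bbb`/`-ccc` convention but not that it only works because the Concat target sorts fragments alphabetically by `order` (concat's default `alpha` ordering), nor that the matching `aaa`/`ccc` literals live in `manifests/ipset.pp`, so a reader of chain.pp alone cannot find the other half of the scheme. Appending `# the matching -aaa/-ccc suffixes are emitted by ferm::ipset (manifests/ipset.pp); this relies on the concat target keeping alphabetical ordering.` to that comment would close the gap. The Concat target's `order` is declared outside this hunk, so I cannot confirm it is left at the default.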
@@ -0,0 +1,62 @@
+#
+# @summary a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets.
+#
+# @see http://ferm.foo-projects.org/download/2.1/ferm.html#set
+#
+# @example
+# ferm::ipset { 'CONSUL':
+# sets => {
+# 'internet' => 'ACCEPT'
+# },
+# }
+#
+# @example create to matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
+# ferm::ipset { 'INPUT':
+# prepend_to_chain => false,
+# table => 'filter',
+# ip_version => 'ip6',
+# sets => {
+# 'testset01' => 'ACCEPT',
+# 'anothertestset' => 'DROP'
+# },
+# }
+#
+# @param chain
+# name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this.
+#
+# @param table
+# name of the table where we want to apply this. Defaults to `filter` because that's the most common usecase.
+#
+# @param ip_version
+# sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version.
+#
+# @param sets
+# A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
+#
+define ferm::ipset (
+ Hash[String[1], Ferm::Actions] $sets,
+ String[1] $chain = $name,
+ Ferm::Tables $table = 'filter',
+ Enum['ip','ip6'] $ip_version = 'ip',
+ Boolean $prepend_to_chain = true,
+) {
+ $suffix = $prepend_to_chain ? {
+ true => 'aaa',
+ false => 'ccc',
+ }
+
+ # make sure the generated snippet is actually included
+ concat::fragment{"${table}-${chain}-ipset":
+ target => $ferm::configfile,
+ content => epp(
+ "${module_name}/ferm-chain-ipset.epp", {
+ 'ip' => $ip_version,
+ 'table' => $table,
+ 'chain' => $chain,
+ 'sets' => $sets,
+ }
+ ),
+ order => "${table}-${chain}-${suffix}",
+ }
+} |
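Review bot: The concat::fragment title `"${table}-${chain}-ipset"` does not include `$suffix` (or `$name`), so declaring one ferm::ipset with `prepend_to_chain => true` and another with `false` for the same table and chain — the combination the new comment in chain.pp describes with `-aaa` and `-ccc` — fails with a duplicate resource declaration instead of producing both blocks. Titling the fragment `"${table}-${chain}-ipset-${suffix}"` lets the two coexist while still rejecting two prepended set blocks for one chain; if only one ferm::ipset per chain is intended, the `@summary` should say so explicitly rather than leaving chain.pp to suggest both positions. Two documentation typos in the same hunk are worth fixing while here: `create to matches` should read `create two matches`, and `For each hash you can provide an action` should read `For each set you can provide an action`.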