diff options
| author | Tim Meusel <tim@bastelfreak.de> | 2019-09-11 13:29:12 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-09-11 13:29:12 +0200 |
| commit | 6d96e030be0db4a916dd6a9bd0b25570d359e634 (patch) | |
| tree | 523f7a96c5b2640dbf2dd45cd89d931e12ceff9d /templates | |
| parent | 81748ba786c6a55c4575a400c08de99716da8fbb (diff) | |
| parent | 882a45498ddefdfc83ff5b19da723fd0be3acdec (diff) | |
| download | puppet-ferm-6d96e030be0db4a916dd6a9bd0b25570d359e634.tar.gz puppet-ferm-6d96e030be0db4a916dd6a9bd0b25570d359e634.tar.bz2 | |
Merge pull request #58 from voxpupuli/multi-table-support
add ability to configure rules in tables other than the default "filter" table
Diffstat (limited to 'templates')
| -rw-r--r-- | templates/ferm-table-chain-config-include.epp | 14 | ||||
| -rw-r--r-- | templates/ferm.conf.epp | 16 | ||||
| -rw-r--r-- | templates/ferm_chain_header.conf.epp | 8 | ||||
| -rw-r--r-- | templates/ferm_header.conf.epp | 2 |
4 files changed, 19 insertions, 21 deletions
diff --git a/templates/ferm-table-chain-config-include.epp b/templates/ferm-table-chain-config-include.epp new file mode 100644 index 0000000..722d3e7 --- /dev/null +++ b/templates/ferm-table-chain-config-include.epp @@ -0,0 +1,14 @@ +<%- | String[1] $ip, +Ferm::Tables $table, +String[1] $chain, +Stdlib::Absolutepath $filename, +| -%> + +domain (<%= $ip %>) table <%= $table %> { + chain <%= $chain %> { + <%- if $table == 'filter' and $chain == 'INPUT' { -%> + interface lo ACCEPT; + <%- } -%> + @include '<%= $filename %>'; + } +} diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp index 0245a70..3b1a211 100644 --- a/templates/ferm.conf.epp +++ b/templates/ferm.conf.epp @@ -2,7 +2,6 @@ Stdlib::Absolutepath $configdirectory, Hash[String[1], Array[String[1]]] $preserve_chains_in_tables, | -%> -# End custom section <%- $preserve_chains_in_tables.each |$table, $chains| { -%> domain (<%= $ip %>) table <%= $table %> { @@ -11,18 +10,3 @@ domain (<%= $ip %>) table <%= $table %> { <%- } -%> } <%- } -%> - -domain (<%= $ip %>) table filter { - chain INPUT { - interface lo ACCEPT; - @include '<%= $configdirectory %>/chains/INPUT.conf'; - } - - chain OUTPUT { - @include '<%= $configdirectory %>/chains/OUTPUT.conf'; - } - - chain FORWARD { - @include '<%= $configdirectory %>/chains/FORWARD.conf'; - } -} diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp index f94b18d..938958b 100644 --- a/templates/ferm_chain_header.conf.epp +++ b/templates/ferm_chain_header.conf.epp @@ -1,12 +1,14 @@ -<%- | Ferm::Policies $policy, +<%- | Optional[Ferm::Policies] $policy, Boolean $disable_conntrack, | -%> # THIS FILE IS MANAGED BY PUPPET +<%- if $policy { -%> # Default policy for this chain policy <%= $policy %>; +<%- } -%> <% unless $disable_conntrack { -%> # connection tracking -mod state state INVALID DROP; -mod state state (ESTABLISHED RELATED) ACCEPT; +mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT; +mod conntrack ctstate INVALID DROP; <% } -%> diff --git a/templates/ferm_header.conf.epp b/templates/ferm_header.conf.epp index e1a1f1a..a29106c 100644 --- a/templates/ferm_header.conf.epp +++ b/templates/ferm_header.conf.epp @@ -5,5 +5,3 @@ # get all ip definitions @include '<%= $configdirectory %>/definitions/'; - -# Begin custom section |