field | value | date
---|---|---
author | Thore Bödecker <me@foxxx0.de> | 2019-09-03 11:56:58 +0200
committer | Thore Bödecker <me@foxxx0.de> | 2019-09-11 13:20:35 +0200
commit | 882a45498ddefdfc83ff5b19da723fd0be3acdec (patch) |
tree | 523f7a96c5b2640dbf2dd45cd89d931e12ceff9d /templates |
parent | 81748ba786c6a55c4575a400c08de99716da8fbb (diff) |
download | puppet-ferm-882a45498ddefdfc83ff5b19da723fd0be3acdec.tar.gz, puppet-ferm-882a45498ddefdfc83ff5b19da723fd0be3acdec.tar.bz2 |
add ability to define rules in tables != filter
Previously it was neither possible to properly define custom chains nor
to define rules in tables other than the default filter table.
For various legitimate reasons it can be required to define rules in the
raw, nat or mangle tables, e.g. to use NOTRACK or to configure
DNAT/SNAT/MASQUERADE.
Additionally it might come in handy to define custom chains to group
certain rules and allow a more efficient evaluation for incoming packets
by not cramming all rules into the filter/INPUT chain so that
(worst-case) all packets need to traverse and evaluate all rules.
I have tried to maintain backwards compatibility and to not change
default filenames/paths so that it won't result in leftover obsolete unmanaged
files from previous versions of this module.
In order to improve the naming schema the rule $policy has been renamed
to $action, however both parameters are available and optional now, with
some sanity checks that require at most one of them and issuing a
warning() for users of the now deprecated $policy parameter.
All previous tests have been adapted to the changes, along with an
additional set of tests for the new feature.
Fixes #61
Diffstat (limited to 'templates')

mode | file | lines
---|---|---
-rw-r--r-- | templates/ferm-table-chain-config-include.epp | 14
-rw-r--r-- | templates/ferm.conf.epp | 16
-rw-r--r-- | templates/ferm_chain_header.conf.epp | 8
-rw-r--r-- | templates/ferm_header.conf.epp | 2

4 files changed, 19 insertions, 21 deletions
diff --git a/templates/ferm-table-chain-config-include.epp b/templates/ferm-table-chain-config-include.epp new file mode 100644 index 0000000..722d3e7 --- /dev/null +++ b/templates/ferm-table-chain-config-include.epp @@ -0,0 +1,14 @@ +<%- | String[1] $ip, +Ferm::Tables $table, +String[1] $chain, +Stdlib::Absolutepath $filename, +| -%> + +domain (<%= $ip %>) table <%= $table %> { + chain <%= $chain %> { + <%- if $table == 'filter' and $chain == 'INPUT' { -%> + interface lo ACCEPT; + <%- } -%> + @include '<%= $filename %>'; + } +} diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp index 0245a70..3b1a211 100644 --- a/templates/ferm.conf.epp +++ b/templates/ferm.conf.epp @@ -2,7 +2,6 @@ Stdlib::Absolutepath $configdirectory, Hash[String[1], Array[String[1]]] $preserve_chains_in_tables, | -%> -# End custom section <%- $preserve_chains_in_tables.each |$table, $chains| { -%> domain (<%= $ip %>) table <%= $table %> { @@ -11,18 +10,3 @@ domain (<%= $ip %>) table <%= $table %> { <%- } -%> } <%- } -%> - -domain (<%= $ip %>) table filter { - chain INPUT { - interface lo ACCEPT; - @include '<%= $configdirectory %>/chains/INPUT.conf'; - } - - chain OUTPUT { - @include '<%= $configdirectory %>/chains/OUTPUT.conf'; - } - - chain FORWARD { - @include '<%= $configdirectory %>/chains/FORWARD.conf'; - } -} diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp index f94b18d..938958b 100644 --- a/templates/ferm_chain_header.conf.epp +++ b/templates/ferm_chain_header.conf.epp 
@@ -1,12 +1,14 @@ -<%- | Ferm::Policies $policy, +<%- | Optional[Ferm::Policies] $policy, Boolean $disable_conntrack, | -%> # THIS FILE IS MANAGED BY PUPPET +<%- if $policy { -%> # Default policy for this chain policy <%= $policy %>; +<%- } -%> <% unless $disable_conntrack { -%> # connection tracking -mod state state INVALID DROP; -mod state state (ESTABLISHED RELATED) ACCEPT; +mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT; +mod conntrack ctstate INVALID DROP; <% } -%> diff --git a/templates/ferm_header.conf.epp b/templates/ferm_header.conf.epp index e1a1f1a..a29106c 100644 --- a/templates/ferm_header.conf.epp +++ b/templates/ferm_header.conf.epp @@ -5,5 +5,3 @@ # get all ip definitions @include '<%= $configdirectory %>/definitions/'; - -# Begin custom section |
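Review bot: in the new file hunk for `templates/ferm-table-chain-config-include.epp`, `$chain` is typed `String[1]` and written verbatim into `chain <%= $chain %> {`, so a chain name containing whitespace, `;` or braces yields a broken or unintended ferm configuration instead of a Puppet-side error; a pattern type restricted to the characters iptables accepts for chain names (e.g. `Pattern[/\A[A-Za-z0-9_.-]+\z/]`) would reject such values at catalog compile time. The same goes for `$filename`, which lands inside single quotes in `@include '<%= $filename %>';`; `Stdlib::Absolutepath` does not exclude a `'` character.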
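Review bot: the second `ferm.conf.epp` hunk deletes the hard-coded `domain (<%= $ip %>) table filter { ... }` block, which was the only place rendering `interface lo ACCEPT;` and the INPUT/OUTPUT/FORWARD includes, but nothing in this diff shows that those three chains are still emitted unconditionally via the new per-table template; if the rest of the change makes them opt-in, a host that does not declare `filter`/`INPUT` loses the loopback accept and the default-policy header, which breaks local services on 127.0.0.1 and leaves the chain at the kernel default. The commit message (or a test) should state that the default filter chains are always rendered.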
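Review bot: in the `ferm_chain_header.conf.epp` hunk, the switch from `mod state state` to `mod conntrack ctstate` and the swapped order of the `(ESTABLISHED RELATED) ACCEPT` and `INVALID DROP` rules are unrelated to the stated purpose (rules in tables other than filter) and are not mentioned in the commit message; either split them into their own commit or document them, since they change the rendered output of every chain header with connection tracking enabled and will show up as a diff on every managed host. The reorder itself is harmless, because a packet cannot be both INVALID and ESTABLISHED/RELATED. Separately, with `Optional[Ferm::Policies] $policy` the `policy` line is omitted when unset, so a built-in chain silently keeps the kernel default of ACCEPT; if the optional policy is meant for custom chains only (which cannot carry a policy), consider still requiring `$policy` for the built-in chains.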