-rw-r--r--REFERENCE.md14
-rw-r--r--data/common.yaml3
-rw-r--r--manifests/config.pp8
-rw-r--r--manifests/init.pp8
-rw-r--r--templates/ferm.conf.epp3
5 files changed, 29 insertions, 7 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 9425b52..e9736fb 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -7,7 +7,7 @@
_Public Classes_
-* [`ferm`](#ferm): Class: ferm This class manages ferm installation and rule generation on modern linux systems class{'ferm': manage_service => true, }
+* [`ferm`](#ferm): Class: ferm This class manages ferm installation and rule generation on modern linux systems class{'ferm': manage_service => true, ip_v
_Private Classes_
@@ -29,12 +29,13 @@ Class: ferm
This class manages ferm installation and rule generation on modern linux systems
class{'ferm':
- manage_service => true,
+ manage_service => true,
+ ip_versions => ['ip6'],
}
#### Examples
-##### deploy ferm and start it
+##### deploy ferm and start it, on node with only ipv6 enabled
```puppet
@@ -132,6 +133,13 @@ Enable/Disable logging in the INPUT chain of packets to the kernel log, if no ex
Default value: false
Allowed values: (true|false)
+##### `ip_versions`
+
+Data type: `Array[Enum['ip','ip6']]`
+
+Set list of versions of ip we want ot use.
+Default value: ['ip', 'ip6']
+
## Defined types
### ferm::chain
diff --git a/data/common.yaml b/data/common.yaml
index 938fbef..f13dcfa 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -10,3 +10,6 @@ ferm::rules: {}
ferm::input_log_dropped_packets: false
ferm::forward_log_dropped_packets: false
ferm::output_log_dropped_packets: false
+ferm::ip_versions:
+ - ip
+ - ip6
diff --git a/manifests/config.pp b/manifests/config.pp
index 1736fa6..23ed390 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -5,6 +5,8 @@ class ferm::config {
# this is a private class
assert_private("You're not supposed to do that!")
+ $_ip = join($ferm::ip_versions, ' ')
+
# copy static files to ferm
# on a long term point of view, we want to package this
file{'/etc/ferm.d':
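Review bot: An empty or repeated `ip_versions` list is not handled where `$_ip` is built in ferm::config. `join()` returns an empty string for `[]`, which the template's `String[1] $ip` then rejects with an error that points at the template rather than at the class parameter, and `['ip', 'ip']` would render as `domain (ip ip)`. I would reject the empty list at the interface with `Array[Enum['ip','ip6'], 1] $ip_versions,` in manifests/init.pp and collapse repeats here with `$_ip = join(unique($ferm::ip_versions), ' ')`. The body of ferm::config continues outside this hunk.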
@@ -29,7 +31,11 @@ class ferm::config {
concat::fragment{'ferm.conf':
target => $ferm::configfile,
- content => epp("${module_name}/ferm.conf.epp"),
+ content => epp(
+ "${module_name}/ferm.conf.epp", {
+ 'ip' => $_ip,
+ }
+ ),
order => '50',
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index 82f163c..a8b886d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,9 +2,10 @@
#
# This class manages ferm installation and rule generation on modern linux systems
#
-# @example deploy ferm and start it
+# @example deploy ferm and start it, on node with only ipv6 enabled
# class{'ferm':
-# manage_service => true,
+# manage_service => true,
+# ip_versions => ['ip6'],
# }
#
# @param manage_service Disable/Enable the management of the ferm daemon
@@ -40,6 +41,8 @@
# @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
# Default value: false
# Allowed values: (true|false)
+# @param ip_versions Set list of versions of ip we want ot use.
+# Default value: ['ip', 'ip6']
class ferm (
Boolean $manage_service,
Boolean $manage_configfile,
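Review bot: The new `@param ip_versions` text does not say what happens to a family that is left out, which is the security-relevant part of this setting. Judging by the template change, the listed families only select the ferm `domain` for the filter table, so an omitted family presumably gets no ferm-managed rules and keeps whatever the kernel already had loaded; a node that sets `['ip6']` while IPv4 is still up would then be unfiltered on IPv4. I would word it as `# @param ip_versions Set list of versions of ip we want to use. A family that is not listed gets no rules from this module; make sure it is disabled on the node or filtered elsewhere.`, which also fixes the `ot` typo, and regenerate REFERENCE.md so it matches.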
@@ -52,6 +55,7 @@ class ferm (
Boolean $output_log_dropped_packets,
Boolean $input_log_dropped_packets,
Hash $rules,
+ Array[Enum['ip','ip6']] $ip_versions,
) {
contain ferm::install
contain ferm::config
diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp
index 42a44be..37afca0 100644
--- a/templates/ferm.conf.epp
+++ b/templates/ferm.conf.epp
@@ -1,6 +1,7 @@
+<%- | String[1] $ip | -%>
# End custom section
-domain (ip ip6) table filter {
+domain (<%= $ip %>) table filter {
chain INPUT {
interface lo ACCEPT;
@include '/etc/ferm.d/chains/INPUT.conf';