-rw-r--r-- | REFERENCE.md | 14 | ||||
-rw-r--r-- | data/common.yaml | 3 | ||||
-rw-r--r-- | manifests/config.pp | 8 | ||||
-rw-r--r-- | manifests/init.pp | 8 | ||||
-rw-r--r-- | templates/ferm.conf.epp | 3 |
5 files changed, 29 insertions, 7 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 9425b52..e9736fb 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -7,7 +7,7 @@ _Public Classes_
-* [`ferm`](#ferm): Class: ferm This class manages ferm installation and rule generation on modern linux systems class{'ferm': manage_service => true, }
+* [`ferm`](#ferm): Class: ferm This class manages ferm installation and rule generation on modern linux systems class{'ferm': manage_service => true, ip_v _Private Classes_
@@ -29,12 +29,13 @@ Class: ferm This class manages ferm installation and rule generation on modern linux systems class{'ferm':
- manage_service => true,
+ manage_service => true,
+ ip_versions => ['ip6'], } #### Examples
-##### deploy ferm and start it
+##### deploy ferm and start it, on node with only ipv6 enabled ```puppet
@@ -132,6 +133,13 @@ Enable/Disable logging in the INPUT chain of packets to the kernel log, if no ex Default value: false Allowed values: (true|false)
+##### `ip_versions`
+
+Data type: `Array[Enum['ip','ip6']]`
+
+Set list of versions of ip we want ot use.
+Default value: ['ip', 'ip6']
+ ## Defined types ### ferm::chain
diff --git a/data/common.yaml b/data/common.yaml
index 938fbef..f13dcfa 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -10,3 +10,6 @@ ferm::rules: {} ferm::input_log_dropped_packets: false ferm::forward_log_dropped_packets: false ferm::output_log_dropped_packets: false
+ferm::ip_versions:
+ - ip
+ - ip6
diff --git a/manifests/config.pp b/manifests/config.pp
index 1736fa6..23ed390 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -5,6 +5,8 @@ class ferm::config { # this is a private class assert_private("You're not supposed to do that!")
+ $_ip = join($ferm::ip_versions, ' ')
+ # copy static files to ferm # on a long term point of view, we want to package this file{'/etc/ferm.d':
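Review bot: An empty `ip_versions` array passes `$_ip = join($ferm::ip_versions, ' ')` in ferm::config as an empty string and only fails later at the template's `String[1] $ip` parameter, with an error that points at ferm.conf.epp rather than at the class parameter the operator actually set. Constraining the parameter in manifests/init.pp to `Array[Enum['ip','ip6'], 1] $ip_versions` reports the empty case at its source, and a duplicated entry such as `['ip', 'ip']`, which is currently rendered verbatim into the `domain (...)` line, can be normalized with `$_ip = join(unique($ferm::ip_versions), ' ')`. The same type is documented in REFERENCE.md and would need to follow; the rest of ferm::config lies outside this hunk.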
@@ -29,7 +31,11 @@ class ferm::config { concat::fragment{'ferm.conf': target => $ferm::configfile,
- content => epp("${module_name}/ferm.conf.epp"),
+ content => epp(
+ "${module_name}/ferm.conf.epp", {
+ 'ip' => $_ip,
+ }
+ ), order => '50', } }
diff --git a/manifests/init.pp b/manifests/init.pp
index 82f163c..a8b886d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,9 +2,10 @@ # # This class manages ferm installation and rule generation on modern linux systems #
-# @example deploy ferm and start it
+# @example deploy ferm and start it, on node with only ipv6 enabled # class{'ferm':
-# manage_service => true,
+# manage_service => true,
+# ip_versions => ['ip6'], # } # # @param manage_service Disable/Enable the management of the ferm daemon
@@ -40,6 +41,8 @@ # @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched # Default value: false # Allowed values: (true|false)
+# @param ip_versions Set list of versions of ip we want ot use.
+# Default value: ['ip', 'ip6'] class ferm ( Boolean $manage_service, Boolean $manage_configfile,
@@ -52,6 +55,7 @@ class ferm ( Boolean $output_log_dropped_packets, Boolean $input_log_dropped_packets, Hash $rules,
+ Array[Enum['ip','ip6']] $ip_versions, ) { contain ferm::install contain ferm::config
diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp
index 42a44be..37afca0 100644
--- a/templates/ferm.conf.epp
+++ b/templates/ferm.conf.epp
@@ -1,6 +1,7 @@
+<%- | String[1] $ip | -%> # End custom section
-domain (ip ip6) table filter {
+domain (<%= $ip %>) table filter { chain INPUT { interface lo ACCEPT; @include '/etc/ferm.d/chains/INPUT.conf'; |
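Review bot: The new `@param ip_versions` documentation in manifests/init.pp says what the parameter lists but not what leaving a family out does: ferm.conf.epp now emits `domain (<%= $ip %>) table filter`, so a node configured with `['ip']` gets no ip6tables rules from this module and, on a dual-stack host, IPv6 traffic is presumably left to whatever policy is already loaded in the kernel (commonly ACCEPT). Operators narrowing a firewall module to one family should be told that explicitly; suggested wording: `# @param ip_versions IP protocol families (ip, ip6) to generate rules for. Rules are only generated for the listed families; traffic of an unlisted family is not filtered by this module.` The phrase `we want ot use` in this hunk and in the matching REFERENCE.md hunk also misspells `to`. The parameter list of class ferm continues outside the hunk.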