Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/chain.pp | 2 | ||||
-rw-r--r-- | manifests/rule.pp | 32 |
2 files changed, 30 insertions, 4 deletions
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 6a01607..0a0071a 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -31,7 +31,7 @@ define ferm::chain (
 concat::fragment{"${chain}-footer":
 target => "/etc/ferm.d/chains/${chain}.conf",
 content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
- order => '99',
+ order => 'zzzzzzzzzzzzzzzzzzzzz',
 }
 }
 }
diff --git a/manifests/rule.pp b/manifests/rule.pp
index c87ef7f..b8ae29a 100644
--- a/manifests/rule.pp
+++ b/manifests/rule.pp
@@ -8,6 +8,7 @@
 # @param saddr The source address we want to match
 # @param daddr The destination address we want to match
 # @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
+# @param interface an Optional interface where this rule should be applied
 # @param ensure Set the rule to present or absent
 define ferm::rule (
 Ferm::Chains $chain,
@@ -19,6 +20,7 @@ define ferm::rule (
 Optional[String[1]] $saddr = undef,
 Optional[String[1]] $daddr = undef,
 Optional[String[1]] $proto_options = undef,
+ Optional[String[1]] $interface = undef,
 Enum['absent','present'] $ensure = 'present',
 ){
 $proto_real = "proto ${proto}"
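Review bot: The new footer order `'zzzzzzzzzzzzzzzzzzzzz'` is a magic value whose purpose is only recoverable by reading rule.pp, where interface blocks are emitted with `order => $interface`; the line deserves a why-comment such as `# concat compares order values as strings; this must sort after every interface name that ferm::rule uses as a fragment order`. It also silently assumes that no interface name sorts after a run of 21 z's, which holds for conventional names but is enforced nowhere visible in this diff. The enclosing ferm::chain definition starts before the hunk.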
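Review bot: `Optional[String[1]] $interface = undef,` accepts any non-empty string, yet in the later hunk of this file the value is interpolated verbatim into the generated chain file as `interface ${interface} {` and is reused as the concat fragment `order`, so a value containing whitespace, braces or a newline would alter the structure of the ferm configuration instead of being rejected at catalog compilation. A pattern type keeps that failure at compile time, for example `Optional[Pattern[/\A[A-Za-z0-9_.+-]+\z/]] $interface = undef,` (constructed; widen it to whatever interface naming the hosts actually use). Concat's own validation of `order`, as far as I recall it, rejects only a few characters, so it is not a substitute; that check is not part of this diff.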
@@ -47,9 +49,33 @@ define ferm::rule (
 $rule = squeeze("${comment_real} ${proto_real} ${proto_options_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ')
 
 if $ensure == 'present' {
- concat::fragment{"${chain}-${name}":
- target => "/etc/ferm.d/chains/${chain}.conf",
- content => "${rule}\n",
+ if $interface {
+ unless defined(Concat::Fragment["${chain}-${interface}-aaa"]) {
+ concat::fragment{"${chain}-${interface}-aaa":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "interface ${interface} {\n",
+ order => $interface,
+ }
+ }
+
+ concat::fragment{"${chain}-${interface}-${name}":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => " ${rule}\n",
+ order => $interface,
+ }
+
+ unless defined(Concat::Fragment["${chain}-${interface}-zzz"]) {
+ concat::fragment{"${chain}-${interface}-zzz":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "}\n",
+ order => $interface,
+ }
+ }
+ } else {
+ concat::fragment{"${chain}-${name}":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => "${rule}\n",
+ }
 }
 }
 }
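Review bot: The opener, the rule and the closer of an interface block all carry the same `order => $interface`, so their relative position inside the block rests entirely on concat's tie-break for equal orders, which appears to be the fragment title; `${chain}-${interface}-${name}` then lands between the `-aaa` opener and the `-zzz` closer only when `$name` sorts between `aaa` and `zzz`, and a rule whose title begins with a digit or an uppercase letter (ASCII sorts both before lowercase) would be emitted before `interface ${interface} {`, yielding a chain file ferm cannot parse. Giving the three fragments distinct orders removes the dependency on `$name`: `order => "${interface}-0"` for the opener, `order => "${interface}-1"` for the rule and `order => "${interface}-2"` for the closer. The tie-break is concat's behaviour rather than anything visible here, so it is worth confirming against the concat version the module pins. The ferm::rule body begins before this hunk.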