From 859f8ba5cb553d66c9dcdbc232d17a0b641624df Mon Sep 17 00:00:00 2001
From: Thore Bödecker
Date: Wed, 10 Jul 2019 16:37:50 +0200
Subject: allow preserving of chains in tables

---
 manifests/config.pp | 5 +++--
 manifests/init.pp | 34 ++++++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 8 deletions(-)
(limited to 'manifests')

diff --git a/manifests/config.pp b/manifests/config.pp
index 88fff15..25607ad 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -33,8 +33,9 @@ class ferm::config {
 target => $ferm::configfile,
 content => epp(
 "${module_name}/ferm.conf.epp", {
- 'ip' => $_ip,
- 'configdirectory' => $ferm::configdirectory,
+ 'ip' => $_ip,
+ 'configdirectory' => $ferm::configdirectory,
+ 'preserve_chains_in_tables' => $ferm::preserve_chains_in_tables,
 }
 ),
 order => '50',
diff --git a/manifests/init.pp b/manifests/init.pp
index f1f9aa9..221e148 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,12 +1,29 @@
 # Class: ferm
 #
-# This class manages ferm installation and rule generation on modern linux systems
+# @summary This class manages ferm installation and rule generation on modern linux systems
 #
-# @example deploy ferm and start it, on node with only ipv6 enabled
-# class{'ferm':
-# manage_service => true,
-# ip_versions => ['ip6'],
-# }
+# @example deploy ferm without any configured rules, but also don't start the service or modify existing config files
+# include ferm
+#
+# @example deploy ferm and start it, on nodes with only ipv6 enabled
+# class{'ferm':
+# manage_service => true,
+# ip_versions => ['ip6'],
+# }
+#
+# @example deploy ferm and don't touch chains from other software, like fail2ban and docker
+# class{'ferm':
+# manage_service => true,
+# preserve_chains_in_tables => {
+# 'filter' => [
+# 'f2b-sshd',
+# 'DOCKER',
+# 'DOCKER-ISOLATION-STAGE-1',
+# 'DOCKER-ISOLATION-STAGE-2',
+# 'DOCKER-USER',
+# ]
+# }
+# }
 #
 # @param manage_service Disable/Enable the management of the ferm daemon
 # Default value: false
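Review bot: The new `'preserve_chains_in_tables'` argument handed to `epp()` is only valid if `templates/ferm.conf.epp` declares a matching parameter in its `<%- | ... | -%>` block; when a template has a parameter list, Puppet rejects undeclared arguments at catalog compile time, and the template is outside this `manifests`-limited diff, so confirm that side of the change landed together with this one. Because the table and chain names end up in the generated ferm configuration, a short comment on this line would help the next maintainer treat the value as trusted configuration rather than arbitrary data, e.g. `# table/chain names are emitted into ferm.conf; see the type of ferm::preserve_chains_in_tables`. The enclosing resource declaration starts before this hunk and continues after it.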
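Review bot: The fail2ban/docker example preserves only `filter`-table chains, yet ferm still rewrites the built-in `INPUT`/`FORWARD` chains, so the jump rules those tools inserted to reach `f2b-sshd` or `DOCKER-USER` are dropped on every ferm reload; unless I misread ferm's `@preserve` semantics, a preserved chain that nothing jumps to is silently unenforced, which for fail2ban means bans fail open. Docker also maintains a `DOCKER` chain in the `nat` table (as far as I recall), which this example leaves unpreserved and would break published ports. I would add a caveat line to the example such as `# @preserve keeps a chain and its rules, not the jumps into it from INPUT/FORWARD; add those jumps to your ferm rules (or restart the tool after ferm reloads) and consider the tool's nat-table chains too`. The comment block continues past the end of this hunk.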
@@ -49,6 +66,10 @@
 # Allowed values: (true|false)
 # @param ip_versions Set list of versions of ip we want ot use.
 # Default value: ['ip', 'ip6']
+# @param preserve_chains_in_tables Hash with table:chains[] to use ferm @preserve for
+# Default value: Empty Hash
+# Allowed values: Hash with a list of tables and chains in it to preserve
+# Example: {'nat' => ['PREROUTING', 'POSTROUTING']}
 class ferm (
 Boolean $manage_service,
 Boolean $manage_configfile,
@@ -64,6 +85,7 @@ class ferm (
 Boolean $input_log_dropped_packets,
 Hash $rules,
 Array[Enum['ip','ip6']] $ip_versions,
+ Hash[String[1],Array[String[1]]] $preserve_chains_in_tables,
 ) {
 contain ferm::install
 contain ferm::config
--
cgit v1.2.3
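Review bot: The docs state `Default value: Empty Hash`, but the class signature in the following hunk declares `$preserve_chains_in_tables` without a default, so the default has to come from module data (`data/common.yaml` or similar), which this `manifests`-only diff does not show; if it was not added there, the new `include ferm` example in init.pp fails with a missing-parameter error. Worth confirming, and saying where the default lives in the comment, e.g. `# Default value: {} (set in the module's Hiera data)`.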
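Review bot: `Hash[String[1],Array[String[1]]]` accepts any non-empty string, but both keys and values are passed to the template in config.pp and end up in the generated ferm configuration, so a value containing whitespace, `;`, `}` or a newline would, depending on how the template emits it, either break the config or be parsed as additional ferm directives. iptables table names are a closed set and chain names are short identifiers, so a tighter type costs nothing: `Hash[Enum['filter','nat','mangle','raw','security'], Array[Pattern[/\A[A-Za-z0-9_.-]+\z/]]]`, loosened only if a real chain name in the fleet needs it. Even if the template sanitizes these names, the parameter type is the right place to fail early, and a `# keys/values are emitted into ferm.conf, keep them to plain identifiers` comment would record why. The class parameter list starts before this hunk.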