aboutsummaryrefslogtreecommitdiff
path: root/manifests/ipset.pp
blob: 7262cc3e78c92080b65a6d561ed9c88e1ca3cfd9 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

#
# @summary a defined resource that can match for ipsets at the top of a chain. This is a per-chain resource. You cannot mix IPv4 and IPv6 sets.
#
# @see http://ferm.foo-projects.org/download/2.1/ferm.html#set
#
# @example Create an iptables rule that allows traffic that matches the ipset `internet`
#   ferm::ipset { 'CONSUL':
#     sets => {
#       'internet' => 'ACCEPT'
#     },
#   }
#
# @example create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
#   ferm::ipset { 'INPUT':
#     prepend_to_chain => false,
#     table            => 'filter',
#     ip_version       => 'ip6',
#     sets             => {
#       'testset01'      => 'ACCEPT',
#       'anothertestset' => 'DROP'
#     },
#   }
#
# @param sets
#   A hash with multiple sets. For each hash you can provide an action like `DROP` or `ACCEPT`.
# @param chain
#   name of the chain we want to apply those rules to. The name of the defined resource will be used as default value for this.
#
# @param table
#   name of the table where we want to apply  this. Defaults to `filter` because that's the most common usecase.
#
# @param ip_version
#   sadly, ip sets are version specific. You cannot mix IPv4 and IPv6 addresses. Because of this you need to provide the version.
#
# @param prepend_to_chain
#   By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
#
define ferm::ipset (
  Hash[String[1], Ferm::Actions] $sets,
  String[1]                      $chain            = $name,
  Ferm::Tables                   $table            = 'filter',
  Enum['ip','ip6']               $ip_version       = 'ip',
  Boolean                        $prepend_to_chain = true,
) {
  $suffix = $prepend_to_chain ? {
    true  => 'aaa',
    false => 'ccc',
  }

  # make sure the generated snippet is actually included
  concat::fragment { "${table}-${chain}-${name}":
    target  => $ferm::configfile,
    content => epp(
      "${module_name}/ferm-chain-ipset.epp", {
        'ip'    => $ip_version,
        'table' => $table,
        'chain' => $chain,
        'sets'  => $sets,
      }
    ),
    order   => "${table}-${chain}-${suffix}",
  }
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-01 13:47:51 +0000