aboutsummaryrefslogtreecommitdiff
path: root/manifests/rule.pp
blob: 6f448f928a39e4d7b0d0a968adda9f1917b4406f (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

# defined resource which creates a single rule in a specific chain
# @param chain Configure the chain where we want to add the rule
# @param policy Configure what we want to do with the packet (drop, accept, log...)
# @param proto Which protocol do we want to match, typically UDP or TCP
# @param comment A comment that will be added to the ferm config and to ip{,6}tables
# @param dport The destination port, can be a range as string or a single port number as integer
# @param sport The source port, can be a range as string or a single port number as integer
# @param saddr The source address we want to match
# @param daddr The destination address we want to match
# @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
# @param ensure Set the rule to present or absent
define ferm::rule (
  Ferm::Chains $chain,
  Ferm::Policies $policy,
  Ferm::Protocols $proto,
  String $comment = $name,
  Optional[Variant[Integer,String]] $dport = undef,
  Optional[Variant[Integer,String]] $sport = undef,
  Optional[String] $saddr = undef,
  Optional[String] $daddr = undef,
  Optional[String[1]] $proto_options = undef,
  Enum['absent','present'] $ensure = 'present',
){
  $proto_real = "proto ${proto}"

  $dport_real = $dport ? {
    undef   => '',
    default => "dport ${dport}",
  }
  $sport_real = $sport ? {
    undef   => '',
    default => "sport ${sport}",
  }
  $saddr_real = $saddr ? {
    undef   => '',
    default => "saddr @ipfilter(${saddr})",
  }
  $daddr_real = $daddr ? {
    undef   =>  '',
    default => "daddr @ipfilter(${daddr})"
  }
  $proto_options_real = $proto_options ? {
    undef   =>  '',
    default => $proto_options
  }
  $comment_real = "mod comment comment '${comment}'"

  $rule = squeeze("${comment_real} ${proto_real} ${proto_options_real} ${dport_real} ${sport_real} ${daddr_real} ${saddr_real} ${policy};", ' ')
  if $ensure == 'present' {
    concat::fragment{"${chain}-${name}":
      target  => "/etc/ferm.d/chains/${chain}.conf",
      content => "${rule}\n",
    }
  }
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-18 11:59:21 +0000