fix kernel incompatibilities
authorThore Bödecker <me@foxxx0.de>
Fri, 13 Sep 2019 10:15:19 +0000 (12:15 +0200)
committerThore Bödecker <me@foxxx0.de>
Fri, 13 Sep 2019 10:48:40 +0000 (12:48 +0200)
Certain kernel modules, and thus certain iptables functionality, were only introduced in later kernel releases, so our default chain initialization procedure needs to reflect that properly.

`INPUT` chain for `nat` table was introduced with 2.6.36

`ip6table_nat` kernel module for NAT functionality with IPv6 was
introduced with 3.17

This commit implements the required conditional constraints and includes
the rspec tests to validate it.

REFERENCE.md
manifests/chain.pp
manifests/config.pp
spec/classes/ferm_spec.rb

index 32259696f20bf7911e5cf1e2eedf16845c3598f7..5ab5f0ba577acffe2db61d0784da47a3c1c35380 100644 (file)
@@ -263,6 +263,15 @@ Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
 
 Default value: 'filter'
 
+##### `ip_versions`
+
+Data type: `Array[Enum['ip','ip6']]`
+
+Set list of versions of ip we want ot use.
+Default value: $ferm::ip_versions
+
+Default value: $ferm::ip_versions
+
 ### ferm::rule
 
 This defined resource manages a single rule in a specific chain
index a01b9b440b4eeed297869023ca682824cf14c2e3..10cc9c16d14faf7fdf8e4886327c517941758021 100644 (file)
 # @param table Select the target table (filter/raw/mangle/nat)
 #   Default value: 'filter'
 #   Allowed values: (filter|raw|mangle|nat) (see Ferm::Tables type)
+# @param ip_versions Set list of versions of ip we want ot use.
+#   Default value: $ferm::ip_versions
 define ferm::chain (
   Boolean $disable_conntrack,
   Boolean $log_dropped_packets,
-  String[1] $chain                 = $name,
-  Optional[Ferm::Policies] $policy = undef,
-  Ferm::Tables $table              = 'filter',
+  String[1] $chain                     = $name,
+  Optional[Ferm::Policies] $policy     = undef,
+  Ferm::Tables $table                  = 'filter',
+  Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions,
 ) {
   # prevent unmanaged files due to new naming schema
   # keep the default "filter" chains in the original location
@@ -74,7 +77,7 @@ define ferm::chain (
     target  => $ferm::configfile,
     content => epp(
       "${module_name}/ferm-table-chain-config-include.epp", {
-        'ip'       => join($ferm::ip_versions, ' '),
+        'ip'       => join($ip_versions, ' '),
         'table'    => $table,
         'chain'    => $chain,
         'filename' => $filename,
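Review bot: `Array[Enum['ip','ip6']] $ip_versions` on the new parameter line accepts an empty array, and the second hunk then renders `'ip' => join($ip_versions, ' ')` as an empty string in the include template, producing a chain stanza with no domain at all; `Array[Enum['ip','ip6'], 1] $ip_versions = $ferm::ip_versions,` rejects that at catalog compile time instead. The new @param comment also carries the typo `ot use` — `# @param ip_versions Set list of versions of ip we want to use.`. REFERENCE.md appears to be generated from these comments, which would explain its doubled "Default value: $ferm::ip_versions" line; dropping the `#   Default value:` line from the comment, as the generator adds one itself, would avoid that. ferm::chain's body continues past the end of both hunks.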
index efabe2bb72920ea49789c183449ee87ba6fb88e9..7dae7a5a9d7de7960db3fe696a5130ebd3421e4e 100644 (file)
@@ -58,6 +58,9 @@ class ferm::config {
     log_dropped_packets => $ferm::output_log_dropped_packets,
   }
 
+  # some default chains and features depend on support from the kernel
+  $kver = $facts['kernelversion']
+
   # initialize default tables and chains
   ['PREROUTING', 'OUTPUT'].each |$raw_chain| {
     ferm::chain{"raw-${raw_chain}":
@@ -69,12 +72,28 @@ class ferm::config {
     }
   }
   ['PREROUTING', 'INPUT', 'OUTPUT', 'POSTROUTING'].each |$nat_chain| {
+    if versioncmp($kver, '3.17.0') >= 0 {
+      # supports both nat INPUT chain and ip6table_nat
+      $domains = $ferm::ip_versions
+    } elsif versioncmp($kver, '2.6.36') >= 0 {
+      # supports nat INPUT chain, but not ip6table_nat
+      if ('ip6' in $ferm::ip_versions and 'ip' in $ferm::ip_versions) {
+        $domains = ['ip']
+      }
+    } else {
+      # supports neither nat INPUT nor ip6table_nat
+      if $nat_chain == 'INPUT' { next() }
+      if ('ip6' in $ferm::ip_versions and 'ip' in $ferm::ip_versions) {
+        $domains = ['ip']
+      }
+    }
     ferm::chain{"nat-${nat_chain}":
       chain               => $nat_chain,
       policy              => 'ACCEPT',
       disable_conntrack   => true,
       log_dropped_packets => false,
       table               => 'nat',
+      ip_versions         => $domains,
     }
   }
   ['PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING'].each |$mangle_chain| {
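Review bot: `$domains` stays unassigned in the `elsif` and `else` branches of the new version check whenever `$ferm::ip_versions` does not contain both `'ip'` and `'ip6'`, so `ip_versions => $domains` then passes undef and ferm::chain falls back to its own default `$ferm::ip_versions` — on a pre-3.17 kernel configured with `['ip6']` only that recreates exactly the ip6 NAT chains the check is meant to suppress (and with `strict_variables` enabled the unassigned reference is a compile error). Deriving the list by array subtraction covers every combination, collapses the INPUT check into one condition, and lets an empty result skip the chain instead of emitting it. The `$kver = $facts['kernelversion']` line in the first hunk presumably assumes a Linux node where that fact is set; `versioncmp` on an undef value would fail, so a guard or default there may be worth considering.
```puppet
  ['PREROUTING', 'INPUT', 'OUTPUT', 'POSTROUTING'].each |$nat_chain| {
    if versioncmp($kver, '3.17.0') >= 0 {
      # supports both nat INPUT chain and ip6table_nat
      $domains = $ferm::ip_versions
    } else {
      # no ip6table_nat before 3.17: never manage ip6 nat chains here
      $domains = $ferm::ip_versions - ['ip6']
      # no nat INPUT chain before 2.6.36
      if $nat_chain == 'INPUT' and versioncmp($kver, '2.6.36') < 0 { next() }
    }
    # nothing left to manage for this chain (e.g. ip6-only config on an old kernel)
    if empty($domains) { next() }
    # … unchanged: ferm::chain{"nat-${nat_chain}": …} resource and closing brace …
```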
index 3257fcad866b9580ffa5c1ccb54203127da82c86..d400a7b028d353019c0ec4f0c96b134fcce6bfd0 100644 (file)
@@ -67,7 +67,11 @@ describe 'ferm' do
         it { is_expected.to contain_concat__fragment('raw-PREROUTING-config-include') }
         it { is_expected.to contain_concat__fragment('raw-OUTPUT-config-include') }
         it { is_expected.to contain_concat__fragment('nat-PREROUTING-config-include') }
-        it { is_expected.to contain_concat__fragment('nat-INPUT-config-include') }
+        if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+          it { is_expected.to contain_concat__fragment('nat-INPUT-config-include') }
+        else
+          it { is_expected.not_to contain_concat__fragment('nat-INPUT-config-include') }
+        end
         it { is_expected.to contain_concat__fragment('nat-OUTPUT-config-include') }
         it { is_expected.to contain_concat__fragment('nat-POSTROUTING-config-include') }
         it { is_expected.to contain_concat__fragment('mangle-PREROUTING-config-include') }
@@ -91,7 +95,11 @@ describe 'ferm' do
         it { is_expected.to contain_concat__fragment('raw-PREROUTING-policy') }
         it { is_expected.to contain_concat__fragment('raw-OUTPUT-policy') }
         it { is_expected.to contain_concat__fragment('nat-PREROUTING-policy') }
-        it { is_expected.to contain_concat__fragment('nat-INPUT-policy') }
+        if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+          it { is_expected.to contain_concat__fragment('nat-INPUT-policy') }
+        else
+          it { is_expected.not_to contain_concat__fragment('nat-INPUT-policy') }
+        end
         it { is_expected.to contain_concat__fragment('nat-OUTPUT-policy') }
         it { is_expected.to contain_concat__fragment('nat-POSTROUTING-policy') }
         it { is_expected.to contain_concat__fragment('mangle-PREROUTING-policy') }
@@ -106,7 +114,11 @@ describe 'ferm' do
           it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/raw-PREROUTING.conf') }
           it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/raw-OUTPUT.conf') }
           it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-PREROUTING.conf') }
-          it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-INPUT.conf') }
+          if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+            it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-INPUT.conf') }
+          else
+            it { is_expected.not_to contain_concat('/etc/ferm/ferm.d/chains/nat-INPUT.conf') }
+          end
           it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-OUTPUT.conf') }
           it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/nat-POSTROUTING.conf') }
           it { is_expected.to contain_concat('/etc/ferm/ferm.d/chains/mangle-PREROUTING.conf') }
@@ -121,7 +133,11 @@ describe 'ferm' do
           it { is_expected.to contain_concat('/etc/ferm.d/chains/raw-PREROUTING.conf') }
           it { is_expected.to contain_concat('/etc/ferm.d/chains/raw-OUTPUT.conf') }
           it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-PREROUTING.conf') }
-          it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-INPUT.conf') }
+          if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+            it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-INPUT.conf') }
+          else
+            it { is_expected.not_to contain_concat('/etc/ferm.d/chains/nat-INPUT.conf') }
+          end
           it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-OUTPUT.conf') }
           it { is_expected.to contain_concat('/etc/ferm.d/chains/nat-POSTROUTING.conf') }
           it { is_expected.to contain_concat('/etc/ferm.d/chains/mangle-PREROUTING.conf') }
@@ -136,7 +152,11 @@ describe 'ferm' do
         it { is_expected.to contain_ferm__chain('raw-PREROUTING') }
         it { is_expected.to contain_ferm__chain('raw-OUTPUT') }
         it { is_expected.to contain_ferm__chain('nat-PREROUTING') }
-        it { is_expected.to contain_ferm__chain('nat-INPUT') }
+        if Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')
+          it { is_expected.to contain_ferm__chain('nat-INPUT') }
+        else
+          it { is_expected.not_to contain_ferm__chain('nat-INPUT') }
+        end
         it { is_expected.to contain_ferm__chain('nat-OUTPUT') }
         it { is_expected.to contain_ferm__chain('nat-POSTROUTING') }
         it { is_expected.to contain_ferm__chain('mangle-PREROUTING') }
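Review bot: The condition `Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')` is copied verbatim into this hunk and the four preceding ones; computing it once as a local, e.g. `nat_input_supported = Gem::Version.new(facts[:kernelversion]) >= Gem::Version.new('2.6.36')`, right after the loop line that defines `facts` (presumably the enclosing `on_supported_os` block, which lies outside these hunks) and branching on `if nat_input_supported` keeps the threshold in one place. None of the added examples covers the 3.17 boundary that the commit message describes, so a regression that hands `'ip6'` back to the nat chains on an older kernel would pass; a context overriding the fact, e.g. `let(:facts) { facts.merge(kernelversion: '3.10.0') }`, with `it { is_expected.to contain_ferm__chain('nat-POSTROUTING').with(ip_versions: ['ip']) }` would pin it. `Gem::Version.new` raises on nil, so if any facts set lacks `kernelversion` the whole example group fails at load time rather than reporting a missing fact — hedged, as the facts sources are not visible here.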