permit to choose ipv4, ipv6 or both

diff --git a/REFERENCE.md b/REFERENCE.md
index 9425b52d67f77d214ddef4eac377b244400d0350..e9736fb0e189f8cc8df618e9371bbd9b49755dbe 100644 (file)
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -7,7 +7,7 @@
 
 _Public Classes_
 
-* [`ferm`](#ferm): Class: ferm  This class manages ferm installation and rule generation on modern linux systems  class{'ferm':   manage_service =>  true, }
+* [`ferm`](#ferm): Class: ferm  This class manages ferm installation and rule generation on modern linux systems  class{'ferm':   manage_service => true,   ip_v
 
 _Private Classes_
 
@@ -29,12 +29,13 @@ Class: ferm
 This class manages ferm installation and rule generation on modern linux systems
 
 class{'ferm':
-  manage_service =>  true,
+  manage_service => true,
+  ip_versions    =>  ['ip6'],
 }
 
 #### Examples
 
-##### deploy ferm and start it
+##### deploy ferm and start it, on node with only ipv6 enabled
 
 ```puppet
 
@@ -132,6 +133,13 @@ Enable/Disable logging in the INPUT chain of packets to the kernel log, if no ex
 Default value: false
 Allowed values: (true|false)
 
+##### `ip_versions`
+
+Data type: `Array[Enum['ip','ip6']]`
+
+Set list of versions of ip we want ot use.
+Default value: ['ip', 'ip6']
+
 ## Defined types
 
 ### ferm::chain

diff --git a/data/common.yaml b/data/common.yaml
index 938fbef3a2b6e1f492ff9d075c8167fa78fa6494..f13dcfa6852df9b54a8ce3dd97711164241075bc 100644 (file)
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -10,3 +10,6 @@ ferm::rules: {}
 ferm::input_log_dropped_packets: false
 ferm::forward_log_dropped_packets: false
 ferm::output_log_dropped_packets: false
+ferm::ip_versions:
+  - ip
+  - ip6

diff --git a/manifests/config.pp b/manifests/config.pp
index 1736fa607f746f712f7540321c7ca038c2aea48b..23ed3905cd9eced967efb219892b627e12330dba 100644 (file)
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -5,6 +5,8 @@ class ferm::config {
   # this is a private class
   assert_private("You're not supposed to do that!")
 
+  $_ip = join($ferm::ip_versions, ' ')
+
   # copy static files to ferm
   # on a long term point of view, we want to package this
   file{'/etc/ferm.d':
@@ -29,7 +31,11 @@ class ferm::config {
 
     concat::fragment{'ferm.conf':
       target  => $ferm::configfile,
-      content => epp("${module_name}/ferm.conf.epp"),
+      content => epp(
+        "${module_name}/ferm.conf.epp", {
+          'ip' => $_ip,
+          }
+      ),
       order   => '50',
     }
   }

diff --git a/manifests/init.pp b/manifests/init.pp
index 82f163c959981be0ae738c1bee32f60f36e7200d..a8b886d7950953c5e49dfd3dc766699953be3bf3 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,9 +2,10 @@
 #
 # This class manages ferm installation and rule generation on modern linux systems
 #
-# @example deploy ferm and start it
+# @example deploy ferm and start it, on node with only ipv6 enabled
 # class{'ferm':
-#   manage_service =>  true,
+#   manage_service => true,
+#   ip_versions    =>  ['ip6'],
 # }
 #
 # @param manage_service Disable/Enable the management of the ferm daemon
@@ -40,6 +41,8 @@
 # @param input_log_dropped_packets Enable/Disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
 #   Default value: false
 #   Allowed values: (true|false)
+# @param ip_versions Set list of versions of ip we want ot use.
+#   Default value: ['ip', 'ip6']
 class ferm (
   Boolean $manage_service,
   Boolean $manage_configfile,
@@ -52,6 +55,7 @@ class ferm (
   Boolean $output_log_dropped_packets,
   Boolean $input_log_dropped_packets,
   Hash $rules,
+  Array[Enum['ip','ip6']] $ip_versions,
 ) {
   contain ferm::install
   contain ferm::config

diff --git a/templates/ferm.conf.epp b/templates/ferm.conf.epp
index 42a44be952376dac7e10553324064531e9c99d14..37afca09fe5f79f20c4b15536d46b9d59fd4581e 100644 (file)
--- a/templates/ferm.conf.epp
+++ b/templates/ferm.conf.epp
@@ -1,6 +1,7 @@
+<%- | String[1] $ip | -%>
 # End custom section
 
-domain (ip ip6) table filter {
+domain (<%= $ip %>) table filter {
   chain INPUT {
     interface lo ACCEPT;
     @include '/etc/ferm.d/chains/INPUT.conf';