}
```
-##### create a custom chain, e.g. for managing custom FORWARD chain rule for OpenVPN using custom ferm DSL.
-
-```puppet
-$my_rules = @(EOT)
-chain OPENVPN_FORWORD_RULES {
- proto udp {
- interface tun0 {
- outerface enp4s0 {
- mod conntrack ctstate (NEW) saddr @ipfilter((10.8.0.0/24)) ACCEPT;
- }
- }
- }
-}
-| EOT
-
-ferm::chain{'OPENVPN_FORWORD_RULES':
- chain => 'OPENVPN_FORWORD_RULES',
- content => $my_rules,
-}
-
-ferm::rule { "OpenVPN - FORWORD all udp traffic from network 10.8.0.0/24 to subchain OPENVPN_FORWORD_RULES":
- chain => 'FORWARD',
- action => 'OPENVPN_FORWORD_RULES',
- saddr => '10.8.0.0/24',
- proto => 'udp',
-}
-```
-
#### Parameters
The following parameters are available in the `ferm::chain` defined type.
##### `ip_versions`
-Data type: `Array[Enum['ip','ip6']]`
+Data type: `Array[Enum['ip', 'ip6']]`
Set list of versions of ip we want ot use.
##### `content`
-Data type: `Optional[String]`
+Data type: `Optional[String[1]]`
-Can only be used for custom chains. It allows you to provide your own ferm rules for this chain. Sets the contents of this custom chain to provided value.
-Default value: undef
+
+Default value: `undef`
### ferm::ipset
chain => 'INPUT',
action => 'SSH',
proto => 'tcp',
- dport => '22',
+ dport => 22,
}
```
chain => 'SSH',
action => 'ACCEPT',
proto => 'tcp',
- dport => '22',
+ dport => 22,
saddr => '127.0.0.1',
}
```
##### `dport`
-Data type: `Optional[Variant[Stdlib::Port,String[1]]]`
+Data type: `Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]]`
-The destination port, can be a range as string or a single port number as integer
+The destination port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher)
Default value: `undef`
##### `sport`
-Data type: `Optional[Variant[Stdlib::Port,String[1]]]`
+Data type: `Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]]`
-The source port, can be a range as string or a single port number as integer
+The source port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher)
Default value: `undef`
# chain => 'INPUT',
# action => 'SSH',
# proto => 'tcp',
-# dport => '22',
+# dport => 22,
# }
#
# @example Create a rule in the 'SSH' chain to allow connections from localhost
# chain => 'SSH',
# action => 'ACCEPT',
# proto => 'tcp',
-# dport => '22',
+# dport => 22,
# saddr => '127.0.0.1',
# }
#
# @param policy Configure what we want to do with the packet (drop/accept/reject, can also be a target chain name) [DEPRECATED]
# Default value: undef
# Allowed values: (RETURN|ACCEPT|DROP|REJECT|NOTRACK|LOG|MARK|DNAT|SNAT|MASQUERADE|REDIRECT|String[1])
-# @param dport The destination port, can be a range as string or a single port number as integer
-# @param sport The source port, can be a range as string or a single port number as integer
+# @param dport The destination port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher)
+# @param sport The source port, can be a single port number as integer or an Array of integers (which will then use the multiport matcher)
# @param saddr The source address we want to match
# @param daddr The destination address we want to match
# @param proto_options Optional parameters that will be passed to the protocol (for example to match specific ICMP types)
String $comment = $name,
Optional[Ferm::Actions] $action = undef,
Optional[Ferm::Policies] $policy = undef,
- Optional[Variant[Stdlib::Port,String[1]]] $dport = undef,
- Optional[Variant[Stdlib::Port,String[1]]] $sport = undef,
+ Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $dport = undef,
+ Optional[Variant[Stdlib::Port,Array[Stdlib::Port]]] $sport = undef,
Optional[Variant[Array, String[1]]] $saddr = undef,
Optional[Variant[Array, String[1]]] $daddr = undef,
Optional[String[1]] $proto_options = undef,
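Review bot: The new `Array[Stdlib::Port]` types for `$dport` and `$sport` still admit an empty array, which passes the type check and is then rendered by the `$dport_real`/`$sport_real` hunk below as `dports ()` / `sports ()`, an empty port list in the generated ferm config instead of a catalog failure. Requiring at least one element keeps the invalid case at compile time: `Optional[Variant[Stdlib::Port,Array[Stdlib::Port,1]]] $dport = undef,` and the same for `$sport`. Dropping `String[1]` is the right direction, since the removed selector interpolated that string unquoted into the rule, but it also removes port ranges such as `'1024:65535'`; that is a breaking change that should be stated in the changelog and in the `@param` lines above. The enclosing `ferm::rule` definition starts and ends outside this hunk.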
String => "proto ${proto}",
}
- $dport_real = $dport ? {
- undef => '',
- default => "dport ${dport}",
+ # ferm supports implicit multiport using the "dports" shortcut
+ if $dport =~ Array {
+ $dports = join($dport, ' ')
+ $dport_real = "dports (${dports})"
+ } elsif $dport =~ Integer {
+ $dport_real = "dport ${dport}"
+ } else {
+ $dport_real = ''
}
- $sport_real = $sport ? {
- undef => '',
- default => "sport ${sport}",
+
+ # ferm supports implicit multiport using the "sports" shortcut
+ if $sport =~ Array {
+ $sports = join($sport, ' ')
+ $sport_real = "sports (${sports})"
+ } elsif $sport =~ Integer {
+ $sport_real = "sport ${sport}"
+ } else {
+ $sport_real = ''
}
+
if $saddr =~ Array {
assert_type(Array[Stdlib::IP::Address], flatten($saddr)) |$expected, $actual| {
fail( "The data type should be \'${expected}\', not \'${actual}\'. The data is ${flatten($saddr)}." )
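Review bot: The two new if/elsif/else chains for `$dport_real` and `$sport_real` are copies of the same three-way dispatch, which the removed code expressed as a selector; a selector with type cases keeps that compact form: `$dport_real = $dport ? { Array => "dports (${join($dport, ' ')})", Integer => "dport ${dport}", default => '' }` and likewise for `$sport_real`. Under the declared parameter types the `else`/`default` branch can only ever see `undef`, which the comment should say, e.g. `# undef: no port match is emitted`. The enclosing definition continues outside the hunk.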
{
chain: 'INPUT',
proto: 'tcp',
- dport: '22',
+ dport: 22,
saddr: '127.0.0.1'
}
end
policy: 'ACCEPT',
action: 'ACCEPT',
proto: 'tcp',
- dport: '22',
+ dport: 22,
saddr: '127.0.0.1'
}
end
chain: 'INPUT',
policy: 'ACCEPT',
proto: 'tcp',
- dport: '22',
+ dport: 22,
saddr: '127.0.0.1'
}
end
chain: 'INPUT',
action: 'ACCEPT',
proto: 'tcp',
- dport: '22',
+ dport: 22,
saddr: '127.0.0.1'
}
end
chain: 'INPUT',
action: 'ACCEPT',
proto: 'tcp',
- dport: '22',
+ dport: 22,
saddr: '127.0.0.1',
interface: 'eth0'
}
chain: 'INPUT',
action: 'ACCEPT',
proto: 'tcp',
- dport: '22',
+ dport: 22,
daddr: ['127.0.0.1', '123.123.123.123', ['10.0.0.1', '10.0.0.2']],
interface: 'eth0'
}
chain: 'INPUT',
action: 'ACCEPT',
proto: %w[tcp udp],
- dport: '(8301 8302)',
+ dport: [8301, 8302],
saddr: '127.0.0.1'
}
end
it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_concat__fragment('INPUT-filter-consul').with_content("mod comment comment 'filter-consul' proto (tcp udp) dport (8301 8302) saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
+ it { is_expected.to contain_concat__fragment('INPUT-filter-consul').with_content("mod comment comment 'filter-consul' proto (tcp udp) dports (8301 8302) saddr @ipfilter((127.0.0.1)) ACCEPT;\n") }
it { is_expected.to contain_concat__fragment('filter-INPUT-config-include') }
it { is_expected.to contain_concat__fragment('filter-FORWARD-config-include') }
it { is_expected.to contain_concat__fragment('filter-OUTPUT-config-include') }
chain: 'INPUT',
action: 'SSH',
proto: 'tcp',
- dport: '22'
+ dport: 22
}
end
chain: 'SSH',
action: 'ACCEPT',
proto: 'tcp',
- dport: '22',
+ dport: 22,
saddr: '127.0.0.1'
}
end