deploying custom tables is broken

[duritong]

You can't anymore deploy a custom config using nftables::config

We do

include "custom-*.nft"

But there is no way how you can create such a file with the reworked nftables::config, since the name is used for the filter table afterwards.

This got broken in e4c3222

CC @nbarrientos

I am trying to add a custom ip table for fail2ban: based on: https://wiki.meurisse.org/wiki/Fail2Ban and I don't think we can do it anymore with the current state of the module.

[duritong]

I guess, we should add back an original way to deploy custom-*.nft files.

[nbarrientos]

Hi @duritong

Sorry for that.

An alternative to your suggested patch to avoid an extra class could be to prefix by default the file names of all tables created with nftables::config with custom- and just reset it for the tables directly managed by the module, something like:

8b90e50

This way the required configuration for Fail2ban that you're linking could be expressed like:

  nftables::config {'ip-fail2ban':
    content => 'include "ip-fail2ban-chain-*.nft"'
  }

  nftables::chain {'f2binput':
    chain => 'input',
    table => 'ip-fail2ban',
  }

  nftables::rule { 'input-hook':
      order   => '01',
      content => 'type filter hook input priority 100',
      table   => 'ip-fail2ban',
  }

Resulting in:

table ip fail2ban {
        chain input {
                type filter hook input priority 100; policy accept;
        }
}

[nbarrientos]

I've sent a MR with the suggested changes above in case you liked that approach better :)

[nbarrientos]

Actually as an extra improvement, nftables::config could be patched to generate the include by default based on the resource name to not to have to pass that content above :)

[duritong]

yeah that sounds like a good idea.

[nbarrientos]

Ok, thanks. Everything is implemented, I believe.