Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New parameter noflush_tables to selectivly skip flush #31

Merged
merged 1 commit into from
Dec 1, 2020
Merged

New parameter noflush_tables to selectivly skip flush #31

merged 1 commit into from
Dec 1, 2020

Conversation

traylenator
Copy link
Collaborator

Introduces a new structured fact nftables

nftables:
  tables:
    - inet-filter
    - ip-nat
    - ip6-nat
    - inet-f2b-table

By default the nft script will continue to contain nft flush ruleset

If noflush_tables is specified e.g.

class{nftables:
  noflush_tables => ['inet-f2b-table'],
}

the results script will explicity flush the other tables only.
i.e.

flush table inet filter
flush table ip nat
flush table ip6 nat

Motivation here is to allow a maintence of chain to managed by something else.
This example for fail2ban but could be docker, ...

@traylenator
Copy link
Collaborator Author

traylenator commented Nov 30, 2020
edited
Loading

We still have that duplicate flush in nft script and in the systemd unit.
If I was going to drop one I would delete the one in the systemd unit.

@traylenator
Copy link
Collaborator Author

tests fail in ruby 2.4.5 only :-(

@duritong
Copy link
Collaborator

duritong commented Nov 30, 2020
edited
Loading

{ a: 'foo' } == { :a => 'foo' }

Which is not { 'a' => 'foo' }

@traylenator
Copy link
Collaborator Author

Yes have revised by ruby hashes now.

Just surprising the the wrong thing worked with new puppet and ruby.

Rebasing.

@traylenator
New parameter noflush_tables to selectivly skip flush
03d9e7d 
Introduces a new structured fact nftables

```yaml
nftables:
  tables:
    - inet-filter
    - ip-nat
    - ip6-nat
    - inet-f2b-table
```

By default the nft script will continue to contain `nft flush ruleset`

If noflush_tables is specified e.g.

```puppet
class{nftables:
  noflush_tables => ['inet-f2b-table'],
}
```
the results script will explicity flush the other tables only.
i.e.

```
flush table inet filter
flush table ip nat
flush table ip6 nat
```

Motivation here is to allow a maintence of chain to managed by something else.
This example for fail2ban but could be docker, ...
@duritong duritong merged commit c3be15e into voxpupuli:master Dec 1, 2020
@traylenator traylenator deleted the selective branch December 2, 2020 08:41
@traylenator traylenator added the enhancement New feature or request label Dec 10, 2020
figless pushed a commit to figless/puppet-nftables that referenced this pull request Aug 25, 2021
@nbarrientos
Squashed 'code/' changes from 9fe75e3..c3be15e
2397409 
c3be15e Merge pull request voxpupuli#31 from traylenator/selective
03d9e7d New parameter noflush_tables to selectivly skip flush

git-subtree-dir: code
git-subtree-split: c3be15e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@traylenator @duritong