Puppet Class: nftables

Defined in:
modules/nftables/manifests/init.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: 'absent') 


2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
 
# File 'modules/nftables/manifests/init.pp', line 2

class nftables (
    Wmflib::Ensure $ensure = 'absent',
) {
    if debian::codename::eq('buster') and $ensure == 'present' {
        # nftables in buster is too old to correctly include externally defined
        # set, see https://phabricator.wikimedia.org/T354279
        apt::package_from_bpo { 'nftables_buster_bpo':
            packages => ['libnftnl11', 'libnftables1', 'nftables'],
            distro   => 'buster',
        }
    } else {
        package { 'nftables':
            ensure => $ensure,
        }
    }

    # if we want the service to be stopped, it indicates we actually don't want this unit running
    # this may prevent accidents in servers whose firewall is managed by others (e.g, neutron)
    if $ensure == 'absent' {
        systemd::mask { 'nftables.service': }
    }
    if $ensure == 'present' {
        systemd::unmask { 'nftables.service': }
    }

    $nft_main_file = '/etc/nftables/main.nft' # used in the systemd template
    systemd::service { 'nftables':
        ensure         => $ensure,
        content        => systemd_template('nftables'),
        override       => true,
        service_params => {
            hasrestart => true,
            restart    => '/usr/bin/systemctl reload nftables'
        }
    }

    # create a directory to hold the nftables main config
    file { '/etc/nftables/':
        ensure  => 'directory',
        purge   => true,
        recurse => true,
    }

    # For Puppet roles to declare sets of servers, included by the main config
    file { '/etc/nftables/sets':
        ensure  => 'directory',
        purge   => true,
        recurse => true,
    }

    # For Puppet roles to declare incoming traffic, included by the main config
    file { '/etc/nftables/input':
        ensure  => 'directory',
        purge   => true,
        recurse => true,
    }

    # For Puppet roles to declare outgoing traffic, included by the main config
    file { '/etc/nftables/output':
        ensure  => 'directory',
        purge   => true,
        recurse => true,
    }

    # For Puppet roles to define outbound DSCP markings, included by the main config
    file { '/etc/nftables/postrouting':
        ensure  => 'directory',
        purge   => true,
        recurse => true,
    }

    # For Puppet roles to declare exceptions from connection tracking for
    # traffic, included by the main config
    file { '/etc/nftables/notrack':
        ensure  => 'directory',
        purge   => true,
        recurse => true,
    }

    # deploy the basic configuration file, i.e, the basic nftables ruleset skeleton
    file { $nft_main_file:
        ensure  => $ensure,
        source  => 'puppet:///modules/nftables/main.nft',
        require => File['/etc/nftables'],
        notify  => Service['nftables'],
    }

    # cleanup the file shipped with the debian package, we don't use it
    file { '/etc/nftables.conf':
        ensure => 'absent',
    }

    File <| tag == 'nft' |>
}