Defined Type: firewall::service

Defined in:
modules/firewall/manifests/service.pp

Summary

a shim define to support a common interface between ferm::service and nft::service

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • proto (Wmflib::Protocol)

    the protocol to use

  • port (Any) (defaults to: undef)

    a single port or an array of ports to configure

  • ensure (Wmflib::Ensure) (defaults to: present)

    the ensurable parameter

  • desc (Optional[String]) (defaults to: '')

    a description to add as a comment

  • prio (Integer[0,99]) (defaults to: 10)

    the priority

  • srange (Any) (defaults to: undef)

    the source range to configure

  • drange (Any) (defaults to: undef)

    the destination range to configure

  • src_sets (Optional[Array[String[1]]]) (defaults to: undef)

    An optional array of predefined sets of hosts FROM which incoming traffic is allowed (defined in profile::firewall::nftables_base_sets).

  • dst_sets (Optional[Array[String[1]]]) (defaults to: undef)

    An optional array of predefined sets of hosts TO which incoming traffic is allowed (defined in profile::firewall::nftables_base_sets).

  • notrack (Boolean) (defaults to: false)

    set the rule with no state tracking

  • port_range (Optional[Firewall::Portrange]) (defaults to: undef)


# File 'modules/firewall/manifests/service.pp', line 13

# Shim define: for one set of parameters, declares a ferm::service, an
# nftables::service, or nothing at all, depending on $firewall::provider.
# Parameter descriptions are in the puppet-strings block above this define.
#
# $port, $srange and $drange are deliberately untyped. The nftables branch
# below rejects their String forms with a conversion hint, which suggests
# the String forms are the ferm-era inputs still accepted by ferm::service
# -- confirm against ferm::service before tightening these types.
# $port_range has no @param description in the docs; its type is
# Firewall::Portrange.
define firewall::service(
    Wmflib::Protocol              $proto,
                                  $port   = undef,
    Wmflib::Ensure                $ensure = present,
    Optional[String]              $desc = '',
    Integer[0,99]                 $prio = 10,
    Optional[Firewall::Portrange] $port_range = undef,
                                  $srange = undef,
                                  $drange = undef,
    Optional[Array[String[1]]]    $src_sets = undef,
    Optional[Array[String[1]]]    $dst_sets = undef,
    Boolean                       $notrack = false,
) {
    # The firewall class provides $firewall::provider, which selects the
    # backend in the case statement below.
    include firewall

    # Title used for the ferm resource: every non-word character of $title
    # is replaced by '_'. Presumably because ferm derives a file or rule
    # name from it -- confirm against ferm::service. Note that the nftables
    # branch uses the raw $title instead.
    $escaped_title = regsubst($title, '\W', '_', 'G')

    case $firewall::provider {
        # Explicit no-op: no rule is declared when no provider is configured.
        'none': {}
        'ferm': {
            # Presumably forwards every parameter of this define unchanged
            # (wmflib::resource::dump_params), including src_sets/dst_sets.
            ferm::service { $escaped_title:
                * => wmflib::resource::dump_params(),
            }
        }
        'nftables': {

            # The nftables backend expects host/IP lists for the ranges, not
            # strings; fail early with a hint on how to convert the input.
            if $srange =~ String {
                fail('The srange needs to be passed as an array of hosts or IPs')
            }

            if $drange =~ String {
                fail('The drange needs to be passed as an array of hosts or IPs')
            }

            # Checked before the generic String check so a 'low:high' port
            # string gets the more specific hint. The pattern is unanchored,
            # so any string containing a colon-separated digit pair matches;
            # non-String values never match a Pattern and fall through.
            if $port =~ Pattern[/\d{1,5}:\d{1,5}/] {
                fail('The port needs to be converted to use a port_range')
            }

            if $port =~ String {
                fail('The port needs to be converted to an array; use a port or port_range')
            }

            # Forward all parameters except drange/srange; those are resolved
            # to IP lists via wmflib::hosts2ips. `then` only calls the lambda
            # when the value is not undef, so an unset range is passed on as
            # undef rather than handed to hosts2ips.
            nftables::service { $title:
                *       => wmflib::resource::filter_params('drange', 'srange'),
                src_ips => $srange.then |$range| { wmflib::hosts2ips($range) },
                dst_ips => $drange.then |$range| { wmflib::hosts2ips($range) },
            }
        }

        # Any other value of $firewall::provider is a configuration error.
        default: { fail('invalid provider') }
    }
}