Defined Type: nftables::set

Defined in:
modules/nftables/manifests/set.pp

Summary

Create a named set to be used in nftables rules

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: present)

    Ensure of the resource

  • hosts (Array[Wmflib::Host_or_network])

    An array of FQDNs, IP addresses or subnets. Hostnames are resolved to IP addresses at runtime.



# File 'modules/nftables/manifests/set.pp', line 6

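define nftables::set (
    Array[Wmflib::Host_or_network] $hosts,
    Wmflib::Ensure $ensure = present,
) {
    # Literal IP addresses/networks pass through untouched; anything else is
    # treated as a hostname and resolved via dnsquery::lookup. As a Puppet
    # function this runs at catalog compile time, so a DNS change only reaches
    # the generated set on the next agent run, not when the record changes.
    $ips = $hosts.map |$host| {
        $host ? {
            Stdlib::IP::Address => $host,
            default             => dnsquery::lookup($host, true),
        }
    }.flatten.unique

    # One set file per address family. Both files are always declared, even
    # when a family has no addresses, so that ensure/absent and any rules
    # referencing the set behave the same regardless of the resolved mix.
    # $title is used throughout (the original mixed $title and $name, which
    # are the same value for a defined type).
    $families = {
        'ipv4' => $ips.filter |$ip| { $ip =~ Stdlib::IP::Address::V4 },
        'ipv6' => $ips.filter |$ip| { $ip =~ Stdlib::IP::Address::V6 },
    }

    $families.each |String $family, Array $addrs| {
        $params = {
            'name'     => "${title}_${family}",
            'set_type' => "${family}_addr",
            'addrs'    => $addrs,
            # A set containing a prefix (anything with a '/') must carry the
            # nftables interval flag; the template is expected to emit it.
            'interval' => $addrs.any |$addr| { '/' in $addr },
        }
        @file { "/etc/nftables/sets/${title}_${family}.nft":
            ensure  => $ensure,
            mode    => '0444',
            content => epp('nftables/set.epp', $params),
            notify  => Service['nftables'],
            tag     => 'nft',
        }
    }
}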