X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fferm%2Fmanifests%2Frule%2Fsimple.pp;h=8afe3087edc79d2ab18b6561cfe601e4638d0d5c;hb=972528da88c48db95741697fc1f862f022c78c16;hp=fff04a3ec37de04bc9691af72f141585f0f497ca;hpb=f8c796462cc0ee66e546fa66456dfd1013bca22c;p=mirror%2Fdsa-puppet.git diff --git a/modules/ferm/manifests/rule/simple.pp b/modules/ferm/manifests/rule/simple.pp index fff04a3ec..8afe3087e 100644 --- a/modules/ferm/manifests/rule/simple.pp +++ b/modules/ferm/manifests/rule/simple.pp @@ -1,4 +1,38 @@ -# a plain, simple ferm rule +# A simple ferm rule. +# +# This rule will send IPv4 and/or IPv6 traffic using either TCP and/or UDP +# optionally going to a port, optionally from/to addresses/networks from +# one table (INPUT by default) to some target (ACCEPT by default). +# +# Sample uses: +# +# ferm::rule::simple { '01-dsa-bind': +# description => 'Allow nameserver access', +# proto => ['udp', 'tcp'], +# port => 'domain', +# } +# +# or: +# +# ferm::rule::simple { 'dsa-smtp': +# description => 'Allow smtp access from the world', +# port => '25', +# } +# +# or: +# +# @@ferm::rule::simple { "submission-from-${::fqdn}": +# tag => 'smtp::server::submission::to::mail-relay', +# chain => 'submission', +# saddr => $base::public_addresses, +# } +# combined with: +# ferm::rule::simple { 'submission-from-satellites': +# target => 'submission', +# port => 'submission', +# } +# Ferm::Rule::Simple <<| tag == 'smtp::server::submission::to::mail-relay' |>> +# # # @param proto tcp or udp or both. # @param port one or more ports or port ranges. @@ -43,7 +77,12 @@ define ferm::rule::simple ( domain (<%= @real_domain.join(' ') %>) { table <%= @table %> { <%- + # netfilter chain names are limited to 28 characters, so if name is too long, we'll have to do something about that name = @name + if name.size > 20 then + require 'digest' + name = 'dgst-' + Digest::SHA256.hexdigest(name)[0,15] + end tail = "jump #{@target}" -%> <%=
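Review bot: The threshold in the added `if name.size > 20 then` does not match the limit the new comment gives (28 characters), so a name of 21–28 characters is hashed although netfilter would accept it verbatim; if the extra headroom is deliberate (for instance because something further down the template appends to the chain name), the comment should say so, otherwise the check should read `if name.size > 28`. The hashed form `dgst-` plus 15 hex digits also removes any visible link between the netfilter chain and the ferm rule it was generated from, which makes auditing a live ruleset harder, so consider emitting the original `@name` as a comment in the generated ferm configuration next to the chain, e.g. `# ferm::rule::simple '<%= @name %>'`. The 15-hex-digit prefix keeps 60 bits of the digest, which is adequate for accidental collisions between manifest-supplied names, but the comment should state that the mapping is lossy and deterministic on `@name` only. As a point of style, `then` on a multi-line `if` and `[0,15]` without a space after the comma are non-idiomatic Ruby. The enclosing template and `define` body continue outside the hunk.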