--- /dev/null
+# Create an (empty) chain
+#
+# @param domain netfilter domain: ip (IPv4), ip6 (IPv6), or both.
+# @param table netfilter table
+# @param chain netfilter chain
+# @param description a description of the rule
+# @param prio Priority/Order of the rule
+define ferm::rule::chain (
+ String $chain,
+ String $description = '',
+ Variant[Enum['ip', 'ip6'], Array[Enum['ip', 'ip6']]] $domain = ['ip', 'ip6'],
+ String $table = 'filter',
+ String $prio = '10',
+) {
+ include ferm
+
+ $real_domain = Array($domain, true)
+
+ file {
+ "/etc/ferm/dsa.d/${prio}_${name}":
+ ensure => 'present',
+ mode => '0400',
+ notify => Exec['ferm reload'],
+ content => inline_template( @(EOF) ),
+ domain (<%= @real_domain.join(' ') %>) {
+ table <%= @table %> {
+ chain <% @chain %> {}
+ }
+ }
+ | EOF
+ }
+}
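Review bot: On the `chain <% @chain %> {}` line of the template the ERB tag is missing its `=`, so the chain name is evaluated but never written and the generated file declares a chain with no name; it should read `chain <%= @chain %> {}`. `$chain`, `$table` and `$prio` are plain `String` and go unescaped into the ferm configuration and, for `$prio` and the resource title, into the path `/etc/ferm/dsa.d/${prio}_${name}`, so a value containing whitespace, braces, `;` or `/` would change the rule set or the file location. A constrained type such as `Pattern[/\A[A-Za-z0-9_-]+\z/]` on those three parameters would reject such values at compile time; the title would need a separate check in the body. `$description` is documented but never used, so either write it into the file as a single-line comment or drop the parameter.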