Puppet Class: weave::firewall::weave

Defined in:
manifests/firewall/weave.pp

Overview



# File 'manifests/firewall/weave.pp', line 2

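# Firewall rules that let Weave traffic cross the Docker bridge and be
# NATed on the way in and out. Each resource is preceded by the iptables
# line it reproduces (`### > ...`).
#
# Inputs (top-scope facts, both optional):
#   $::weave_router_ip_on_docker_bridge - IPv4 address of the weave router
#       container on docker0. The four 6783 FORWARD/DNAT rules are only
#       declared when this is a valid IP address.
#   $::network_weave - network address of the weave overlay. The two
#       MASQUERADE rules are only declared when this is a valid IP address.
#       The prefix length is hard-coded to /24, matching the iptables lines
#       these rules were transcribed from.
#
# NOTE(review): the 6783 FORWARD/DNAT rules match on `! -i docker0` with no
# source restriction, so the weave router port is reachable from every
# non-docker interface on the host. Whether that is acceptable depends on
# filtering that is not visible here (host INPUT chain, upstream network,
# weave's own password/encryption configuration) -- confirm.
#
# NOTE(review): the POSTROUTING jump and the MASQUERADE rules reference the
# nat-table WEAVE chain, but this class declares no `firewallchain` for it.
# If weave has not created that chain by the time the catalog is applied,
# those rules will fail to install -- confirm ordering against the weave
# setup.
#
# NOTE(review): is_ip_address() also accepts IPv6 addresses, while the
# "/32", "/24" and "ip:port" strings below are only meaningful for IPv4.
class weave::firewall::weave {

  $weave_router_ip = $::weave_router_ip_on_docker_bridge
  $network_weave   = $::network_weave
  # Weave router control/data port (tcp and udp); same value everywhere below.
  $weave_port      = '6783'

  ### > -A POSTROUTING -j WEAVE
  firewall { '00101 nat table, POSTROUTING chain jumped to WEAVE chain':
    table => 'nat',
    chain => 'POSTROUTING',
    proto => 'all',
    jump  => 'WEAVE',
  }

  ### > -A FORWARD -i weave -o weave -j ACCEPT
  firewall { '00101 permit FORWARDED packets over weave bridge':
    table    => 'filter',
    chain    => 'FORWARD',
    iniface  => 'weave',
    outiface => 'weave',
    proto    => 'all',
    action   => 'accept',
  }

  # Rules that need the router's bridge address; skipped when the fact is
  # absent or not an IP address so we never emit a rule with an empty host.
  if is_ip_address( $weave_router_ip ) {

    ### > -A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p udp -m udp --dport 6783 -j ACCEPT
    firewall { '06783 accept and forward weave routing udp packets to weave router, when not from docker interface':
      chain       => 'FORWARD',
      action      => 'accept',
      destination => "${weave_router_ip}/32",
      iniface     => '! docker0',
      outiface    => 'docker0',
      proto       => 'udp',
      dport       => $weave_port,
    }

    ### > -A FORWARD -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6783 -j ACCEPT
    firewall { '06783 accept and forward weave routing tcp packets to weave router, when not from docker interface':
      chain       => 'FORWARD',
      action      => 'accept',
      destination => "${weave_router_ip}/32",
      iniface     => '! docker0',
      outiface    => 'docker0',
      proto       => 'tcp',
      dport       => $weave_port,
    }

    ### > -A DOCKER ! -i docker0 -p tcp -m tcp --dport 6783 -j DNAT --to-destination 172.17.0.2:6783
    firewall { '00101 nat table, DOCKER chain, weave routing tcp packets jumped to DNAT chain and weave router':
      table   => 'nat',
      chain   => 'DOCKER',
      proto   => 'tcp',
      iniface => '! docker0',
      dport   => $weave_port,
      jump    => 'DNAT',
      todest  => "${weave_router_ip}:${weave_port}",
    }

    ### > -A DOCKER ! -i docker0 -p udp -m udp --dport 6783 -j DNAT --to-destination 172.17.0.2:6783
    firewall { '00101 nat table, DOCKER chain, weave routing udp packets jumped to DNAT chain and weave router':
      table   => 'nat',
      chain   => 'DOCKER',
      proto   => 'udp',
      iniface => '! docker0',
      dport   => $weave_port,
      jump    => 'DNAT',
      todest  => "${weave_router_ip}:${weave_port}",
    }

  }

  # Masquerade traffic entering and leaving the overlay network; skipped
  # when the network fact is absent or not an IP address.
  if is_ip_address( $network_weave ) {

    ### > -A WEAVE ! -s 10.0.1.0/24 -o weave -j MASQUERADE
    firewall { '00101 nat table, WEAVE chain, MASQUERADE non-weave bridge packets to weave bridge':
      table    => 'nat',
      chain    => 'WEAVE',
      source   => "! ${network_weave}/24",
      outiface => 'weave',
      proto    => 'all',
      jump     => 'MASQUERADE',
    }

    ### > -A WEAVE -s 10.0.1.0/24 ! -o weave -j MASQUERADE
    firewall { '00101 nat table, WEAVE chain, MASQUERADE weave bridge packets bound beyond weave bridge':
      table    => 'nat',
      chain    => 'WEAVE',
      source   => "${network_weave}/24",
      outiface => '! weave',
      proto    => 'all',
      jump     => 'MASQUERADE',
    }

  }

}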