Defined Type: ferm::ipset

Defined in:
manifests/ipset.pp

Summary

A defined resource that inserts ipset match rules into a chain, by default at the top of that chain (see prepend_to_chain). This is a per-chain resource: one instance manages the ipset rules for one chain in one table. A single instance cannot mix IPv4 and IPv6 sets; use separate instances with different ip_version values for the same chain.

Overview

Examples:

Create an iptables rule in the `CONSUL` chain that allows traffic matching the ipset `internet`:

ferm::ipset { 'CONSUL':
  sets => {
    'internet' => 'ACCEPT'
  },
}

Create two matches for IPv6, both at the end of the `INPUT` chain, explicitly naming the `filter` table:

ferm::ipset { 'INPUT':
  prepend_to_chain => false,
  table            => 'filter',
  ip_version       => 'ip6',
  sets             => {
    'testset01'      => 'ACCEPT',
    'anothertestset' => 'DROP'
  },
}

Parameters:

  • sets (Hash[String[1], Ferm::Actions])

A hash of sets to match. Each key is the name of an existing ipset and its value is the action taken for traffic that matches the set, such as `DROP` or `ACCEPT`.

  • chain (String[1]) (defaults to: $name)

Name of the chain the rules are applied to. The title of the defined resource is used as the default. Set it explicitly when more than one ferm::ipset resource targets the same chain (for example one IPv4 and one IPv6 instance), because each resource still needs a unique title.

  • table (Ferm::Tables) (defaults to: 'filter')

Name of the table the rules are applied to. Defaults to `filter` because that is the most common use case.

  • ip_version (Enum['ip','ip6']) (defaults to: 'ip')

Ipsets are address-family specific: a set holds either IPv4 or IPv6 entries, never both, so the generated rule has to be emitted for the matching IP version. Set this to `ip6` for sets that hold IPv6 addresses.

  • prepend_to_chain (Boolean) (defaults to: true)

By default, the ipset rules are added to the top of the chain, so they are evaluated before the chain's other rules. Set this to false to append them to the end of the chain instead.
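The following manifest is an added example, not code from the puppet-ferm module or its documentation. It combines the parameters above for one chain: an IPv4 allowlist prepended to `INPUT`, an IPv4 blocklist appended to it, and an IPv6 allowlist in its own resource because ip_version is per resource. The set names (`allow4`, `block4`, `allow6`) and the Exec resources that create the sets are assumptions for this example; the module only references sets, it does not create them, and iptables refuses a `--match-set` rule for a set that does not exist, which would make ferm fail to load the ruleset. The example assumes `include ferm` is declared elsewhere in the catalog.

```puppet
# Added example, not part of puppet-ferm. Set names and the Exec-based set
# creation are assumptions; the ferm class is assumed to be declared elsewhere.

# ferm loads the ruleset through iptables, and "-m set --match-set NAME"
# is rejected when NAME does not exist. Create the sets before the ferm
# class applies the configuration. 'ipset list NAME' exits non-zero for a
# missing set, so it works as the 'unless' guard.
['allow4', 'block4'].each |String $set| {
  exec { "ipset-create-${set}":
    command => "ipset create ${set} hash:net family inet",
    unless  => "ipset list ${set}",
    path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
    before  => Class['ferm'],
  }
}

# IPv6 sets need the inet6 family; they cannot share a set with IPv4 entries.
exec { 'ipset-create-allow6':
  command => 'ipset create allow6 hash:net family inet6',
  unless  => 'ipset list allow6',
  path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
  before  => Class['ferm'],
}

# IPv4 on INPUT: the allowlist is prepended (evaluated first), the blocklist
# is appended. Both resources target the same chain, so each gets its own
# title and the chain is passed explicitly instead of taken from the title.
ferm::ipset { 'INPUT-v4-allow':
  chain => 'INPUT',
  sets  => { 'allow4' => 'ACCEPT' },
}

ferm::ipset { 'INPUT-v4-block':
  chain            => 'INPUT',
  prepend_to_chain => false,
  sets             => { 'block4' => 'DROP' },
}

# IPv6 cannot be mixed into the resources above: ip_version applies to the
# whole resource, so the IPv6 set gets a separate instance on the same chain.
ferm::ipset { 'INPUT-v6-allow':
  chain      => 'INPUT',
  ip_version => 'ip6',
  sets       => { 'allow6' => 'ACCEPT' },
}
```

The Exec resources only create empty sets for the current boot; whatever populates them (and restores them after a reboot, for example `ipset restore` from a saved dump) must also run before ferm loads the ruleset, otherwise the ruleset load fails on the missing set.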

# File 'manifests/ipset.pp', line 38

define ferm::ipset (
  Hash[String[1], Ferm::Actions] $sets,
  String[1]                      $chain            = $name,
  Ferm::Tables                   $table            = 'filter',
  Enum['ip','ip6']               $ip_version       = 'ip',
  Boolean                        $prepend_to_chain = true,
) {
  # The concat order is "<table>-<chain>-<suffix>". 'aaa' sorts early among
  # the chain's fragments (top of the chain), 'ccc' sorts late (end of it).
  $suffix = $prepend_to_chain ? {
    true  => 'aaa',
    false => 'ccc',
  }

  # Render the ipset matches from the EPP template and add them to the
  # ferm configuration file. The fragment title includes $name so several
  # ferm::ipset resources can target the same chain without clashing.
  concat::fragment { "${table}-${chain}-${name}":
    target  => $ferm::configfile,
    content => epp(
      "${module_name}/ferm-chain-ipset.epp", {
        'ip'    => $ip_version,
        'table' => $table,
        'chain' => $chain,
        'sets'  => $sets,
      }
    ),
    order   => "${table}-${chain}-${suffix}",
  }
}