Commit ab49aac 1 parent 712b8b3 commit ab49aac Copy full SHA for ab49aac
File tree 2 files changed +16
-1
lines changed
2 files changed +16
-1
lines changed Original file line number Diff line number Diff line change 1010# },
1111# }
1212#
13+ # @example Create an iptables rule that allows outbound traffic that matches the ipset `internet`
14+ # ferm::ipset { 'allow_outbound_ipsets':
15+ # table => 'OUTPUT',
16+ # match => 'dst',
17+ # sets => {
18+ # 'internet' => 'ACCEPT'
19+ # },
20+ # }
21+ #
1322# @example create two matches for IPv6, both at the end of the `INPUT` chain. Explicitly mention the `filter` table.
1423# ferm::ipset { 'INPUT':
1524# prepend_to_chain => false,
3544# @param prepend_to_chain
3645# By default, ipset rules are added to the top of the chain. Set this to false to append them to the end instead.
3746#
47+ # @param match
48+ # Define if 'sets' should match for 'src' or 'dst'. Default: 'src'
49+ #
3850define ferm::ipset (
3951 Hash[String[1], Ferm::Actions] $sets ,
4052 String[1] $chain = $name,
4153 Ferm::Tables $table = ' filter'
4254 Enum['ip','ip6'] $ip_version = ' ip'
4355 Boolean $prepend_to_chain = true ,
56+ Enum['dst', 'src'] $match = ' src'
4457) {
4558 $suffix = $prepend_to_chain ? {
4659 true => ' aaa'
5669 ' table' $table ,
5770 ' chain' $chain ,
5871 ' sets' $sets ,
72+ ' match' $match ,
5973 }
6074 ),
6175 order => " ${table} -${chain} -${suffix} "
Original file line number Diff line number Diff line change 22Ferm::Tables $table,
33String[1] $chain,
44Hash[String[1], Ferm::Actions] $sets,
5+ Enum['dst', 'src'] $match,
56| -%>
67
78domain (<%= $ip %>) table <%= $table %> {
89 chain <%= $chain %> {
910 <%- $sets.each |$ipset, $action| { -%>
10- mod set set <%= $ipset %> src <%= $action %>;
11+ mod set set <%= $ipset %> <%= $match %> <%= $action %>;
1112 <%- } -%>
1213 }
1314}
You can’t perform that action at this time.
0 commit comments