
add the option to specify the family per rule to support ipv6 (#3)

Closes: #2 

* add the option to specify the family per rule to support ipv6

* include policy updates for ipv6

* update documentation to mention ipv6

* Make ipv6 optional; remove spurious tabs from the readme.

* set ipv6 policies only if ipv6 is enabled on the host and not explicitly turned off for this service
tags/mcp0.5^0
Dennis van Dok 7 years ago
Parent
Current commit
3bee76dcd6
4 files changed, 51 insertions, 0 deletions
  1. +19 -0 README.rst
  2. +3 -0 iptables/_rule.sls
  3. +10 -0 iptables/rules.sls
  4. +19 -0 iptables/service.sls

+19 -0 README.rst

@@ -22,6 +22,7 @@ ping
parametetrs:
iptables:
service:
enabled: True
chain:
INPUT:
rules:
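Review bot: the context line `parametetrs:` at the top of this hunk is a typo in the README example; since this commit already edits this example block, it is worth fixing to `parameters:` (the new IPv6 example further down in the same file spells it correctly).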
@@ -88,6 +89,24 @@ Allow access from local network
source_network: 192.168.1.0/24
jump: ACCEPT

IPv6 is supported as well

.. code-block:: yaml

parameters:
iptables:
service:
enabled: True
ipv6: True
chain:
INPUT:
rules:
- protocol: tcp
family: ipv6
destination_port: 22
source_network: 2001:DB8::/32
jump: ACCEPT

Read more
=========
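Review bot: the new section shows `ipv6: True` but does not say what happens when the key is omitted. According to the state changes in this same commit the option defaults to enabled and the IPv6 policy is only applied when the host reports the `ipv6` grain, so a sentence such as "`ipv6` defaults to True; set it to False to leave ip6tables untouched on a host that has the ipv6 grain" would save readers from guessing. It would also help to state that with `ipv6` enabled the chain policy is applied to ip6tables even when no `family: ipv6` rules are defined.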


+3 -0 iptables/_rule.sls

@@ -11,6 +11,9 @@ iptables_{{ chain_name }}_{{ rule_name }}:
{%- endif %}
- table: {{ rule.get('table', 'filter') }}
- chain: {{ chain_name }}
{%- if rule.family is defined %}
- family: {{ rule.family }}
{%- endif %}
{%- if rule.jump is defined %}
- jump: {{ rule.jump }}
{%- endif %}
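Review bot: the per-rule `family` is emitted whenever it is set, while the policy and flush states added in rules.sls and service.sls are gated on `grains.ipv6` and `service.ipv6`. A rule with `family: ipv6` on a host without the ipv6 grain, or in a service with `ipv6: False`, will therefore still be rendered and either fail or be applied to a table whose policy this formula does not manage; consider skipping such rules under the same condition, or failing the render with a clear message. The value is also passed through unvalidated, so anything other than `ipv4`/`ipv6` reaches the state unchanged.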

+10 -0 iptables/rules.sls

@@ -5,9 +5,19 @@
{%- if chain.policy is defined %}
iptables_{{ chain_name }}_policy:
iptables.set_policy:
- family: ipv4
- chain: {{ chain_name }}
- policy: {{ chain.policy }}
- table: filter

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ chain_name }}_ipv6_policy:
iptables.set_policy:
- family: ipv6
- chain: {{ chain_name }}
- policy: {{ chain.policy }}
- table: filter
{%- endif %}
{%- endif %}

{%- for service_name, service in pillar.items() %}
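Review bot: with `service.ipv6|default(True)` this hunk changes behaviour for existing pillars: every host that already has the `ipv6` grain will now get `{{ chain.policy }}` applied to its ip6tables chain as well, and a pillar that sets `policy: DROP` without any `family: ipv6` rules will drop all IPv6 traffic on that host, not only unsolicited inbound connections. Either default the option to False, or call this out in the README so operators add the IPv6 rules they need before the policy is applied.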

+19 -0 iptables/service.sls

@@ -36,9 +36,28 @@ iptables_{{ chain_name }}_policy:
- table: filter
- require_in:
- iptables: iptables_flush

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ chain_name }}_ipv6_policy:
iptables.set_policy:
- chain: {{ chain_name }}
- family: ipv6
- policy: ACCEPT
- table: filter
- require_in:
- iptables: ip6tables_flush
{%- endif %}

{%- endfor %}

iptables_flush:
iptables.flush

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
ip6tables_flush:
iptables.flush:
- family: ipv6
{%- endif %}


{%- endif %}
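Review bot: the condition `grains.ipv6|default(False) and service.ipv6|default(True)` is now written twice in this file (and once more in rules.sls); the `require_in: ip6tables_flush` on the new policy state only resolves because the flush block below is rendered under the identical condition, so if one copy is edited later the reference will dangle at render time. Set it once (for example `{%- set manage_ipv6 = ... %}` at the top of the file) and reuse it in all three places. Minor: `iptables_flush:` uses `iptables.flush` without a trailing colon while the new `ip6tables_flush` uses `iptables.flush:` with arguments; both are valid, but the consistent form reads better.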
