Kaynağa Gözat
add the option to specify the family per rule to support ipv6 (#3)
Closes: #2 * add the option to specify the family per rule to support ipv6 * include policy updates for ipv6 * update documentation to mention ipv6 * Make ipv6 optional; remove spurious tabs from the readme. * set ipv6 policies only if ipv6 is enabled on the host and not explicitly turned off for this servicetags/mcp0.5^0
Dennis van Dok
7 yıl önce
4 değiştirilmiş dosya ile 51 ekleme ve 0 silme
+ 19
- 0
README.rst
Dosyayı Görüntüle
| @@ -22,6 +22,7 @@ ping | |||
| parametetrs: | |||
| iptables: | |||
| service: | |||
| enabled: True | |||
| chain: | |||
| INPUT: | |||
| rules: | |||
| @@ -88,6 +89,24 @@ Allow access from local network | |||
| source_network: 192.168.1.0/24 | |||
| jump: ACCEPT | |||
| IPv6 is supported as well | |||
| .. code-block:: yaml | |||
| parameters: | |||
| iptables: | |||
| service: | |||
| enabled: True | |||
| ipv6: True | |||
| chain: | |||
| INPUT: | |||
| rules: | |||
| - protocol: tcp | |||
| family: ipv6 | |||
| destination_port: 22 | |||
| source_network: 2001:DB8::/32 | |||
| jump: ACCEPT | |||
| Read more | |||
| ========= | |||
+ 3
- 0
iptables/_rule.sls
Dosyayı Görüntüle
| @@ -11,6 +11,9 @@ iptables_{{ chain_name }}_{{ rule_name }}: | |||
| {%- endif %} | |||
| - table: {{ rule.get('table', 'filter') }} | |||
| - chain: {{ chain_name }} | |||
| {%- if rule.family is defined %} | |||
| - family: {{ rule.family }} | |||
| {%- endif %} | |||
| {%- if rule.jump is defined %} | |||
| - jump: {{ rule.jump }} | |||
| {%- endif %} | |||
+ 10
- 0
iptables/rules.sls
Dosyayı Görüntüle
| @@ -5,9 +5,19 @@ | |||
| {%- if chain.policy is defined %} | |||
| iptables_{{ chain_name }}_policy: | |||
| iptables.set_policy: | |||
| - family: ipv4 | |||
| - chain: {{ chain_name }} | |||
| - policy: {{ chain.policy }} | |||
| - table: filter | |||
| {%- if grains.ipv6|default(False) and service.ipv6|default(True) %} | |||
| iptables_{{ chain_name }}_ipv6_policy: | |||
| iptables.set_policy: | |||
| - family: ipv6 | |||
| - chain: {{ chain_name }} | |||
| - policy: {{ chain.policy }} | |||
| - table: filter | |||
| {%- endif %} | |||
| {%- endif %} | |||
| {%- for service_name, service in pillar.items() %} | |||
+ 19
- 0
iptables/service.sls
Dosyayı Görüntüle
| @@ -36,9 +36,28 @@ iptables_{{ chain_name }}_policy: | |||
| - table: filter | |||
| - require_in: | |||
| - iptables: iptables_flush | |||
| {%- if grains.ipv6|default(False) and service.ipv6|default(True) %} | |||
| iptables_{{ chain_name }}_ipv6_policy: | |||
| iptables.set_policy: | |||
| - chain: {{ chain_name }} | |||
| - family: ipv6 | |||
| - policy: ACCEPT | |||
| - table: filter | |||
| - require_in: | |||
| - iptables: ip6tables_flush | |||
| {%- endif %} | |||
| {%- endfor %} | |||
| iptables_flush: | |||
| iptables.flush | |||
| {%- if grains.ipv6|default(False) and service.ipv6|default(True) %} | |||
| ip6tables_flush: | |||
| iptables.flush: | |||
| - family: ipv6 | |||
| {%- endif %} | |||
| {%- endif %} | |||
Yükleniyor…