Browse Source
add the option to specify the family per rule to support ipv6 (#3)
Closes: #2 * add the option to specify the family per rule to support ipv6 * include policy updates for ipv6 * update documentation to mention ipv6 * Make ipv6 optional; remove spurious tabs from the readme. * set ipv6 policies only if ipv6 is enabled on the host and not explicitly turned off for this servicetags/mcp0.5^0
Dennis van Dok
7 years ago
4 changed files with 51 additions and 0 deletions
+ 19
- 0
README.rst
View File
| parametetrs: | parametetrs: | ||||
| iptables: | iptables: | ||||
| service: | service: | ||||
| enabled: True | |||||
| chain: | chain: | ||||
| INPUT: | INPUT: | ||||
| rules: | rules: | ||||
| source_network: 192.168.1.0/24 | source_network: 192.168.1.0/24 | ||||
| jump: ACCEPT | jump: ACCEPT | ||||
| IPv6 is supported as well | |||||
| .. code-block:: yaml | |||||
| parameters: | |||||
| iptables: | |||||
| service: | |||||
| enabled: True | |||||
| ipv6: True | |||||
| chain: | |||||
| INPUT: | |||||
| rules: | |||||
| - protocol: tcp | |||||
| family: ipv6 | |||||
| destination_port: 22 | |||||
| source_network: 2001:DB8::/32 | |||||
| jump: ACCEPT | |||||
| Read more | Read more | ||||
| ========= | ========= | ||||
+ 3
- 0
iptables/_rule.sls
View File
| {%- endif %} | {%- endif %} | ||||
| - table: {{ rule.get('table', 'filter') }} | - table: {{ rule.get('table', 'filter') }} | ||||
| - chain: {{ chain_name }} | - chain: {{ chain_name }} | ||||
| {%- if rule.family is defined %} | |||||
| - family: {{ rule.family }} | |||||
| {%- endif %} | |||||
| {%- if rule.jump is defined %} | {%- if rule.jump is defined %} | ||||
| - jump: {{ rule.jump }} | - jump: {{ rule.jump }} | ||||
| {%- endif %} | {%- endif %} |
+ 10
- 0
iptables/rules.sls
View File
| {%- if chain.policy is defined %} | {%- if chain.policy is defined %} | ||||
| iptables_{{ chain_name }}_policy: | iptables_{{ chain_name }}_policy: | ||||
| iptables.set_policy: | iptables.set_policy: | ||||
| - family: ipv4 | |||||
| - chain: {{ chain_name }} | - chain: {{ chain_name }} | ||||
| - policy: {{ chain.policy }} | - policy: {{ chain.policy }} | ||||
| - table: filter | - table: filter | ||||
| {%- if grains.ipv6|default(False) and service.ipv6|default(True) %} | |||||
| iptables_{{ chain_name }}_ipv6_policy: | |||||
| iptables.set_policy: | |||||
| - family: ipv6 | |||||
| - chain: {{ chain_name }} | |||||
| - policy: {{ chain.policy }} | |||||
| - table: filter | |||||
| {%- endif %} | |||||
| {%- endif %} | {%- endif %} | ||||
| {%- for service_name, service in pillar.items() %} | {%- for service_name, service in pillar.items() %} |
+ 19
- 0
iptables/service.sls
View File
| - table: filter | - table: filter | ||||
| - require_in: | - require_in: | ||||
| - iptables: iptables_flush | - iptables: iptables_flush | ||||
| {%- if grains.ipv6|default(False) and service.ipv6|default(True) %} | |||||
| iptables_{{ chain_name }}_ipv6_policy: | |||||
| iptables.set_policy: | |||||
| - chain: {{ chain_name }} | |||||
| - family: ipv6 | |||||
| - policy: ACCEPT | |||||
| - table: filter | |||||
| - require_in: | |||||
| - iptables: ip6tables_flush | |||||
| {%- endif %} | |||||
| {%- endfor %} | {%- endfor %} | ||||
| iptables_flush: | iptables_flush: | ||||
| iptables.flush | iptables.flush | ||||
| {%- if grains.ipv6|default(False) and service.ipv6|default(True) %} | |||||
| ip6tables_flush: | |||||
| iptables.flush: | |||||
| - family: ipv6 | |||||
| {%- endif %} | |||||
| {%- endif %} | {%- endif %} |
Loading…