Using configuration management systems: Difference between revisions
(→other modules adding nftables configuration: fix typo in file name) |
(→puppet: add community module) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
The basic approach is to have a central point where we deploy nftables, with a ruleset layout that allows other files to be deployed and loaded atomically by nftables. | The basic approach is to have a central point where we deploy nftables, with a ruleset layout that allows other files to be deployed and loaded atomically by nftables. | ||
Other components (modules, or profiles, or whatever) then deploy specific rules or other configuration as required. | Other components (modules, or profiles, or whatever) then deploy specific rules or other configuration as required. | ||
= puppet = | |||
For the sake of the example this page uses puppet as reference, but the same concepts and mechanism could be applied to others. | For the sake of the example this page uses puppet as reference, but the same concepts and mechanism could be applied to others. | ||
Line 8: | Line 10: | ||
'''NOTE:''' if you copy-paste this example make sure you adapt it to your environment. This code below is an example and hasn't been tested at all. | '''NOTE:''' if you copy-paste this example make sure you adapt it to your environment. This code below is an example and hasn't been tested at all. | ||
== a base puppet module == | == community module == | ||
The community already developed deep integration between puppet and nftables and other related firewalling mechanisms (like firewalld). | |||
* https://forge.puppet.com/tags/nftables | |||
* https://github.com/voxpupuli/puppet-nftables | |||
== raw example == | |||
This a simplified raw example. | |||
=== a base puppet module === | |||
A file like named this: '''modules/nftables/manifest/init.pp''' | A file like named this: '''modules/nftables/manifest/init.pp''' | ||
Line 58: | Line 71: | ||
</source> | </source> | ||
== a module to introduce nftables config == | === a module to introduce nftables config === | ||
This module is responsible for injecting into the system the new nftables config. | This module is responsible for injecting into the system the new nftables config. | ||
Line 77: | Line 90: | ||
</source> | </source> | ||
== other modules adding nftables configuration == | === other modules adding nftables configuration === | ||
In this example, we have an apache module that creates some additional rules and configuration for nftables. | In this example, we have an apache module that creates some additional rules and configuration for nftables. | ||
Line 95: | Line 108: | ||
} | } | ||
</source> | </source> | ||
= ansible = | |||
Check some examples on how people are using nftables with ansible: | |||
* https://github.com/ipr-cnrs/nftables | |||
* https://github.com/Frzk/ansible-role-nftables |
Latest revision as of 11:30, 16 December 2020
This page shows a basic example on how to integrate nftables scripting capabilities with configuration management systems (like puppet, ansible, chef, salt and others).
The basic approach is to have a central point where we deploy nftables, with a ruleset layout that allows other files to be deployed and loaded atomically by nftables. Other components (modules, or profiles, or whatever) then deploy specific rules or other configuration as required.
puppet
For the sake of the example this page uses puppet as reference, but the same concepts and mechanism could be applied to others.
NOTE: if you copy-paste this example make sure you adapt it to your environment. This code below is an example and hasn't been tested at all.
community module
The community already developed deep integration between puppet and nftables and other related firewalling mechanisms (like firewalld).
raw example
This a simplified raw example.
a base puppet module
A file like named this: modules/nftables/manifest/init.pp
class nftables(
) {
# install the package
package { 'nftables':
ensure => 'present',
}
# create a directory to hold the nftables config
file { '/etc/nftables/':
ensure => 'directory',
}
# deploy the basic configuration file, i.e, the basic nftables ruleset skeleton
file { '/etc/nftables/ruleset.nft':
ensure => 'present',
source => 'puppet:///modules/nftables/nftables.nft',
}
# ensure nftables systemd service is running (at boot time, etc)
service { 'nftables':
ensure => 'running',
}
}
We are installing this file (a file like: modules/nftables/files/nftables.nft)
#!/usr/sbin/nft -f
flush ruleset
# create the basic ruleset skeleton
add table inet filter
add set inet filter allowed_ports { type inet_service ; }
add chain inet filter input { type filter hook input priority filter ; policy drop ; }
add rule inet filter input iif lo counter accept
add rule inet filter input ct state established,related counter accept
add rule inet filter input tcp dport @allowed_ports accept
add rule inet filter input counter
# include all the other files that may be deployed by puppet
include "/etc/nftables/*puppet.nft"
a module to introduce nftables config
This module is responsible for injecting into the system the new nftables config. A file named like : modules/nftables/manifest/rule.pp
define nftables::rule(
String $rule,
) {
require ::nftables
file { "/etc/nftables/${name}_puppet.nft":
ensure => 'present',
content => $rule,
notify => Service['nftables'],
}
}
other modules adding nftables configuration
In this example, we have an apache module that creates some additional rules and configuration for nftables.
This is a file named like this: modules/apache/manifest/config.pp
class ::apache::config(
) {
package { 'apache':
ensure => 'present',
}
nftables::rule { 'apache_port_80':
rule => 'add element inet filter allowed_ports { 80 }',
}
}
ansible
Check some examples on how people are using nftables with ansible: