Merge pull request #33 from cernops/simplerule

Add nftables::simplerule

README.md

@@ -86,3 +86,10 @@ You can define the order by using the `order` param.
 Adds a named set to a given table. It allows composing the
 set using individual parameters but also takes raw input
 via the content and source parameters.
+
+## nftables::simplerule
+
+Allows expressing firewall rules without having to use nftables's language by
+adding an abstraction layer a-la-Firewall. It's rather limited how far you can
+go so if you need rather complex rules or you can speak nftables it's
+recommended to use `nftables::rule` directly.

REFERENCE.md

@@ -66,6 +66,14 @@
 * [`nftables::rules::masquerade`](#nftablesrulesmasquerade): masquerade all outgoing traffic
 * [`nftables::rules::snat4`](#nftablesrulessnat4): manage a ipv4 snat rule
 * [`nftables::set`](#nftablesset): manage a named set
+* [`nftables::simplerule`](#nftablessimplerule)
+
+### Data types
+
+* [`Nftables::Addr`](#nftablesaddr): Represents an address expression to be used within a rule.
+* [`Nftables::Addr::Set`](#nftablesaddrset): Represents a set expression to be used within a rule.
+* [`Nftables::Port`](#nftablesport): Represents a port expression to be used within a rule.
+* [`Nftables::Port::Range`](#nftablesportrange): Represents a port range expression to be used within a rule.
 
 ## Classes
 
@@ -1215,3 +1223,149 @@ Data type: `Optional[Variant[String,Array[String,1]]]`
 
 Default value: ``undef``
 
+### `nftables::simplerule`
+
+The nftables::simplerule class.
+
+#### Parameters
+
+The following parameters are available in the `nftables::simplerule` defined type.
+
+##### `ensure`
+
+Data type: `Enum['present','absent']`
+
+
+
+Default value: `'present'`
+
+##### `rulename`
+
+Data type: `Pattern[/^[-a-zA-Z0-9_]+$/]`
+
+
+
+Default value: `$title`
+
+##### `order`
+
+Data type: `Pattern[/^\d\d$/]`
+
+
+
+Default value: `'50'`
+
+##### `chain`
+
+Data type: `String`
+
+
+
+Default value: `'default_in'`
+
+##### `table`
+
+Data type: `String`
+
+
+
+Default value: `'inet-filter'`
+
+##### `action`
+
+Data type: `Enum['accept', 'continue', 'drop', 'queue', 'return']`
+
+
+
+Default value: `'accept'`
+
+##### `comment`
+
+Data type: `Optional[String]`
+
+
+
+Default value: ``undef``
+
+##### `dport`
+
+Data type: `Optional[Nftables::Port]`
+
+
+
+Default value: ``undef``
+
+##### `proto`
+
+Data type: `Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']]`
+
+
+
+Default value: ``undef``
+
+##### `daddr`
+
+Data type: `Optional[Nftables::Addr]`
+
+
+
+Default value: ``undef``
+
+##### `set_type`
+
+Data type: `Enum['ip', 'ip6']`
+
+
+
+Default value: `'ip6'`
+
+##### `sport`
+
+Data type: `Optional[Nftables::Port]`
+
+
+
+Default value: ``undef``
+
+##### `saddr`
+
+Data type: `Optional[Nftables::Addr]`
+
+
+
+Default value: ``undef``
+
+##### `counter`
+
+Data type: `Boolean`
+
+
+
+Default value: ``false``
+
+## Data types
+
+### `Nftables::Addr`
+
+Represents an address expression to be used within a rule.
+
+Alias of `Variant[Stdlib::IP::Address::V6, Stdlib::IP::Address::V4, Nftables::Addr::Set]`
+
+### `Nftables::Addr::Set`
+
+Represents a set expression to be used within a rule.
+
+Alias of `Pattern[/^@[-a-zA-Z0-9_]+$/]`
+
+### `Nftables::Port`
+
+Represents a port expression to be used within a rule.
+
+Alias of `Variant[Array[Stdlib::Port, 1], Stdlib::Port, Nftables::Port::Range]`
+
+### `Nftables::Port::Range`
+
+Represents a port range expression to be used within a rule.
+
+Alias of `Pattern[/^\d+-\d+$/]`
+

manifests/simplerule.pp

@@ -0,0 +1,99 @@
+# @summary Provides a simplified interface to nftables::rule for basic use cases.
+#   It's recommended to use nftables::rule directly if you feel comfortable with
+#   nft's syntax.
+#
+# @example allow incoming traffic from port 541 on port 543 TCP to a given IP range and count packets
+#   nftables::simplerule{'my_service_in':
+#     action  => 'accept',
+#     comment => 'allow traffic to port 543',
+#     counter => true,
+#     proto   => 'tcp',
+#     dport   => 543,
+#     daddr   => '2001:1458::/32',
+#     sport   => 541,
+#   }
+#
+# @param rulename
+#   The symbolic name for the rule to add. Defaults to the resource's title.
+#
+# @param order
+#   A number representing the order of the rule.
+#
+# @param chain
+#   The name of the chain to add this rule to.
+#
+# @param table
+#   The name of the table to add this rule to.
+#
+# @param action
+#   The verdict for the matched traffic.
+#
+# @param comment
+#   A typically human-readable comment for the rule.
+#
+# @param dport
+#   The destination port, ports or port range.
+#
+# @param proto
+#   The transport-layer protocol to match.
+#
+# @param daddr
+#   The destination address, CIDR or set to match.
+#
+# @param set_type
+#   When using sets as saddr or daddr, the type of the set.
+#   Use `ip` for sets of type `ipv4_addr`.
+#
+# @param sport
+#   The source port, ports or port range.
+#
+# @param saddr
+#   The source address, CIDR or set to match.
+#
+# @param counter
+#   Enable traffic counters for the matched traffic.
+
+define nftables::simplerule (
+  Enum['present','absent'] $ensure = 'present',
+  Pattern[/^[-a-zA-Z0-9_]+$/] $rulename = $title,
+  Pattern[/^\d\d$/] $order = '50',
+  String $chain  = 'default_in',
+  String $table = 'inet-filter',
+  Enum['accept', 'continue', 'drop', 'queue', 'return'] $action = 'accept',
+  Optional[String] $comment = undef,
+  Optional[Nftables::Port] $dport = undef,
+  Optional[Enum['tcp', 'tcp4', 'tcp6', 'udp', 'udp4', 'udp6']] $proto = undef,
+  Optional[Nftables::Addr] $daddr = undef,
+  Enum['ip', 'ip6'] $set_type = 'ip6',
+  Optional[Nftables::Port] $sport = undef,
+  Optional[Nftables::Addr] $saddr = undef,
+  Boolean $counter = false,
+) {
+  if $dport and !$proto {
+    fail('Specifying a transport protocol via $proto is mandatory when passing a $dport')
+  }
+
+  if $sport and !$proto {
+    fail('Specifying a transport protocol via $proto is mandatory when passing a $sport')
+  }
+
+  if $ensure == 'present' {
+    nftables::rule { "${chain}-${rulename}":
+      content => epp('nftables/simplerule.epp',
+        {
+          'action'   => $action,
+          'comment'  => $comment,
+          'counter'  => $counter,
+          'daddr'    => $daddr,
+          'dport'    => $dport,
+          'proto'    => $proto,
+          'saddr'    => $saddr,
+          'set_type' => $set_type,
+          'sport'    => $sport,
+        }
+      ),
+      order   => $order,
+      table   => $table,
+    }
+  }
+}