saltbox
/
states
2
0
Fork 1
Code Issues Pull Requests Releases Wiki Activity
Browse Source

return on allowed rule, drop on no match

sjohn/nft
Sean Johnson 1 year ago
parent
de68bfd3e6
commit
1573624b04
2 changed files with 47 additions and 35 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 32
      fwrules/chains/swarm_ingress.sls
  2. 50
      test/integration/swarm_ingress/fwrules.rb

32
fwrules/chains/swarm_ingress.sls
View File

@ -27,6 +27,25 @@ include:
- name: {{ chain_name }}
- family: {{ family }}
{{ chain_name }} {{ family }} remove default return:
iptables.delete:
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: RETURN
- require:
- iptables: {{ chain_name }} {{ family }}
{{ chain_name }} {{ family }} default drop:
iptables.insert:
- position: 1
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: DROP
- require:
- iptables: {{ chain_name }} {{ family }}
{% for service, port, transport, sources in ports %}
{% set addresses, ipsets = salt["minion_net.split_ips_ipsets"](sources.get(family, [])) %}
@ -42,7 +61,7 @@ include:
- match: {{ ["set", transport] | tojson }}
- set: {{ set_name }} src
- dport: {{ port }}
- jump: ACCEPT
- jump: RETURN
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}
@ -58,18 +77,9 @@ include:
- match: {{ transport }}
- source: {{ addresses | join(",") }}
- dport: {{ port }}
- jump: ACCEPT
- jump: RETURN
- require:
- iptables: {{ chain_name }} {{ family }}
{% endif %}
{% endfor %}
{{ chain_name }} {{ family }} default deny:
iptables.append:
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: DROP
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}

50
test/integration/swarm_ingress/fwrules.rb
View File

@ -1,31 +1,33 @@
describe iptables do
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv4 src -m udp --dport 3478 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 6789 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8843 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8880 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8443 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 9090 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv4 src -m tcp --dport 9001 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv4 src -m udp --dport 3478 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 6789 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8843 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8880 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8443 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 9090 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv4 src -m tcp --dport 9001 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j RETURN" }
it { should have_rule "-A DOCKER-USER -j DROP" }
it { should_not have_rule "-A DOCKER-USER -j RETURN" }
end
describe ip6tables do
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv6 src -m udp --dport 3478 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 6789 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8843 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8880 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8443 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 9090 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv6 src -m tcp --dport 9001 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv6 src -m udp --dport 3478 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 6789 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8843 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8880 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8443 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 9090 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv6 src -m tcp --dport 9001 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j RETURN" }
it { should have_rule "-A DOCKER-USER -j DROP" }
it { should_not have_rule "-A DOCKER-USER -j RETURN" }
end
Write Preview
Loading…
Cancel
Save