
testing

master
Sean Johnson 1 year ago
parent
commit
e1b2775465
  1. 18
      fwrules/init.sls
  2. 54
      fwrules/templates/sets.nft.j2

18
fwrules/init.sls

@ -22,7 +22,7 @@ netfilter-persistent: @@ -22,7 +22,7 @@ netfilter-persistent:
- group: root
- backup: minion
- template: jinja
- check_cmd: /usr/sbin/nft -c -f
# - check_cmd: /usr/sbin/nft -c -f
/etc/firewall/chains.nft:
file.managed:
@ -32,7 +32,7 @@ netfilter-persistent: @@ -32,7 +32,7 @@ netfilter-persistent:
- group: root
- backup: minion
- template: jinja
- check_cmd: /usr/sbin/nft -c -f
# - check_cmd: /usr/sbin/nft -c -f
/etc/firewall/firewall.nft:
file.managed:
@ -46,11 +46,11 @@ netfilter-persistent: @@ -46,11 +46,11 @@ netfilter-persistent:
- file: /etc/firewall/sets.nft
- file: /etc/firewall/chains.nft
- backup: minion
- check_cmd: /usr/sbin/nft -c -f
# - check_cmd: /usr/sbin/nft -c -f
nft -e -f /etc/firewall/firewall.nft:
cmd.run:
- onchanges:
- file: /etc/firewall/firewall.nft
- file: /etc/firewall/chains.nft
- file: /etc/firewall/sets.nft
# nft -e -f /etc/firewall/firewall.nft:
# cmd.run:
# - onchanges:
# - file: /etc/firewall/firewall.nft
# - file: /etc/firewall/chains.nft
# - file: /etc/firewall/sets.nft
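Review bot: With `check_cmd: /usr/sbin/nft -c -f` commented out on all three `file.managed` states (the hunks at -22, -32 and -46) and the `nft -e -f /etc/firewall/firewall.nft` cmd.run commented out as well, a template that renders to invalid nft syntax is written to disk unchecked and nothing reloads the ruleset, so the files and the live firewall can diverge until the next `netfilter-persistent` start, where a broken file may simply fail to load; this reads the `#`-prefixed lines as the new side, which the page does not mark explicitly. If the per-fragment checks were dropped because `nft -c -f` cannot validate `chains.nft` or `sets.nft` in isolation, keep at least one apply-time gate, e.g. a `cmd.run` of `/usr/sbin/nft -c -f /etc/firewall/firewall.nft` placed between the file states and the reload, rather than disabling every check. Leaving the old lines commented out instead of deleting them also hides the intent; a short comment such as `# check_cmd disabled: fragment cannot be validated standalone` would record why. The `file.managed` states these lines belong to start above each hunk.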

54
fwrules/templates/sets.nft.j2

@ -1,5 +1,17 @@ @@ -1,5 +1,17 @@
#!/usr/sbin/nft -f
{%- macro nft_define(name, addresses) -%}
{%- if addresses|length is gt 0 -%}
define {{ name }} = {
{%- for addr in addresses %}
{{ addr }},
{%- endfor %}
};
{%- else -%}
define {{ name }} = {};
{%- endif %}
{%- endmacro -%}
{% set public_addresses = salt["minion_net.public_addresses"] -%}
{%- set priv4 = (
public_addresses("app:builder", target_type="grain", addr_type="ipv4") +
@ -10,41 +22,11 @@ @@ -10,41 +22,11 @@
public_addresses("app:saltbox", target_type="grain", addr_type="ipv6")
) -%}
define management4 = {
adephagia.synology.me,
107.155.67.64/29,
{%- for addr in priv4 %}
{{ addr }},
{%- endfor %}
}
define management6 = {
2604:880:396::/48,
{%- for addr in priv6 %}
{{ addr }},
{%- endfor %}
}
define scrapers4 = {
{%- for addr in public_addresses("app:metrics", target_type="grain", addr_type="ipv4") %}
{{ addr }},
{%- endfor %}
}
{{ nft_define("management4", ["adephagia.synology.me", "107.155.67.64/29"] + priv4) }}
{{ nft_define("management6", ["2604:880:396::/48"] + priv6) }}
define scrapers6 = {
{%- for addr in public_addresses("app:metrics", target_type="grain", addr_type="ipv6") %}
{{ addr }},
{%- endfor %}
}
{{ nft_define("scrapers4", public_addresses("app:metrics", target_type="grain", addr_type="ipv4")|list) }}
{{ nft_define("scrapers6", public_addresses("app:metrics", target_type="grain", addr_type="ipv6")|list) }}
define minions4 = {
{%- for addr in public_addresses("*", target_type="glob", addr_type="ipv4") %}
{{ addr }},
{%- endfor %}
}
define minions6 = {
{%- for addr in public_addresses("*", target_type="glob", addr_type="ipv6") %}
{{ addr }},
{%- endfor %}
}
{{ nft_define("minions4", public_addresses("*", target_type="glob", addr_type="ipv4")|list) }}
{{ nft_define("minions6", public_addresses("*", target_type="glob", addr_type="ipv6")|list) }}
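Review bot: `nft_define` interpolates `name` and every entry of `addresses` verbatim into nft syntax, and most of those entries come from `minion_net.public_addresses`, i.e. values reported by minions, so the macro is the natural single place to check that each entry is an IP address, CIDR or hostname before it lands in a `define`; the old per-set loops had the same gap, but the macro now makes it fixable in one spot. A Jinja comment above the macro would also help, e.g. `{# nft_define(name, addresses): emit "define <name> = { ... };"; an empty list yields "define <name> = {};" #}`, and whether the nft version in use accepts an empty `{}` in a define and the trailing `,` before `}` is worth confirming, since the macro is now what produces both. `{%- if addresses|length is gt 0 -%}` can simply be `{%- if addresses -%}` for a list. The `{%- set priv4 = (` expression opened at the end of the first hunk, and the `priv6` one closed at the top of the second, run across the hunk boundary.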