Puppet Class: nomad_cni::firewall::cni_cut_off

Defined in:
manifests/firewall/cni_cut_off.pp

Overview

Class: nomad_cni::firewall::cni_cut_off — private class that adds `drop` rules to the `CNI-ISOLATION-INPUT` chain so that traffic from one Nomad CNI network cannot reach another.

Parameters

provider

Array[Enum['iptables', 'ip6tables']]

Firewall providers to generate rules for: any combination of 'iptables' (IPv4) and 'ip6tables' (IPv6). A separate rule set is emitted per listed provider.

rule_order

Nomad_cni::Digits

Numeric prefix placed at the start of each firewall resource title; the firewall module uses it to order the rules within the chain.

Parameters:

  • rule_order (Nomad_cni::Digits)
  • provider (Array[Enum['iptables', 'ip6tables']])


# File 'manifests/firewall/cni_cut_off.pp', line 12

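# @summary Isolate Nomad CNI networks from each other with firewall drop rules.
#
# For every CNI entry in the `nomad_cni_hash` fact, a `drop` rule is added to
# the `CNI-ISOLATION-INPUT` chain for each other CNI network found in the
# fact, so that traffic originating in one CNI network cannot reach another.
# One rule set is emitted per requested provider (`iptables`, `ip6tables`).
#
# The class is private (`assert_private`) and is only meant to be declared
# from within the `nomad_cni` module.
#
# @param rule_order
#   Numeric prefix placed at the start of every firewall resource title; the
#   firewall module uses it to order the rules within the chain.
# @param provider
#   Firewall providers to emit rules for; any combination of `iptables` and
#   `ip6tables`.
class nomad_cni::firewall::cni_cut_off (
  Nomad_cni::Digits $rule_order,
  Array[Enum['iptables', 'ip6tables']] $provider,
) {
  assert_private()

  $cni_hash  = $facts['nomad_cni_hash']
  $cni_names = $cni_hash.keys()

  # IPv4 destination networks: every CNI network known to the fact.
  $networks = $cni_names.map |$item| { $cni_hash[$item]['network'] }

  # IPv6 destination networks. The custom fact does not yet populate
  # 'network6' (see TODO below), so undef entries are filtered out instead of
  # being rendered into an ip6tables rule with an empty destination.
  $all_networks6 = $cni_names.map |$item| { $cni_hash[$item]['network6'] }
  $networks6 = $all_networks6.filter |$net| { $net =~ NotUndef }

  if 'iptables' in $provider {
    $cni_names.each |$cni| {
      $my_network = $cni_hash[$cni]['network']
      # NOTE(review): $networks also contains $my_network, so a rule dropping
      # traffic from each network to itself is emitted as well; confirm this
      # is intended before relying on intra-CNI traffic traversing this chain.
      $networks.each |$network| {
        firewall { "${rule_order} drop traffic from ${cni} ${my_network} to CNI ${network} using provider iptables":
          action      => drop,
          chain       => 'CNI-ISOLATION-INPUT',
          source      => $my_network,
          destination => $network,
          proto       => 'all',
          provider    => 'iptables',
        }
      }
    }
  }

  if 'ip6tables' in $provider {
    $cni_names.each |$cni| {
      $my_network = $cni_hash[$cni]['network6']  # TODO: ipv6 (the custom fact is not yet ready)

      # Only emit rules for CNIs that actually have an IPv6 network, and only
      # against the IPv6 networks: the original code paired an IPv6 source with
      # the IPv4 destination list, which ip6tables cannot apply.
      if $my_network =~ NotUndef {
        $networks6.each |$network| {
          firewall { "${rule_order} drop traffic from ${cni} ${my_network} to CNI ${network} using provider ip6tables":
            action      => drop,
            chain       => 'CNI-ISOLATION-INPUT',
            source      => $my_network,
            destination => $network,
            proto       => 'all',
            provider    => 'ip6tables',
          }
        }
      }
    }
  }
}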