Puppet Class: nomad_cni::ingress::firewall

Defined in:
manifests/ingress/firewall.pp

Overview

Class: nomad_cni::ingress::firewall

Parameters

peer_ip

the IP address of the peer node in the cluster (a single address; VRRP and IGMP traffic from it is accepted on the INPUT chain).

interface

the host network interface out of which traffic arriving from the `br+` bridge interfaces is allowed to be forwarded.

agent_ips

the IP addresses of the Nomad agents; each address gets its own FORWARD accept rule towards the bridge interfaces (IPv4 addresses via iptables, IPv6 addresses via ip6tables).

Parameters:

  • peer_ip (Stdlib::Ip::Address::Nosubnet)
  • interface (String)
  • agent_ips (Array[Stdlib::Ip::Address::Nosubnet])


# File 'manifests/ingress/firewall.pp', line 15

class nomad_cni::ingress::firewall (
  Stdlib::Ip::Address::Nosubnet $peer_ip,
  String $interface,
  Array[Stdlib::Ip::Address::Nosubnet] $agent_ips,
) {
  # One FORWARD accept rule per agent towards the bridge interfaces.
  # 'br+' is an iptables interface wildcard: it matches every interface whose
  # name starts with "br", not only the Nomad CNI bridge, so any other br*
  # bridge present on the host is reachable from the agents through this rule.
  $agent_ips.each |$agent_ip| {
    # IPv4 and IPv6 rules live in separate tables, so pick the provider from
    # the address family of this agent.
    if $agent_ip =~ Stdlib::IP::Address::V6 { $provider = 'ip6tables' } else { $provider = 'iptables' }
    firewall { "200 allow forward through host network ${interface} from Nomad agent ${agent_ip}":
      proto    => 'all',
      chain    => 'FORWARD',
      action   => 'accept',
      provider => $provider,
      outiface => 'br+',
      source   => $agent_ip;
    }
  }
  # The rules below set no 'provider', so they are created with the default
  # (iptables, IPv4) only. NOTE(review): the parameter types permit IPv6 for
  # both $agent_ips and $peer_ip; in that case the bridge->host rule has no
  # ip6tables counterpart and the VRRP rule would be applied to iptables with
  # an IPv6 source — confirm, or derive the provider as in the loop above.
  firewall {
    default:
      proto  => 'all',
      chain  => 'FORWARD',
      action => 'accept';
    # Bridge -> host uplink, all protocols, no source restriction.
    "200 allow forward from Bridge to host network ${interface}":
      iniface  => 'br+',
      outiface => $interface;
    # Bridge -> bridge, all protocols. With the 'br+' wildcard on both sides
    # this also permits forwarding between two different br* bridges, not only
    # hairpin traffic on the same bridge.
    '200 allow forward on Bridge':
      iniface  => 'br+',
      outiface => 'br+';
    # VRRP and IGMP from the peer node, matched on source address only.
    # NOTE(review): the match is not bound to an interface, so a packet with a
    # forged source of $peer_ip is accepted on any link — consider adding
    # iniface => $interface. Also confirm the firewall module honours a list
    # for 'proto'; if only the first element is applied, IGMP is silently left
    # out and two separate rules are the safer form.
    "200 Allow VRRP inbound from ${peer_ip}":
      proto  => ['vrrp', 'igmp'],
      chain  => 'INPUT',
      source => $peer_ip;
  }
}