diff --git a/README.md b/README.md
index 1298477..90c7703 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,9 @@ Parameters:
 | purge | true | Boolean parameter that determines if all unmanaged firewall rules and chains are purged. Defaults to true. Requires puppetlabs/firewall 1.2.0+ in order,for IPv6 resources to be purged. |
 | chain_policy | DROP | Policy (drop, accept) to apply to each chain (INPUT, FORWARD, OUTPUT). Defaults to drop. The last rules in each chain are always "log then drop" so the policy has minimal effect. |
 | chain_purge | false | An alternative method of purging unmanaged firewall rules that operates only on the INPUT, OUTPUT, and FORWARD chains. This method of purging unmanaged rules allows you to specify an array of regular expressions that match against firewall rules that should be ignored when purging (see the `ignores` variable. The default value is false and its usage with `purge` is mutually exclusive. An example use case would be to ignore firewall rules that are managed by another application like docker. |
-| manage_logging | false | Boolean parameter specifying whether this module should manage logger config for iptables. Defaults to false. If true then rsyslog will be configured to write all iptables events to /var/log/iptables.log and logrotate will manage the file. |
+| manage_logging | false | Boolean parameter specifying whether this module should manage logger config for iptables. Defaults to false. If true then rsyslog will be configured to write all iptables events to /var/log/iptables.log and logrotate will manage the file. |
+| dualstack | false | Boolean parameter specifying whether to create the same rules for both IPv4 and IPv6. |
+
 Variables (set through Hiera config):
diff --git a/lib/puppet/parser/functions/suffix_hash_title.rb b/lib/puppet/parser/functions/suffix_hash_title.rb
new file mode 100644
index 0000000..d13f1ae
--- /dev/null
+++ b/lib/puppet/parser/functions/suffix_hash_title.rb
@@ -0,0 +1,11 @@
+module Puppet::Parser::Functions
+ newfunction(:suffix_hash_title, :type => :rvalue) do |args|
+ result = {}
+ if args[0].class == Hash and args[1].class == String
+ args[0].each do |title, values|
+ result[title + args[1]] = values
+ end
+ end
+ return result
+ end
+end
diff --git a/manifests/init.pp b/manifests/init.pp
index 0c70f26..7577d06 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -65,6 +65,10 @@
 # configured to write all iptables events to /var/log/iptables.log and
 # logrotate will manage the file.
 #
+# [*dualstack*]
+# Boolean parameter specifying whether to create the same rules for
+# both IPv4 and IPv6.
+#
 # === Variables
 #
 # [*rules*]
@@ -95,6 +99,7 @@
 $chain_policy = 'drop',
 $chain_purge = false,
 $manage_logging = false,
+ $dualstack = false,
 ) {
 #------------------------ Validation ----------------------------------------
@@ -110,6 +115,7 @@
 validate_re($chain_policy, ['^accept$', '^drop$'])
 validate_bool($chain_purge)
 validate_bool($manage_logging)
+ validate_bool($dualstack)
 if $purge and $chain_purge {
 fail('purge and chain_purge and mutually exclusive. Set only one to true.')
@@ -170,7 +176,15 @@
 # Create rules from the given hash.
 if $rules {
- create_resources(firewall, $rules)
+ if $dualstack {
+ $rules_ipv4 = suffix_hash_title($rules, ' IPv4')
+ $rules_ipv6 = suffix_hash_title($rules, ' IPv6')
+ create_resources(firewall, $rules_ipv4, { 'provider' => 'iptables' })
+ create_resources(firewall, $rules_ipv6, { 'provider' => 'ip6tables' })
+ }
+ else {
+ create_resources(firewall, $rules)
+ }
 }
 if $manage_logging {
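Review bot: The `if args[0].class == Hash and args[1].class == String` guard returns an empty hash on a type mismatch instead of raising, so a malformed `rules` value or a wrong call would silently declare zero firewall resources where the original `create_resources(firewall, $rules)` would have failed loudly. Puppet parser functions normally reject bad input, e.g. `raise Puppet::ParseError, 'suffix_hash_title(): expects a Hash and a String' unless args.size == 2 && args[0].is_a?(Hash) && args[1].is_a?(String)`, with the `each` loop then running unconditionally; `is_a?(Hash)` also accepts Hash subclasses, which `args[0].class == Hash` rejects. Declaring `:arity => 2` on `newfunction` would additionally make the parser reject calls with the wrong argument count. A short header comment stating that the function returns a copy of the hash with the suffix appended to every key, leaving the values untouched, would help readers of the manifest that calls it.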
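Review bot: `validate_bool($dualstack)` is the only check added for the dual-stack path, but nothing constrains the contents of `$rules` once the flag is on; the same rule hash is later duplicated onto the ip6tables provider unchanged (the hunk at line 176 of this file, which runs past the end of this excerpt). A rule whose `source` or `destination` is an IPv4 address or CIDR would then also be declared for ip6tables, where it would presumably fail at apply time rather than be skipped, leaving the catalog partially applied. At minimum the `[*dualstack*]` doc comment in the earlier hunk should state the contract, e.g. `# When true, every entry in $rules must be valid for both iptables and ip6tables (no address-family-specific values).` A stricter option would be to fail validation when `$dualstack` is true and a rule carries a family-specific address, but that depends on the rule schema and is an inference from this diff alone.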