Module | ipset |
In: | /modules/ipset/manifests/init.pp, /modules/ipset/manifests/iptables.pp, /modules/ipset/manifests/base.pp, /modules/ipset/manifests/params.pp |
Manage IP sets in the Linux kernel. Support in Red Hat Enterprise Linux was introduced with the RHEL 6.2 kernel (run "modinfo ip_set" to check).
Once you have your IP sets in place, you'll want to manage iptables rules which make use of those IP sets.
Define: ipset
Create and manage ipsets. You must pass one of $from_file, … TODO, unless you are passing "ensure => absent" to remove the ipset.
Parameters:
$from_file: Create and manage the ipset from the content of a file. Default: none
$ipset_type: The type of the ipset. Default: hash:ip
$ipset_create_options: The create options of the ipset. Default: empty
$ipset_add_options: The add options of the ipset elements. Default: empty
Sample Usage:
    # Manage the source file, then create the ipset from its content
    file { '/path/to/my_blacklist.txt':
      content => "10.0.0.1\n10.0.0.2\n",
    }
    ipset { 'my_blacklist':
      from_file => '/path/to/my_blacklist.txt',
    }
Define: ipset::iptables
This shouldn't exist. There should be a way to have iptables silently ignore rules for non-existing IP sets... NOTE: No absent support! Just remove the resource, then restart iptables. Also make sure you never save iptables rules with IP set rules included, or restore will fail when the IP sets don't (yet) exist. That's the whole problem we try to solve here.
Parameters:
$table: The table to insert the rule into. Default: 'filter'
$chain: The chain to insert the rule into. Mandatory.
$ipset: The IP set to match against. Default: $name. Use it if you are creating more than one iptables rule for the same IP set.
$flags: Comma separated list of 'src' and 'dst' specifications. Default: 'src'
$options: The options for the inserted rule. Default: empty. You will often want to use this.
$target: The target used by the inserted rule. Default: 'DROP'
$strictmatch: Strict match when checking for existing rules. Default: false. Enable if you are sure your $options are set properly and you are having problems creating multiple rules for the same IP set.
Sample Usage:
    # Reject TCP from addresses in 'mylist' on INPUT
    ipset::iptables { 'mylist':
      chain   => 'INPUT',
      options => '-p tcp',
      target  => 'REJECT',
    }
    # Second rule for the same IP set: log port 80 hits in the raw table
    ipset::iptables { 'mylist-log':
      table   => 'raw',
      chain   => 'PREROUTING',
      ipset   => 'mylist',
      options => '-p tcp --dport 80',
      target  => 'LOG --log-prefix "MyList: "',
    }
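The failure mode described under ipset::iptables (a saved ruleset that references IP sets which do not exist yet, so iptables-restore aborts) can be caught before a restore is attempted. The following script is an added example, not code from the ipset module: it scans a saved ruleset for "--match-set" references and reports the sets missing from an existing-set list. Both inputs are constructed samples in the shape of `iptables-save` and `ipset list -n` output, so it runs without root.

```shell
#!/bin/sh
# Constructed iptables-save output; the rules reference two IP sets.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m set --match-set mylist src -j REJECT
-A INPUT -m set --match-set otherlist src,dst -j DROP
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -m set --match-set mylist src -j LOG --log-prefix "MyList: "
COMMIT'

# Constructed `ipset list -n` output: only "mylist" has been created so far.
SAMPLE_SETS='mylist'

# Print every set name that follows --match-set in ruleset $1, one per line,
# deduplicated (a single rule may match more than one set).
referenced_sets() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }' \
        | sort -u
}

# Print the referenced sets that are absent from the existing-set list $2.
# Returns 1 when at least one set is missing, i.e. restoring $1 would fail.
missing_sets() {
    rc=0
    for name in $(referenced_sets "$1"); do
        if ! printf '%s\n' "$2" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run on the constructed samples.
missing=$(missing_sets "$SAMPLE_RULES" "$SAMPLE_SETS") || true
if [ -n "$missing" ]; then
    echo "restore would fail, IP sets not created yet: $missing"
else
    echo "all referenced IP sets exist"
fi
```

On a real host, run it as `missing_sets "$(iptables-save)" "$(ipset list -n)"` from a boot-time check or a Puppet exec `unless`, so a ruleset is only restored once every IP set it names has been created.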