diff --git a/REFERENCE.md b/REFERENCE.md index 51cb23f6..3e30004f 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -76,6 +76,11 @@ and Manager Daemons (MGR). * [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor * [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server * [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard +* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods. +This class defines additional forwarding rules to let root containers +reach external networks when using Netavark (since v4.0) or CNI (deprecated). +At the time of writing, Podman supports automatic configuration +of firewall rules with iptables and firewalld only. * [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet * [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent * [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt @@ -1190,6 +1195,14 @@ specify wireguard ports Default value: `[51820]` +### `nftables::rules::podman` + +Rules for Podman, a tool for managing OCI containers and pods. +This class defines additional forwarding rules to let root containers +reach external networks when using Netavark (since v4.0) or CNI (deprecated). +At the time of writing, Podman supports automatic configuration +of firewall rules with iptables and firewalld only. + ### `nftables::rules::puppet` manage in puppet diff --git a/manifests/rules/podman.pp b/manifests/rules/podman.pp new file mode 100644 index 00000000..df1e370d --- /dev/null +++ b/manifests/rules/podman.pp 
@@ -0,0 +1,17 @@ +# @summary +# Rules for Podman, a tool for managing OCI containers and pods. +# This class defines additional forwarding rules to let root containers +# reach external networks when using Netavark (since v4.0) or CNI (deprecated). +# At the time of writing, Podman supports automatic configuration +# of firewall rules with iptables and firewalld only. +# +class nftables::rules::podman { + nftables::rule { + 'default_fwd-podman_establised': + content => 'ip daddr 10.88.0.0/16 ct state related,established accept', + } + nftables::rule { + 'default_fwd-podman_accept': + content => 'ip saddr 10.88.0.0/16 accept', + } +} diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb index 6a333838..58c9765b 100644 --- a/spec/acceptance/all_rules_spec.rb +++ b/spec/acceptance/all_rules_spec.rb @@ -26,6 +26,7 @@ class { 'nftables': include nftables::rules::dhcpv6_client include nftables::rules::afs3_callback include nftables::rules::ospf + include nftables::rules::podman include nftables::rules::http include nftables::rules::puppet include nftables::rules::pxp_agent diff --git a/spec/classes/rules/podman_spec.rb b/spec/classes/rules/podman_spec.rb new file mode 100644 index 00000000..5ff7f1ad --- /dev/null +++ b/spec/classes/rules/podman_spec.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'nftables::rules::podman' do + on_supported_os.each do |os, os_facts| + context "on #{os}" do + let(:facts) { os_facts } + + context 'default options' do + it { is_expected.to compile } + it { is_expected.to contain_nftables__rule('default_fwd-podman_establised').with_content('ip daddr 10.88.0.0/16 ct state related,established accept') } + it { is_expected.to contain_nftables__rule('default_fwd-podman_accept').with_content('ip saddr 10.88.0.0/16 accept') } + end + end + end +end
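Review bot: the rule name `default_fwd-podman_establised` in manifests/rules/podman.pp has a typo (missing "h" in "established"), and spec/classes/rules/podman_spec.rb asserts on the same misspelled name; since the title becomes the nftables::rule resource name that users may reference or override, rename it to `default_fwd-podman_established` in both files before merge rather than after release.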
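Review bot: in manifests/rules/podman.pp the container subnet `10.88.0.0/16` is hardcoded in both rules; Podman's default network CIDR is configurable, so expose it as a class parameter (for example `Stdlib::IP::Address::V4::CIDR $subnet = '10.88.0.0/16'`) and interpolate it into both `content` strings. Also, `ip saddr 10.88.0.0/16 accept` accepts any forwarded packet carrying that source address regardless of ingress interface; consider matching the Podman bridge interface too (an `iifname` match, with the name as a second parameter) so the rule only covers traffic actually arriving from the container bridge. Finally, the summary says the rules let containers "reach external networks", but only forward-chain accepts are added; document whether masquerading is expected to come from elsewhere.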
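Review bot: in the REFERENCE.md class index hunk, the `nftables::rules::podman` entry spans five unindented lines inside a bullet list, whereas every neighbouring entry is one line; markdown will render the continuation lines as a separate paragraph that breaks the list. Keep the index entry to a one-line summary (e.g. "Forwarding rules for rootful Podman containers using Netavark or CNI") and leave the full description for the `### nftables::rules::podman` section below, which already repeats it.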