From 08b9f1d04537e24b09d4dc3293f4a3bc04345242 Mon Sep 17 00:00:00 2001
From: Steve Traylen
Date: Wed, 22 Nov 2023 09:53:16 +0100
Subject: [PATCH] Additional rules for podman root containers

This class defines additional forwarding rules to let root containers reach external networks when using Netavark (since v4.0) or CNI (deprecated). At the time of writing, Podman supports automatic configuration of firewall rules with iptables and firewalld only.
---
 REFERENCE.md | 13 +++++++++++++
 manifests/rules/podman.pp | 17 +++++++++++++++++
 spec/acceptance/all_rules_spec.rb | 1 +
 spec/classes/rules/podman_spec.rb | 17 +++++++++++++++++
 4 files changed, 48 insertions(+)
 create mode 100644 manifests/rules/podman.pp
 create mode 100644 spec/classes/rules/podman_spec.rb

diff --git a/REFERENCE.md b/REFERENCE.md
index 534c3f1d..3aca63b0 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -76,6 +76,11 @@ and Manager Daemons (MGR).
 * [`nftables::rules::out::tor`](#nftables--rules--out--tor): manage out tor
 * [`nftables::rules::out::whois`](#nftables--rules--out--whois): allow clients to query remote whois server
 * [`nftables::rules::out::wireguard`](#nftables--rules--out--wireguard): manage out wireguard
+* [`nftables::rules::podman`](#nftables--rules--podman): Rules for Podman, a tool for managing OCI containers and pods.
+This class defines additional forwarding rules to let root containers
+reach external networks when using Netavark (since v4.0) or CNI (deprecated).
+At the time of writing, Podman supports automatic configuration
+of firewall rules with iptables and firewalld only.
 * [`nftables::rules::puppet`](#nftables--rules--puppet): manage in puppet
 * [`nftables::rules::pxp_agent`](#nftables--rules--pxp_agent): manage in pxp-agent
 * [`nftables::rules::qemu`](#nftables--rules--qemu): Bridged network configuration for qemu/libvirt
@@ -1190,6 +1195,14 @@ specify wireguard ports
 
 Default value: `[51820]`
 
+### `nftables::rules::podman`
+
+Rules for Podman, a tool for managing OCI containers and pods.
+This class defines additional forwarding rules to let root containers
+reach external networks when using Netavark (since v4.0) or CNI (deprecated).
+At the time of writing, Podman supports automatic configuration
+of firewall rules with iptables and firewalld only.
+
 ### `nftables::rules::puppet`
 
 manage in puppet
diff --git a/manifests/rules/podman.pp b/manifests/rules/podman.pp
new file mode 100644
index 00000000..df1e370d
--- /dev/null
+++ b/manifests/rules/podman.pp
@@ -0,0 +1,17 @@
+# @summary
+# Rules for Podman, a tool for managing OCI containers and pods.
+# This class defines additional forwarding rules to let root containers
+# reach external networks when using Netavark (since v4.0) or CNI (deprecated).
+# At the time of writing, Podman supports automatic configuration
+# of firewall rules with iptables and firewalld only.
+#
+class nftables::rules::podman {
+ nftables::rule {
+ 'default_fwd-podman_establised':
+ content => 'ip daddr 10.88.0.0/16 ct state related,established accept',
+ }
+ nftables::rule {
+ 'default_fwd-podman_accept':
+ content => 'ip saddr 10.88.0.0/16 accept',
+ }
+}
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
index 6a333838..58c9765b 100644
--- a/spec/acceptance/all_rules_spec.rb
+++ b/spec/acceptance/all_rules_spec.rb
@@ -26,6 +26,7 @@ class { 'nftables':
 include nftables::rules::dhcpv6_client
 include nftables::rules::afs3_callback
 include nftables::rules::ospf
+ include nftables::rules::podman
 include nftables::rules::http
 include nftables::rules::puppet
 include nftables::rules::pxp_agent
diff --git a/spec/classes/rules/podman_spec.rb b/spec/classes/rules/podman_spec.rb
new file mode 100644
index 00000000..5ff7f1ad
--- /dev/null
+++ b/spec/classes/rules/podman_spec.rb
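Review bot: Both rules in manifests/rules/podman.pp hard-code the Podman default subnet `10.88.0.0/16` and the class exposes no parameter, so hosts whose Podman network uses a different subnet, or more than one, get rules that never match their traffic and cannot adjust them from Hiera. Turning the subnet into a parameter keeps today's default while allowing overrides: `class nftables::rules::podman (Stdlib::IP::Address::V4::CIDR $subnet = '10.88.0.0/16') {`, `content => "ip daddr ${subnet} ct state related,established accept",` and `content => "ip saddr ${subnet} accept",` (the type presumes stdlib is already a module dependency; `String` works otherwise). Separately, `ip saddr 10.88.0.0/16 accept` in the forward chain accepts any packet carrying a container source address regardless of the interface it arrived on, so an `iifname` match on the container bridge (if the module offers a way to name it) would stop other interfaces from borrowing that range. The title `default_fwd-podman_establised` misspells "established"; the new spec/classes/rules/podman_spec.rb asserts the same title, so the rename belongs in both files at once.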
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'nftables::rules::podman' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let(:facts) { os_facts }
+
+ context 'default options' do
+ it { is_expected.to compile }
+ it { is_expected.to contain_nftables__rule('default_fwd-podman_establised').with_content('ip daddr 10.88.0.0/16 ct state related,established accept') }
+ it { is_expected.to contain_nftables__rule('default_fwd-podman_accept').with_content('ip saddr 10.88.0.0/16 accept') }
+ end
+ end
+ end
+end