Module: Mt::Wall::DSL::RuleScope

Included in:
RootBuilder
Defined in:
lib/mt/wall/dsl/rule_scope.rb

Overview

The `rule` verb: abstract, device-agnostic access grants (Layer A). Only the global (root) scope declares these — they compile to the forward chain of every managed device. Device-local box firewall config is a different concern (see DeviceBuilder / ChainBuilder).

Includers MUST provide the storage hook:

#record_rule(Model::Rule)

`rule` groups access grants by source: the source (a host or group) is the block header, and each `to` line inside is one grant from that source. The action defaults to :allow and may be omitted.

rule "admin" do
  to "edge-1-mgmt", "ssh"          # allow (default action)
  to "edge-2-mgmt", "ssh", :deny   # explicit action
  to "edge-3-mgmt"                 # no service = any
end

Instance Method Summary

Instance Method Details

#rule(source) { ... } ⇒ void

This method returns an undefined value.

Parameters:

  • source (String)

    name of the source host/group

Yields:

  • a RuleBuilder context (one `to` per grant)


# File 'lib/mt/wall/dsl/rule_scope.rb', line 27

def rule(source, &block)
  builder = RuleBuilder.new(Validators.validate_name!(source, label: "source"))
  builder.instance_eval(&block) if block
  builder.rules.each { |grant| record_rule(grant) }
end
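To show what the includer contract above actually receives, here is an added, self-contained example (not mt-wall's own code): stand-ins for RuleBuilder, Validators and Model::Rule whose shapes are assumed, a RootBuilder that provides #record_rule, and the page's "admin" block run through a copy of #rule. The name check is a constructed stand-in: its point is that source and destination names are validated before any grant reaches the firewall compiler.

```ruby
# Added example, not mt-wall's own code: stand-ins for RuleBuilder, Validators
# and Model::Rule (their real shapes in lib/mt/wall are assumed, not reproduced).
module MtWallDemo
  Rule = Struct.new(:source, :dest, :service, :action) # stand-in for Model::Rule
  module Validators
    # Names end up as identifiers in generated firewall config, so only plain
    # hostname-like tokens pass; anything else is rejected before compilation.
    NAME = /\A[a-z0-9][a-z0-9_.-]{0,62}\z/i
    def self.validate_name!(name, label:)
      raise ArgumentError, "invalid #{label}: #{name.inspect}" unless name.is_a?(String) && NAME.match?(name)
      name
    end
  end
  # Yielded by `rule`: one `to` per grant; service defaults to any (nil), action to :allow.
  class RuleBuilder
    attr_reader :rules
    def initialize(source); @source = source; @rules = []; end
    def to(dest, service = nil, action = :allow)
      raise ArgumentError, "unknown action #{action.inspect}" unless %i[allow deny].include?(action)
      @rules << Rule.new(@source, Validators.validate_name!(dest, label: "destination"), service, action)
    end
  end
  module RuleScope
    # Same shape as the page's #rule: validate source, evaluate block, hand grants to the hook.
    def rule(source, &block)
      builder = RuleBuilder.new(Validators.validate_name!(source, label: "source"))
      builder.instance_eval(&block) if block
      builder.rules.each { |grant| record_rule(grant) }
    end
  end
  # An includer satisfying the contract: it must provide #record_rule(Model::Rule).
  class RootBuilder
    include RuleScope
    attr_reader :recorded
    def initialize; @recorded = []; end
    def record_rule(grant); @recorded << grant; end
  end
end

# Builds the page's "admin" block and returns the grants the includer recorded.
def demo_admin_rules
  root = MtWallDemo::RootBuilder.new
  root.rule("admin") do
    to "edge-1-mgmt", "ssh"
    to "edge-2-mgmt", "ssh", :deny
    to "edge-3-mgmt"
  end
  root.recorded
end
```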