disable conntrack filtering in FORWARD/OUTPUT

conntrack filtering basically doesn't work in those chains, so we need
to disable it.

diff --git a/manifests/config.pp b/manifests/config.pp
index 7dae7a5a9d7de7960db3fe696a5130ebd3421e4e..16ecd9e3fe47b5be794e1b2d8aec2ed78010b533 100644 (file)
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -49,12 +49,12 @@ class ferm::config {
   }
   ferm::chain{'FORWARD':
     policy              => $ferm::forward_policy,
-    disable_conntrack   => $ferm::disable_conntrack,
+    disable_conntrack   => true,
     log_dropped_packets => $ferm::forward_log_dropped_packets,
   }
   ferm::chain{'OUTPUT':
     policy              => $ferm::output_policy,
-    disable_conntrack   => $ferm::disable_conntrack,
+    disable_conntrack   => true,
     log_dropped_packets => $ferm::output_log_dropped_packets,
   }
 

diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index c5018da8b531b94a440771e035f1b07434597a9f..f827dc2f55c4fa9fd89a110eff3765b4e73a7bbd 100644 (file)
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -32,7 +32,7 @@ basic_manifest = %(
     manage_configfile => true,
     manage_initfile   => #{manage_initfile}, # CentOS-6 does not provide init script
     forward_policy    => 'DROP',
-    output_policy     => 'DROP',
+    output_policy     => 'ACCEPT',
     input_policy      => 'DROP',
     rules             => {
       'allow_acceptance_tests' => {
@@ -66,7 +66,7 @@ describe 'ferm' do
     end
 
     describe command('iptables-save') do
-      its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT DROP.*}m }
+      its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m }
     end
 
     describe iptables do