Implement logging to kernel log
authorTim Meusel <tim@bastelfreak.de>
Wed, 19 Dec 2018 08:48:29 +0000 (09:48 +0100)
committerTim Meusel <tim@bastelfreak.de>
Wed, 19 Dec 2018 12:13:52 +0000 (13:13 +0100)
data/common.yaml
manifests/chain.pp
manifests/config.pp
manifests/init.pp
spec/defines/chain_spec.rb
templates/ferm_chain_footer.conf.epp [new file with mode: 0644]

index 57509c5815d35db6cb01e3def5136ccf0d87f4ce..938fbef3a2b6e1f492ff9d075c8167fa78fa6494 100644 (file)
@@ -7,3 +7,6 @@ ferm::input_policy: DROP
 ferm::forward_policy: DROP
 ferm::output_policy: ACCEPT
 ferm::rules: {}
+ferm::input_log_dropped_packets: false
+ferm::forward_log_dropped_packets: false
+ferm::output_log_dropped_packets: false
index 5b21912bde49ddf7fef2a3ba6530494c6fa5fd1f..f9722cf7ecd664fed2ece691a29861ce5201274f 100644 (file)
@@ -2,9 +2,11 @@
 # @param policy [Ferm::Policies] Set the default policy for a CHAIN
 # @param disable_conntrack [Boolean] disable/enable usage of conntrack
 # @param chain [Ferm::Chains] name of the chain that should be managed
+# @param log_dropped_packets [Boolean] boolean to enable/disable logging of packets to the kernel log, if no explicit chain matched
 define ferm::chain (
   Ferm::Policies $policy,
   Boolean $disable_conntrack,
+  Boolean $log_dropped_packets,
   Ferm::Chains $chain = $name,
 ) {
 
@@ -24,4 +26,12 @@ define ferm::chain (
     ),
     order   => '01',
   }
+
+  if $log_dropped_packets {
+    concat::fragment{"${chain}-footer":
+      target  => "/etc/ferm.d/chains/${chain}.conf",
+      content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
+      order   => '99',
+    }
+  }
 }
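Review bot: `Boolean $log_dropped_packets,` is added to the `ferm::chain` define with no default, so any declaration of `ferm::chain` outside this module's own `ferm::config` (which is updated in this commit) will presumably now fail with a missing-parameter error unless Hiera supplies `ferm::chain::log_dropped_packets`; `Boolean $log_dropped_packets = false,` keeps the define backward compatible and matches the defaults this commit sets in data/common.yaml. The new @param line also says "if no explicit chain matched" where it is a rule inside the chain that matches, e.g. `# @param log_dropped_packets [Boolean] log packets to the kernel log when no explicit rule in the chain matched`; the same wording appears in the three new @param entries in manifests/init.pp.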
index ff69c0665660cddae19e32e91602c1397cc6db6c..1736fa607f746f712f7540321c7ca038c2aea48b 100644 (file)
@@ -35,15 +35,18 @@ class ferm::config {
   }
 
   ferm::chain{'INPUT':
-    policy            => $ferm::input_policy,
-    disable_conntrack => $ferm::disable_conntrack,
+    policy              => $ferm::input_policy,
+    disable_conntrack   => $ferm::disable_conntrack,
+    log_dropped_packets => $ferm::input_log_dropped_packets,
   }
   ferm::chain{'FORWARD':
-    policy            => $ferm::forward_policy,
-    disable_conntrack => $ferm::disable_conntrack,
+    policy              => $ferm::forward_policy,
+    disable_conntrack   => $ferm::disable_conntrack,
+    log_dropped_packets => $ferm::forward_log_dropped_packets,
   }
   ferm::chain{'OUTPUT':
-    policy            => $ferm::output_policy,
-    disable_conntrack => $ferm::disable_conntrack,
+    policy              => $ferm::output_policy,
+    disable_conntrack   => $ferm::disable_conntrack,
+    log_dropped_packets => $ferm::output_log_dropped_packets,
   }
 }
index 0096c3a8725791f8fd4b44c296cc380e21aa038e..c9f2a48ddd1e3d6ed4c974b0b101c90308b4b576 100644 (file)
 # @param rules a hash that holds all data for ferm::rule
 #   Default value: Empty Hash
 #   Allowed value: Any Hash
+# @param forward_log_dropped_packets boolean to enable/disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
+#   Default value: false
+#   Allowed values: (true|false)
+# @param output_log_dropped_packets boolean to enable/disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
+#   Default value: false
+#   Allowed values: (true|false)
+# @param input_log_dropped_packets boolean to enable/disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
+#   Default value: false
+#   Allowed values: (true|false)
 class ferm (
   Boolean $manage_service,
   Boolean $manage_configfile,
@@ -39,6 +48,9 @@ class ferm (
   Ferm::Policies $forward_policy,
   Ferm::Policies $output_policy,
   Ferm::Policies $input_policy,
+  Boolean $forward_log_dropped_packets,
+  Boolean $output_log_dropped_packets,
+  Boolean $input_log_dropped_packets,
   Hash $rules,
 ) {
   contain ferm::install
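Review bot: The three new parameters of `class ferm` are declared in forward/output/input order, while the `Ferm::Policies` parameters directly above them and the `ferm::chain` declarations in manifests/config.pp use input/forward/output; the new @param entries in the file header follow the same forward/output/input order. Using one order throughout lets a reader pair each `*_log_dropped_packets` flag with its `*_policy` at a glance.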
index 7c4e80b3652f7476644204f6f8d7f59e089cdce0..d3ab857ecab8f16b5d19dc5d2b8c1940d00ab441 100644 (file)
@@ -12,7 +12,8 @@ describe 'ferm::chain', type: :define do
         let :params do
           {
             policy: 'DROP',
-            disable_conntrack: false
+            disable_conntrack: false,
+            log_dropped_packets: true
           }
         end
 
@@ -21,6 +22,10 @@ describe 'ferm::chain', type: :define do
           is_expected.to contain_concat__fragment('INPUT-policy'). \
             with_content(%r{ESTABLISHED RELATED})
         end
+        it do
+          is_expected.to contain_concat__fragment('INPUT-footer'). \
+            with_content(%r{LOG log-prefix 'INPUT: ';})
+        end
         it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
         it { is_expected.to contain_ferm__chain('INPUT') }
       end
@@ -29,7 +34,8 @@ describe 'ferm::chain', type: :define do
         let :params do
           {
             policy: 'DROP',
-            disable_conntrack: true
+            disable_conntrack: true,
+            log_dropped_packets: false
           }
         end
 
@@ -39,6 +45,10 @@ describe 'ferm::chain', type: :define do
           is_expected.not_to contain_concat__fragment('INPUT-policy'). \
             with_content(%r{ESTABLISHED RELATED})
         end
+        it do
+          is_expected.not_to contain_concat__fragment('INPUT-footer'). \
+            with_content(%r{LOG log-prefix 'INPUT: ';})
+        end
       end
     end
   end
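Review bot: The negative example added in the `disable_conntrack: true` context, `is_expected.not_to contain_concat__fragment('INPUT-footer').with_content(%r{LOG log-prefix 'INPUT: ';})`, also passes if an `INPUT-footer` fragment exists with any other content, so it does not show that the footer is absent when `log_dropped_packets` is false. `it { is_expected.not_to contain_concat__fragment('INPUT-footer') }` checks that directly and mirrors the positive `contain_concat__fragment('INPUT-footer')` example in the first context.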
diff --git a/templates/ferm_chain_footer.conf.epp b/templates/ferm_chain_footer.conf.epp
new file mode 100644 (file)
index 0000000..39d8684
--- /dev/null
@@ -0,0 +1,3 @@
+<%- | String[1] $chain,
+| -%>
+LOG log-prefix '<%= $chain %>: ';
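Review bot: The `LOG` rule emitted by the new template is unconditional, so on a chain with a DROP policy every packet that reaches the end of the chain produces a kernel log line; under a flood this can fill the kernel ring buffer and syslog and crowd out other messages. ferm's `mod limit` match bounds the rate, e.g. `mod limit limit 3/min limit-burst 5 LOG log-prefix '<%= $chain %>: ';`, with the rate and burst values possibly exposed as template parameters. The template also declares `String[1] $chain` while the calling define constrains the value to `Ferm::Chains`; declaring `Ferm::Chains $chain` here would make it explicit that only a known chain name is interpolated into the quoted prefix.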