introduce parameter disable_conntrack

Default value of disable_conntrack is 'false'. Existing installations
are not affected by this change.

diff --git a/data/common.yaml b/data/common.yaml
index 2618909a441aac21925ce1f602aab95fa1549e33..57509c5815d35db6cb01e3def5136ccf0d87f4ce 100644 (file)
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -1,6 +1,7 @@
 ---
 ferm::manage_service: false
 ferm::manage_configfile: false
+ferm::disable_conntrack: false
 ferm::configfile: /etc/ferm.conf
 ferm::input_policy: DROP
 ferm::forward_policy: DROP

diff --git a/manifests/chain.pp b/manifests/chain.pp
index 6f2ee1d86d019aec98dbc9a86c372e8ea1455a1a..5b21912bde49ddf7fef2a3ba6530494c6fa5fd1f 100644 (file)
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -1,8 +1,10 @@
 # defined resource which creates all rules for one chain
 # @param policy [Ferm::Policies] Set the default policy for a CHAIN
+# @param disable_conntrack [Boolean] disable/enable usage of conntrack
 # @param chain [Ferm::Chains] name of the chain that should be managed
 define ferm::chain (
   Ferm::Policies $policy,
+  Boolean $disable_conntrack,
   Ferm::Chains $chain = $name,
 ) {
 
@@ -14,7 +16,12 @@ define ferm::chain (
 
   concat::fragment{"${chain}-policy":
     target  => "/etc/ferm.d/chains/${chain}.conf",
-    content => epp("${module_name}/ferm_chain_header.conf.epp", {'policy' => $policy }),
+    content => epp(
+      "${module_name}/ferm_chain_header.conf.epp", {
+        'policy'            => $policy,
+        'disable_conntrack' => $disable_conntrack,
+      }
+    ),
     order   => '01',
   }
 }

diff --git a/manifests/config.pp b/manifests/config.pp
index 43c68eeeb4aa81459859e2d78787024726131b4b..ff69c0665660cddae19e32e91602c1397cc6db6c 100644 (file)
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -35,12 +35,15 @@ class ferm::config {
   }
 
   ferm::chain{'INPUT':
-    policy => $ferm::input_policy,
+    policy            => $ferm::input_policy,
+    disable_conntrack => $ferm::disable_conntrack,
   }
   ferm::chain{'FORWARD':
-    policy => $ferm::forward_policy,
+    policy            => $ferm::forward_policy,
+    disable_conntrack => $ferm::disable_conntrack,
   }
   ferm::chain{'OUTPUT':
-    policy => $ferm::output_policy,
+    policy            => $ferm::output_policy,
+    disable_conntrack => $ferm::disable_conntrack,
   }
 }

diff --git a/manifests/init.pp b/manifests/init.pp
index 17ebeff101b8182f8261946c3edf46b8ab704ead..0096c3a8725791f8fd4b44c296cc380e21aa038e 100644 (file)
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -16,6 +16,9 @@
 # @param configfile [Stdlib::Absolutepath] path to the config file
 #   Default value: /etc/ferm.conf
 #   Allowed values: Stdlib::Absolutepath
+# @param disable_conntrack [Boolean] disable/enable the generation of conntrack rules
+#   Default value: false
+#   Allowed values: (true|false)
 # @param forward_policy [Ferm::Policies] default policy for the FORWARD chain
 #   Default value: DROP
 #   Allowed values: (ACCEPT|DROP|REJECT)
@@ -32,6 +35,7 @@ class ferm (
   Boolean $manage_service,
   Boolean $manage_configfile,
   Stdlib::Absolutepath $configfile,
+  Boolean $disable_conntrack,
   Ferm::Policies $forward_policy,
   Ferm::Policies $output_policy,
   Ferm::Policies $input_policy,

diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp
index b8c444c85351d5675ed2c99762c231776de07ebe..e2c30e6b569fc7b106d000675ec58c4e45be227a 100644 (file)
--- a/templates/ferm_chain_header.conf.epp
+++ b/templates/ferm_chain_header.conf.epp
@@ -1,8 +1,11 @@
 <%- | Ferm::Policies $policy,
+      Boolean $disable_conntrack,
 | -%>
 # Default policy for this chain
 policy <%= $policy %>;
 
+<% unless $disable_conntrack { -%>
 # connection tracking
 mod state state INVALID DROP;
 mod state state (ESTABLISHED RELATED) ACCEPT;
+<% } -%>