Default value: 'DROP'
+##### `input_drop_invalid_packets_with_conntrack`
+
+Data type: `Boolean`
+
+Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false`. You can set this to false if your policy is DROP. This only effects the INPUT chain.
+
+Default value: `false`
+
##### `rules`
Data type: `Hash`
Default value: `true`
+##### `drop_invalid_packets_with_conntrack`
+
+Data type: `Boolean`
+
+Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false` in this chain. You can set this to false if your policy is DROP.
+
+Default value: `false`
+
##### `log_dropped_packets`
Data type: `Boolean`
# }
#
# @param disable_conntrack Disable/Enable usage of conntrack. By default, we enable conntrack only for the filter INPUT chain
+# @param drop_invalid_packets_with_conntrack Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false` in this chain. You can set this to false if your policy is DROP.
# @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
# @param policy Set the default policy for CHAIN (works only for builtin chains)
# Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
#
define ferm::chain (
Boolean $log_dropped_packets,
- Boolean $disable_conntrack = true,
- String[1] $chain = $name,
- Optional[Ferm::Policies] $policy = undef,
- Ferm::Tables $table = 'filter',
- Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions,
+ Boolean $drop_invalid_packets_with_conntrack = false,
+ Boolean $disable_conntrack = true,
+ String[1] $chain = $name,
+ Optional[Ferm::Policies] $policy = undef,
+ Ferm::Tables $table = 'filter',
+ Array[Enum['ip','ip6']] $ip_versions = $ferm::ip_versions,
) {
# prevent unmanaged files due to new naming schema
# keep the default "filter" chains in the original location
target => $filename,
content => epp(
"${module_name}/ferm_chain_header.conf.epp", {
- 'policy' => $policy,
- 'disable_conntrack' => $disable_conntrack,
+ 'policy' => $policy,
+ 'disable_conntrack' => $disable_conntrack,
+ 'drop_invalid_packets_with_conntrack' => $drop_invalid_packets_with_conntrack,
}
),
order => '01',
}
ferm::chain{'INPUT':
- policy => $ferm::input_policy,
- disable_conntrack => $ferm::input_disable_conntrack,
- log_dropped_packets => $ferm::input_log_dropped_packets,
+ policy => $ferm::input_policy,
+ disable_conntrack => $ferm::input_disable_conntrack,
+ log_dropped_packets => $ferm::input_log_dropped_packets,
+ drop_invalid_packets_with_conntrack => $ferm::input_drop_invalid_packets_with_conntrack,
}
ferm::chain{'FORWARD':
policy => $ferm::forward_policy,
# @param forward_policy Default policy for the FORWARD chain
# @param output_policy Default policy for the OUTPUT chain
# @param input_policy Default policy for the INPUT chain
+# @param input_drop_invalid_packets_with_conntrack Enable/Disable the `mod conntrack ctstate INVALID DROP` statement. Only works if `$disable_conntrack` is `false`. You can set this to false if your policy is DROP. This only effects the INPUT chain.
# @param rules A hash that holds all data for ferm::rule
# @param chains A hash that holds all data for ferm::chain
# @param forward_log_dropped_packets Enable/Disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
Boolean $forward_log_dropped_packets = false,
Boolean $output_log_dropped_packets = false,
Boolean $input_log_dropped_packets = false,
+ Boolean $input_drop_invalid_packets_with_conntrack = false,
Hash $rules = {},
Hash $chains = {},
Array[Enum['ip','ip6']] $ip_versions = ['ip','ip6'],
describe command('iptables-save') do
its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m }
+ its(:stdout) { is_expected.not_to match %r{state INVALID -j DROP} }
end
describe iptables do
end
end
end
+
+ context 'with dropping INVALID pakets' do
+ pp2 = %(
+ class { 'ferm':
+ manage_service => true,
+ manage_configfile => true,
+ manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script
+ forward_policy => 'DROP',
+ output_policy => 'ACCEPT',
+ input_policy => 'DROP',
+ input_drop_invalid_packets_with_conntrack => true,
+ rules => {
+ 'allow_acceptance_tests' => {
+ chain => 'INPUT',
+ action => 'ACCEPT',
+ proto => tcp,
+ dport => 22,
+ },
+ },
+ ip_versions => ['ip'], #only ipv4 available with CI
+ }
+ )
+
+ it 'works with no error' do
+ apply_manifest(pp2, catch_failures: true)
+ end
+ it 'works idempotently' do
+ apply_manifest(pp2, catch_changes: true)
+ end
+
+ describe service('ferm') do
+ it { is_expected.to be_running }
+ end
+
+ describe command('iptables-save') do
+ its(:stdout) { is_expected.to match %r{INPUT.*state INVALID -j DROP} }
+ end
+ end
end
end
<%- | Optional[Ferm::Policies] $policy,
Boolean $disable_conntrack,
+ Boolean $drop_invalid_packets_with_conntrack,
| -%>
# THIS FILE IS MANAGED BY PUPPET
<%- if $policy { -%>
<% unless $disable_conntrack { -%>
# connection tracking
mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
+<% if $drop_invalid_packets_with_conntrack { -%>
mod conntrack ctstate INVALID DROP;
<% } -%>
+<% } -%>
projects / puppet-ferm.git / commitdiff