authorTim Meusel <tim@bastelfreak.de>2020-04-21 13:12:47 +0200
committerGitHub <noreply@github.com>2020-04-21 13:12:47 +0200
commitc34c528537cd9baa7057588d628a36843d63b015 (patch)
tree1bfa33e2712c03e0dc201ec104e28974b8e79614
parent9b71e958f45f50071203eaa7d6aac445ee31ff14 (diff)
parent91fa3bcde36896eedade89911df93bbf58b6609b (diff)
downloadpuppet-ferm-c34c528537cd9baa7057588d628a36843d63b015.tar.gz
puppet-ferm-c34c528537cd9baa7057588d628a36843d63b015.tar.bz2
Merge pull request #90 from Dan33l/add_conntrack_dedicated
use dedicated conntrack parameters / by default disable conntrack for new chains / by default enable conntrack for filter INPUT chain
-rw-r--r--REFERENCE.md24
-rw-r--r--manifests/chain.pp4
-rw-r--r--manifests/config.pp6
-rw-r--r--manifests/init.pp8
-rw-r--r--spec/acceptance/ferm_spec.rb4
5 files changed, 34 insertions, 12 deletions
diff --git a/REFERENCE.md b/REFERENCE.md
index 2de98f6..4a3283a 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -112,11 +112,27 @@ Data type: `Stdlib::Absolutepath`
Path to the directory where the module stores ferm configuration files
-##### `disable_conntrack`
+##### `forward_disable_conntrack`
+
+Data type: `Boolean`
+
+Enable/Disable the generation of conntrack rules for the FORWARD chain
+
+Default value: `true`
+
+##### `output_disable_conntrack`
Data type: `Boolean`
-Disable/Enable the generation of conntrack rules
+Enable/Disable the generation of conntrack rules for the OUTPUT chain
+
+Default value: `true`
+
+##### `input_disable_conntrack`
+
+Data type: `Boolean`
+
+Enable/Disable the generation of conntrack rules for the INPUT chain
Default value: `false`
@@ -227,7 +243,9 @@ The following parameters are available in the `ferm::chain` defined type.
Data type: `Boolean`
-Disable/Enable usage of conntrack
+Disable/Enable usage of conntrack. By default, we enable conntrack only for the filter INPUT chain
+
+Default value: `true`
##### `log_dropped_packets`
diff --git a/manifests/chain.pp b/manifests/chain.pp
index b66ef7f..0593cc8 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -7,7 +7,7 @@
# log_dropped_packets => true,
# }
#
-# @param disable_conntrack Disable/Enable usage of conntrack
+# @param disable_conntrack Disable/Enable usage of conntrack. By default, we enable conntrack only for the filter INPUT chain
# @param log_dropped_packets Enable/Disable logging of packets to the kernel log, if no explicit chain matched
# @param policy Set the default policy for CHAIN (works only for builtin chains)
# Allowed values: (ACCEPT|DROP) (see Ferm::Policies type)
@@ -18,8 +18,8 @@
# @param ip_versions Set list of versions of ip we want ot use.
#
define ferm::chain (
- Boolean $disable_conntrack,
Boolean $log_dropped_packets,
+ Boolean $disable_conntrack = true,
String[1] $chain = $name,
Optional[Ferm::Policies] $policy = undef,
Ferm::Tables $table = 'filter',
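Review bot: The `@param disable_conntrack` comment in the previous hunk now says conntrack is enabled by default only for the filter INPUT chain, but the define itself applies `disable_conntrack = true` to every chain it is declared for, including a user-declared INPUT chain; the INPUT exception is implemented by the caller (`ferm::config` passes `$ferm::input_disable_conntrack`), not here. Someone declaring `ferm::chain` directly will read that doc and expect conntrack rules that are never generated, which under a DROP policy silently drops return traffic. I would reword it to `# @param disable_conntrack Disable/Enable usage of conntrack. Defaults to true (no conntrack rules are generated); ferm::config passes false for the filter INPUT chain`. The `ferm::chain` parameter list continues past the end of this hunk.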
diff --git a/manifests/config.pp b/manifests/config.pp
index acc58d6..bd08e96 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -47,17 +47,17 @@ class ferm::config {
ferm::chain{'INPUT':
policy => $ferm::input_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ disable_conntrack => $ferm::input_disable_conntrack,
log_dropped_packets => $ferm::input_log_dropped_packets,
}
ferm::chain{'FORWARD':
policy => $ferm::forward_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ disable_conntrack => $ferm::forward_disable_conntrack,
log_dropped_packets => $ferm::forward_log_dropped_packets,
}
ferm::chain{'OUTPUT':
policy => $ferm::output_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ disable_conntrack => $ferm::output_disable_conntrack,
log_dropped_packets => $ferm::output_log_dropped_packets,
}
diff --git a/manifests/init.pp b/manifests/init.pp
index ecaa391..4c69452 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -32,7 +32,9 @@
# @param manage_initfile Disable/Enable the management of the ferm init script for RedHat-based OS
# @param configfile Path to the config file
# @param configdirectory Path to the directory where the module stores ferm configuration files
-# @param disable_conntrack Disable/Enable the generation of conntrack rules
+# @param forward_disable_conntrack Enable/Disable the generation of conntrack rules for the FORWARD chain
+# @param output_disable_conntrack Enable/Disable the generation of conntrack rules for the OUTPUT chain
+# @param input_disable_conntrack Enable/Disable the generation of conntrack rules for the INPUT chain
# @param forward_policy Default policy for the FORWARD chain
# @param output_policy Default policy for the OUTPUT chain
# @param input_policy Default policy for the INPUT chain
@@ -50,7 +52,9 @@ class ferm (
Boolean $manage_service = false,
Boolean $manage_configfile = false,
Boolean $manage_initfile = false,
- Boolean $disable_conntrack = false,
+ Boolean $forward_disable_conntrack = true,
+ Boolean $output_disable_conntrack = true,
+ Boolean $input_disable_conntrack = false,
Ferm::Policies $forward_policy = 'DROP',
Ferm::Policies $output_policy = 'ACCEPT',
Ferm::Policies $input_policy = 'DROP',
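Review bot: Removing the `disable_conntrack` class parameter with no deprecation path means an existing Hiera key such as `ferm::disable_conntrack: true` is presumably no longer looked up and is silently ignored, so a node that deliberately ran a stateless INPUT chain gets conntrack rules on INPUT after this upgrade with no warning (a resource-style declaration passing `disable_conntrack =>` would at least fail to compile). I would keep `Optional[Boolean] $disable_conntrack = undef` for one release, have it take precedence over `input_disable_conntrack` when set, and emit a `deprecation()` pointing at the new parameter. Separately, the new defaults combine `forward_disable_conntrack = true` with `forward_policy = 'DROP'`, so forwarded flows now need explicit rules in both directions unless the operator sets `forward_disable_conntrack => false`; that behavior change deserves a sentence in the `@param forward_disable_conntrack` doc in the hunk above and a CHANGELOG entry. The class parameter list continues past the end of this hunk.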
diff --git a/spec/acceptance/ferm_spec.rb b/spec/acceptance/ferm_spec.rb
index c5018da..f827dc2 100644
--- a/spec/acceptance/ferm_spec.rb
+++ b/spec/acceptance/ferm_spec.rb
@@ -32,7 +32,7 @@ basic_manifest = %(
manage_configfile => true,
manage_initfile => #{manage_initfile}, # CentOS-6 does not provide init script
forward_policy => 'DROP',
- output_policy => 'DROP',
+ output_policy => 'ACCEPT',
input_policy => 'DROP',
rules => {
'allow_acceptance_tests' => {
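Review bot: Switching `output_policy` to `'ACCEPT'` here loosens the acceptance fixture instead of exercising the new default: presumably the run was failing because `output_disable_conntrack` now defaults to `true` and an OUTPUT DROP chain without conntrack rules blocks the test harness's own reply traffic. The stricter combination (OUTPUT DROP plus conntrack) is what a hardened host actually runs, and after this change it is no longer covered anywhere in this spec. I would keep `output_policy => 'DROP'` and add `output_disable_conntrack => false,` to the manifest so the OUTPUT conntrack path stays tested, restoring the `:OUTPUT DROP` expectation in the `iptables-save` match below. The `basic_manifest` heredoc starts before this hunk.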
@@ -66,7 +66,7 @@ describe 'ferm' do
end
describe command('iptables-save') do
- its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT DROP.*}m }
+ its(:stdout) { is_expected.to match %r{.*filter.*:INPUT DROP.*:FORWARD DROP.*:OUTPUT ACCEPT.*}m }
end
describe iptables do