-rw-r--r--data/common.yaml3
-rw-r--r--manifests/chain.pp10
-rw-r--r--manifests/config.pp15
-rw-r--r--manifests/init.pp12
-rw-r--r--spec/defines/chain_spec.rb14
-rw-r--r--templates/ferm_chain_footer.conf.epp3
6 files changed, 49 insertions, 8 deletions
diff --git a/data/common.yaml b/data/common.yaml
index 57509c5..938fbef 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -7,3 +7,6 @@ ferm::input_policy: DROP
ferm::forward_policy: DROP
ferm::output_policy: ACCEPT
ferm::rules: {}
+ferm::input_log_dropped_packets: false
+ferm::forward_log_dropped_packets: false
+ferm::output_log_dropped_packets: false
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 5b21912..f9722cf 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -2,9 +2,11 @@
# @param policy [Ferm::Policies] Set the default policy for a CHAIN
# @param disable_conntrack [Boolean] disable/enable usage of conntrack
# @param chain [Ferm::Chains] name of the chain that should be managed
+# @param log_dropped_packets [Boolean] boolean to enable/disable logging of packets to the kernel log, if no explicit chain matched
define ferm::chain (
Ferm::Policies $policy,
Boolean $disable_conntrack,
+ Boolean $log_dropped_packets,
Ferm::Chains $chain = $name,
) {
@@ -24,4 +26,12 @@ define ferm::chain (
),
order => '01',
}
+
+ if $log_dropped_packets {
+ concat::fragment{"${chain}-footer":
+ target => "/etc/ferm.d/chains/${chain}.conf",
+ content => epp("${module_name}/ferm_chain_footer.conf.epp", { 'chain' => $chain }),
+ order => '99',
+ }
+ }
}
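Review bot: The footer fragment is emitted whenever `$log_dropped_packets` is set, regardless of `$policy`, so a chain with `policy => 'ACCEPT'` (the OUTPUT default in data/common.yaml) will log every packet that falls through to the policy even though none of them are dropped — the parameter name and the `log-prefix` then misdescribe what is being recorded, and on a busy host that is a lot of kernel-log noise. Either tie the footer to a non-accepting policy, e.g. `if $log_dropped_packets and $policy != 'ACCEPT' {`, or document in the `@param` that the rule logs whatever reaches the chain policy, not only drops. Order `'99'` also assumes every `ferm::rule` fragment in this chain sorts below 99; that define is outside this diff, so worth confirming rather than relying on it.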
diff --git a/manifests/config.pp b/manifests/config.pp
index ff69c06..1736fa6 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -35,15 +35,18 @@ class ferm::config {
}
ferm::chain{'INPUT':
- policy => $ferm::input_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::input_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::input_log_dropped_packets,
}
ferm::chain{'FORWARD':
- policy => $ferm::forward_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::forward_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::forward_log_dropped_packets,
}
ferm::chain{'OUTPUT':
- policy => $ferm::output_policy,
- disable_conntrack => $ferm::disable_conntrack,
+ policy => $ferm::output_policy,
+ disable_conntrack => $ferm::disable_conntrack,
+ log_dropped_packets => $ferm::output_log_dropped_packets,
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index 0096c3a..c9f2a48 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -31,6 +31,15 @@
# @param rules a hash that holds all data for ferm::rule
# Default value: Empty Hash
# Allowed value: Any Hash
+# @param forward_log_dropped_packets boolean to enable/disable logging in the FORWARD chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param output_log_dropped_packets boolean to enable/disable logging in the OUTPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
+# @param input_log_dropped_packets boolean to enable/disable logging in the INPUT chain of packets to the kernel log, if no explicit chain matched
+# Default value: false
+# Allowed values: (true|false)
class ferm (
Boolean $manage_service,
Boolean $manage_configfile,
@@ -39,6 +48,9 @@ class ferm (
Ferm::Policies $forward_policy,
Ferm::Policies $output_policy,
Ferm::Policies $input_policy,
+ Boolean $forward_log_dropped_packets,
+ Boolean $output_log_dropped_packets,
+ Boolean $input_log_dropped_packets,
Hash $rules,
) {
contain ferm::install
diff --git a/spec/defines/chain_spec.rb b/spec/defines/chain_spec.rb
index 7c4e80b..d3ab857 100644
--- a/spec/defines/chain_spec.rb
+++ b/spec/defines/chain_spec.rb
@@ -12,7 +12,8 @@ describe 'ferm::chain', type: :define do
let :params do
{
policy: 'DROP',
- disable_conntrack: false
+ disable_conntrack: false,
+ log_dropped_packets: true
}
end
@@ -21,6 +22,10 @@ describe 'ferm::chain', type: :define do
is_expected.to contain_concat__fragment('INPUT-policy'). \
with_content(%r{ESTABLISHED RELATED})
end
+ it do
+ is_expected.to contain_concat__fragment('INPUT-footer'). \
+ with_content(%r{LOG log-prefix 'INPUT: ';})
+ end
it { is_expected.to contain_concat('/etc/ferm.d/chains/INPUT.conf') }
it { is_expected.to contain_ferm__chain('INPUT') }
end
@@ -29,7 +34,8 @@ describe 'ferm::chain', type: :define do
let :params do
{
policy: 'DROP',
- disable_conntrack: true
+ disable_conntrack: true,
+ log_dropped_packets: false
}
end
@@ -39,6 +45,10 @@ describe 'ferm::chain', type: :define do
is_expected.not_to contain_concat__fragment('INPUT-policy'). \
with_content(%r{ESTABLISHED RELATED})
end
+ it do
+ is_expected.not_to contain_concat__fragment('INPUT-footer'). \
+ with_content(%r{LOG log-prefix 'INPUT: ';})
+ end
end
end
end
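Review bot: The negative expectation on the `INPUT-footer` fragment is too weak to prove the footer is absent: `not_to contain_concat__fragment('INPUT-footer').with_content(...)` also passes when the fragment exists with any other content, so a regression that still emits the LOG line with a different prefix would go unnoticed. With `log_dropped_packets: false` the define emits no footer at all, so assert exactly that: `it { is_expected.not_to contain_concat__fragment('INPUT-footer') }`. The same pattern is used for the `INPUT-policy` expectation just above, but that one predates this change.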
diff --git a/templates/ferm_chain_footer.conf.epp b/templates/ferm_chain_footer.conf.epp
new file mode 100644
index 0000000..39d8684
--- /dev/null
+++ b/templates/ferm_chain_footer.conf.epp
@@ -0,0 +1,3 @@
+<%- | String[1] $chain,
+| -%>
+LOG log-prefix '<%= $chain %>: ';
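Review bot: The LOG rule has no rate limit, so on a chain with a DROP policy any remote sender can generate one kernel-log entry per unsolicited packet and fill the ring buffer or the disk behind rsyslog/journald — a cheap log-flooding denial of service on exactly the hosts most likely to enable this. Add a limit match in front of the target, e.g. `mod limit limit 3/min limit-burst 10 LOG log-prefix '<%= $chain %>: ';`, and consider exposing the rate as a parameter. Template injection is not a concern here because `$chain` is typed `Ferm::Chains` at the ferm::chain boundary, but the chain_spec regex `LOG log-prefix 'INPUT: ';` would need updating once a limit prefix is added.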