-rw-r--r--data/common.yaml1
-rw-r--r--manifests/chain.pp9
-rw-r--r--manifests/config.pp9
-rw-r--r--manifests/init.pp4
-rw-r--r--templates/ferm_chain_header.conf.epp3
5 files changed, 22 insertions, 4 deletions
diff --git a/data/common.yaml b/data/common.yaml
index 2618909..57509c5 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -1,6 +1,7 @@
---
ferm::manage_service: false
ferm::manage_configfile: false
+ferm::disable_conntrack: false
ferm::configfile: /etc/ferm.conf
ferm::input_policy: DROP
ferm::forward_policy: DROP
diff --git a/manifests/chain.pp b/manifests/chain.pp
index 6f2ee1d..5b21912 100644
--- a/manifests/chain.pp
+++ b/manifests/chain.pp
@@ -1,8 +1,10 @@
# defined resource which creates all rules for one chain
# @param policy [Ferm::Policies] Set the default policy for a CHAIN
+# @param disable_conntrack [Boolean] disable/enable usage of conntrack
# @param chain [Ferm::Chains] name of the chain that should be managed
define ferm::chain (
Ferm::Policies $policy,
+ Boolean $disable_conntrack,
Ferm::Chains $chain = $name,
) {
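Review bot: The added parameter line `Boolean $disable_conntrack,` has no default, so any `ferm::chain` declaration that does not pass it now fails catalog compilation; this commit updates the module's own callers in manifests/config.pp, but if the defined type is declared anywhere outside the module (which cannot be seen from here) those declarations break. A default of `Boolean $disable_conntrack = false,` keeps the previous behaviour for such callers and matches the value this commit adds to data/common.yaml. The @param text `disable/enable usage of conntrack` could also name what is actually omitted, e.g. `# @param disable_conntrack [Boolean] when true, omit the conntrack rules (INVALID DROP, ESTABLISHED/RELATED ACCEPT) from this chain`.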
@@ -14,7 +16,12 @@ define ferm::chain (
concat::fragment{"${chain}-policy":
target => "/etc/ferm.d/chains/${chain}.conf",
- content => epp("${module_name}/ferm_chain_header.conf.epp", {'policy' => $policy }),
+ content => epp(
+ "${module_name}/ferm_chain_header.conf.epp", {
+ 'policy' => $policy,
+ 'disable_conntrack' => $disable_conntrack,
+ }
+ ),
order => '01',
}
}
diff --git a/manifests/config.pp b/manifests/config.pp
index 43c68ee..ff69c06 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -35,12 +35,15 @@ class ferm::config {
}
ferm::chain{'INPUT':
- policy => $ferm::input_policy,
+ policy => $ferm::input_policy,
+ disable_conntrack => $ferm::disable_conntrack,
}
ferm::chain{'FORWARD':
- policy => $ferm::forward_policy,
+ policy => $ferm::forward_policy,
+ disable_conntrack => $ferm::disable_conntrack,
}
ferm::chain{'OUTPUT':
- policy => $ferm::output_policy,
+ policy => $ferm::output_policy,
+ disable_conntrack => $ferm::disable_conntrack,
}
}
diff --git a/manifests/init.pp b/manifests/init.pp
index 17ebeff..0096c3a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -16,6 +16,9 @@
# @param configfile [Stdlib::Absolutepath] path to the config file
# Default value: /etc/ferm.conf
# Allowed values: Stdlib::Absolutepath
+# @param disable_conntrack [Boolean] disable/enable the generation of conntrack rules
+# Default value: false
+# Allowed values: (true|false)
# @param forward_policy [Ferm::Policies] default policy for the FORWARD chain
# Default value: DROP
# Allowed values: (ACCEPT|DROP|REJECT)
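Review bot: The new @param block documents `disable_conntrack` only as "disable/enable the generation of conntrack rules" without stating the effect on traffic, which is the part an operator needs before flipping it. Per templates/ferm_chain_header.conf.epp in this commit, setting it to true removes both the `mod state state INVALID DROP` and the `mod state state (ESTABLISHED RELATED) ACCEPT` lines from every chain, and with the chain policies defaulting to DROP in this same file, reply packets of permitted connections are then only accepted if explicit stateless rules allow them. Suggested wording: `# @param disable_conntrack [Boolean] when true, no conntrack rules are generated: INVALID packets are no longer dropped and ESTABLISHED/RELATED traffic is no longer accepted automatically, so return traffic must be allowed by explicit rules`. The same description would fit the @param in manifests/chain.pp.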
@@ -32,6 +35,7 @@ class ferm (
Boolean $manage_service,
Boolean $manage_configfile,
Stdlib::Absolutepath $configfile,
+ Boolean $disable_conntrack,
Ferm::Policies $forward_policy,
Ferm::Policies $output_policy,
Ferm::Policies $input_policy,
diff --git a/templates/ferm_chain_header.conf.epp b/templates/ferm_chain_header.conf.epp
index b8c444c..e2c30e6 100644
--- a/templates/ferm_chain_header.conf.epp
+++ b/templates/ferm_chain_header.conf.epp
@@ -1,8 +1,11 @@
<%- | Ferm::Policies $policy,
+ Boolean $disable_conntrack,
| -%>
# Default policy for this chain
policy <%= $policy %>;
+<% unless $disable_conntrack { -%>
# connection tracking
mod state state INVALID DROP;
mod state state (ESTABLISHED RELATED) ACCEPT;
+<% } -%>